{"id":"https://openalex.org/W3214437258","doi":"https://doi.org/10.1145/3460120.3484575","title":"Membership Leakage in Label-Only Exposures","display_name":"Membership Leakage in Label-Only Exposures","publication_year":2021,"publication_date":"2021-11-12","ids":{"openalex":"https://openalex.org/W3214437258","doi":"https://doi.org/10.1145/3460120.3484575","mag":"3214437258"},"language":"en","primary_location":{"id":"doi:10.1145/3460120.3484575","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3460120.3484575","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5100415036","display_name":"Zheng Li","orcid":"https://orcid.org/0000-0002-9704-7651"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":true,"raw_author_name":"Zheng Li","raw_affiliation_strings":["CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"],"affiliations":[{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany","institution_ids":["https://openalex.org/I4210128801"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5100354592","display_name":"Yang Zhang","orcid":"https://orcid.org/0000-0001-8135-369X"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Yang Zhang","raw_affiliation_strings":["CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"],"affiliations":[{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany","institution_ids":["https://openalex.org/I4210128801"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":2,"corresponding_author_ids":["https://openalex.org/A5100415036"],"corresponding_institution_ids":["https://openalex.org/I4210128801"],"apc_list":null,"apc_paid":null,"fwci":19.7396,"has_fulltext":false,"cited_by_count":185,"citation_normalized_percentile":{"value":0.99504331,"is_in_top_1_percent":true,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":99,"max":100},"biblio":{"volume":null,"issue":null,"first_page":"880","last_page":"895"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9998000264167786,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9998000264167786,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10764","display_name":"Privacy-Preserving Technologies in Data","score":0.9995999932289124,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11636","display_name":"Artificial Intelligence in Healthcare and Education","score":0.96670001745224,"subfield":{"id":"https://openalex.org/subfields/2718","display_name":"Health Informatics"},"field":{"id":"https://openalex.org/fields/27","display_name":"Medicine"},"domain":{"id":"https://openalex.org/domains/4","display_name":"Health Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/leverage","display_name":"Leverage (statistics)","score":0.7923035621643066},{"id":"https://openalex.org/keywords/inference","display_name":"Inference","score":0.746911883354187},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7075260877609253},{"id":"https://openalex.org/keywords/adversary","display_name":"Adversary","score":0.6541649699211121},{"id":"https://openalex.org/keywords/machine-learning","display_name":"Machine learning","score":0.5474834442138672},{"id":"https://openalex.org/keywords/attack-model","display_name":"Attack model","score":0.5348932147026062},{"id":"https://openalex.org/keywords/information-leakage","display_name":"Information leakage","score":0.5165206789970398},{"id":"https://openalex.org/keywords/data-mining","display_name":"Data mining","score":0.5111542344093323},{"id":"https://openalex.org/keywords/training-set","display_name":"Training set","score":0.49557816982269287},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.4888998568058014},{"id":"https://openalex.org/keywords/sample","display_name":"Sample (material)","score":0.46879515051841736},{"id":"https://openalex.org/keywords/decision-boundary","display_name":"Decision boundary","score":0.46678057312965393},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.30808982253074646},{"id":"https://openalex.org/keywords/support-vector-machine","display_name":"Support vector machine","score":0.19157791137695312}],"concepts":[{"id":"https://openalex.org/C153083717","wikidata":"https://www.wikidata.org/wiki/Q6535263","display_name":"Leverage (statistics)","level":2,"score":0.7923035621643066},{"id":"https://openalex.org/C2776214188","wikidata":"https://www.wikidata.org/wiki/Q408386","display_name":"Inference","level":2,"score":0.746911883354187},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7075260877609253},{"id":"https://openalex.org/C41065033","wikidata":"https://www.wikidata.org/wiki/Q2825412","display_name":"Adversary","level":2,"score":0.6541649699211121},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.5474834442138672},{"id":"https://openalex.org/C65856478","wikidata":"https://www.wikidata.org/wiki/Q3991682","display_name":"Attack model","level":2,"score":0.5348932147026062},{"id":"https://openalex.org/C2779201187","wikidata":"https://www.wikidata.org/wiki/Q2775060","display_name":"Information leakage","level":2,"score":0.5165206789970398},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.5111542344093323},{"id":"https://openalex.org/C51632099","wikidata":"https://www.wikidata.org/wiki/Q3985153","display_name":"Training set","level":2,"score":0.49557816982269287},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.4888998568058014},{"id":"https://openalex.org/C198531522","wikidata":"https://www.wikidata.org/wiki/Q485146","display_name":"Sample (material)","level":2,"score":0.46879515051841736},{"id":"https://openalex.org/C42023084","wikidata":"https://www.wikidata.org/wiki/Q5249231","display_name":"Decision boundary","level":3,"score":0.46678057312965393},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.30808982253074646},{"id":"https://openalex.org/C12267149","wikidata":"https://www.wikidata.org/wiki/Q282453","display_name":"Support vector machine","level":2,"score":0.19157791137695312},{"id":"https://openalex.org/C43617362","wikidata":"https://www.wikidata.org/wiki/Q170050","display_name":"Chromatography","level":1,"score":0.0},{"id":"https://openalex.org/C185592680","wikidata":"https://www.wikidata.org/wiki/Q2329","display_name":"Chemistry","level":0,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3460120.3484575","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3460120.3484575","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16","score":0.8199999928474426}],"awards":[{"id":"https://openalex.org/G1966752340","display_name":null,"funder_award_id":"ZT-I-OO1 4","funder_id":"https://openalex.org/F4320325698","funder_display_name":"Helmholtz Association"}],"funders":[{"id":"https://openalex.org/F4320325698","display_name":"Helmholtz Association","ror":null}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":56,"referenced_works":["https://openalex.org/W9657784","https://openalex.org/W398859631","https://openalex.org/W569478347","https://openalex.org/W1473189865","https://openalex.org/W1873763122","https://openalex.org/W2040228409","https://openalex.org/W2051267297","https://openalex.org/W2095705004","https://openalex.org/W2100676408","https://openalex.org/W2111547563","https://openalex.org/W2119874464","https://openalex.org/W2180612164","https://openalex.org/W2408141691","https://openalex.org/W2461943168","https://openalex.org/W2516574342","https://openalex.org/W2535690855","https://openalex.org/W2570685808","https://openalex.org/W2603766943","https://openalex.org/W2620038827","https://openalex.org/W2748789698","https://openalex.org/W2752828042","https://openalex.org/W2786233556","https://openalex.org/W2786379237","https://openalex.org/W2795435272","https://openalex.org/W2796004214","https://openalex.org/W2796299376","https://openalex.org/W2807096445","https://openalex.org/W2884280357","https://openalex.org/W2884943453","https://openalex.org/W2897830718","https://openalex.org/W2911634294","https://openalex.org/W2913770005","https://openalex.org/W2923095117","https://openalex.org/W2932329902","https://openalex.org/W2945237470","https://openalex.org/W2946363484","https://openalex.org/W2947821610","https://openalex.org/W2963671154","https://openalex.org/W2965527189","https://openalex.org/W2976822050","https://openalex.org/W2984546022","https://openalex.org/W2990980946","https://openalex.org/W2996296329","https://openalex.org/W3008580825","https://openalex.org/W3023716276","https://openalex.org/W3046102592","https://openalex.org/W3102111060","https://openalex.org/W3103836116","https://openalex.org/W3104224589","https://openalex.org/W3138758728","https://openalex.org/W6720608135","https://openalex.org/W6728586007","https://openalex.org/W6743986261","https://openalex.org/W6746849571","https://openalex.org/W6779093661","https://openalex.org/W7043248672"],"related_works":["https://openalex.org/W4388150944","https://openalex.org/W4242235492","https://openalex.org/W189451467","https://openalex.org/W2113853244","https://openalex.org/W2604394466","https://openalex.org/W2952603690","https://openalex.org/W4387796593","https://openalex.org/W2941205169","https://openalex.org/W4328053081","https://openalex.org/W4399283307"],"abstract_inverted_index":{"Machine":[0],"learning":[1],"(ML)":[2],"has":[3,21],"been":[4],"widely":[5],"adopted":[6],"in":[7,40,154],"various":[8],"privacy-critical":[9],"applications,":[10],"e.g.,":[11],"face":[12],"recognition":[13],"and":[14,47,110,133,147,171,201],"medical":[15],"image":[16],"analysis.":[17],"However,":[18,81],"recent":[19],"research":[20],"shown":[22],"that":[23,112,139,203],"ML":[24],"models":[25],"are":[26,115,180],"vulnerable":[27,117],"to":[28,52,118,183],"attacks":[29,67,83,109,142,153,200,208],"against":[30,197],"their":[31,77],"training":[32,62],"data.":[33],"Membership":[34],"inference":[35,66,108,167],"is":[36,57],"one":[37],"major":[38],"attack":[39,132],"this":[41,102],"domain:":[42],"Given":[43],"a":[44,178],"data":[45],"sample":[46,56],"model,":[48],"an":[49],"adversary":[50],"aims":[51],"determine":[53],"whether":[54],"the":[55,60,69,74,89,93,97,150,163,184],"part":[58],"of":[59,127,165,177,207,212],"model's":[61,185],"set.":[63],"Existing":[64],"membership":[65,107,119,166],"leverage":[68],"confidence":[70],"scores":[71],"returned":[72],"by":[73],"model":[75,90,99,179],"as":[76],"inputs":[78],"(score-based":[79],"attacks).":[80],"these":[82,213],"can":[84,143,209],"be":[85],"easily":[86],"mitigated":[87],"if":[88],"only":[91],"exposes":[92],"predicted":[94],"label,":[95],"i.e.,":[96,174],"final":[98],"decision.":[100],"In":[101,121],"paper,":[103],"we":[104,123,192],"propose":[105],"decision-based":[106,128,141,199],"demonstrate":[111],"label-only":[113],"exposures":[114],"also":[116],"leakage.":[120],"particular,":[122],"develop":[124],"two":[125,205],"types":[126,206],"attacks,":[129],"namely":[130],"transfer":[131],"boundary":[134,187],"attack.":[135],"Empirical":[136],"evaluation":[137],"shows":[138],"our":[140,198,204],"achieve":[144],"remarkable":[145],"performance,":[146],"even":[148],"outperform":[149],"previous":[151],"score-based":[152],"some":[155],"cases.":[156],"We":[157],"further":[158],"present":[159],"new":[160],"insights":[161],"on":[162,169],"success":[164],"based":[168],"quantitative":[170],"qualitative":[172],"analysis,":[173],"member":[175],"samples":[176],"more":[181],"distant":[182],"decision":[186],"than":[188],"non-member":[189],"samples.":[190],"Finally,":[191],"evaluate":[193],"multiple":[194],"defense":[195],"mechanisms":[196],"show":[202],"bypass":[210],"most":[211],"defenses.":[214]},"counts_by_year":[{"year":2026,"cited_by_count":5},{"year":2025,"cited_by_count":39},{"year":2024,"cited_by_count":53},{"year":2023,"cited_by_count":42},{"year":2022,"cited_by_count":36},{"year":2021,"cited_by_count":10}],"updated_date":"2026-04-23T09:07:50.710637","created_date":"2025-10-10T00:00:00"}