{"id":"https://openalex.org/W4405182554","doi":"https://doi.org/10.1145/3658644.3690268","title":"Membership Inference Attacks against Vision Transformers: Mosaic MixUp Training to the Defense","display_name":"Membership Inference Attacks against Vision Transformers: Mosaic MixUp Training to the Defense","publication_year":2024,"publication_date":"2024-12-02","ids":{"openalex":"https://openalex.org/W4405182554","doi":"https://doi.org/10.1145/3658644.3690268"},"language":"en","primary_location":{"id":"doi:10.1145/3658644.3690268","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3658644.3690268","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3658644.3690268","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://dl.acm.org/doi/pdf/10.1145/3658644.3690268","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5006382818","display_name":"Qiankun Zhang","orcid":"https://orcid.org/0000-0002-8034-2689"},"institutions":[{"id":"https://openalex.org/I47720641","display_name":"Huazhong University of Science and Technology","ror":"https://ror.org/00p991c53","country_code":"CN","type":"education","lineage":["https://openalex.org/I47720641"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Qiankun Zhang","raw_affiliation_strings":["School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan, Hubei, China"],"affiliations":[{"raw_affiliation_string":"School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan, Hubei, China","institution_ids":["https://openalex.org/I47720641"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Di Yuan","orcid":"https://orcid.org/0009-0002-4078-5140"},"institutions":[{"id":"https://openalex.org/I47720641","display_name":"Huazhong University of Science and Technology","ror":"https://ror.org/00p991c53","country_code":"CN","type":"education","lineage":["https://openalex.org/I47720641"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Di Yuan","raw_affiliation_strings":["School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan, Hubei, China"],"affiliations":[{"raw_affiliation_string":"School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan, Hubei, China","institution_ids":["https://openalex.org/I47720641"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Boyu Zhang","orcid":"https://orcid.org/0009-0005-1100-2233"},"institutions":[{"id":"https://openalex.org/I47720641","display_name":"Huazhong University of Science and Technology","ror":"https://ror.org/00p991c53","country_code":"CN","type":"education","lineage":["https://openalex.org/I47720641"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Boyu Zhang","raw_affiliation_strings":["School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan, Hubei, China"],"affiliations":[{"raw_affiliation_string":"School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan, Hubei, China","institution_ids":["https://openalex.org/I47720641"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5076311357","display_name":"Bin Yuan","orcid":"https://orcid.org/0000-0002-5365-904X"},"institutions":[{"id":"https://openalex.org/I47720641","display_name":"Huazhong University of Science and Technology","ror":"https://ror.org/00p991c53","country_code":"CN","type":"education","lineage":["https://openalex.org/I47720641"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Bin Yuan","raw_affiliation_strings":["School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan, Hubei, China"],"affiliations":[{"raw_affiliation_string":"School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan, Hubei, China","institution_ids":["https://openalex.org/I47720641"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5062738729","display_name":"Bingqian Du","orcid":"https://orcid.org/0000-0002-4825-8153"},"institutions":[{"id":"https://openalex.org/I47720641","display_name":"Huazhong University of Science and Technology","ror":"https://ror.org/00p991c53","country_code":"CN","type":"education","lineage":["https://openalex.org/I47720641"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Bingqian Du","raw_affiliation_strings":["School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan, Hubei, China"],"affiliations":[{"raw_affiliation_string":"School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan, Hubei, China","institution_ids":["https://openalex.org/I47720641"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5006382818"],"corresponding_institution_ids":["https://openalex.org/I47720641"],"apc_list":null,"apc_paid":null,"fwci":0.2446,"has_fulltext":true,"cited_by_count":1,"citation_normalized_percentile":{"value":0.55939549,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":91,"max":95},"biblio":{"volume":null,"issue":null,"first_page":"1256","last_page":"1270"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10036","display_name":"Advanced Neural Network Applications","score":0.9991999864578247,"subfield":{"id":"https://openalex.org/subfields/1707","display_name":"Computer Vision and Pattern Recognition"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10036","display_name":"Advanced Neural Network Applications","score":0.9991999864578247,"subfield":{"id":"https://openalex.org/subfields/1707","display_name":"Computer Vision and Pattern Recognition"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11605","display_name":"Visual Attention and Saliency Detection","score":0.9911999702453613,"subfield":{"id":"https://openalex.org/subfields/1707","display_name":"Computer Vision and Pattern Recognition"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11307","display_name":"Domain Adaptation and Few-Shot Learning","score":0.9857000112533569,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/inference","display_name":"Inference","score":0.7416268587112427},{"id":"https://openalex.org/keywords/transformer","display_name":"Transformer","score":0.7217334508895874},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.6586325764656067},{"id":"https://openalex.org/keywords/embedding","display_name":"Embedding","score":0.609850287437439},{"id":"https://openalex.org/keywords/recall","display_name":"Recall","score":0.5443418025970459},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.5020523071289062},{"id":"https://openalex.org/keywords/machine-learning","display_name":"Machine learning","score":0.4342736005783081},{"id":"https://openalex.org/keywords/architecture","display_name":"Architecture","score":0.42858976125717163},{"id":"https://openalex.org/keywords/training-set","display_name":"Training set","score":0.42296335101127625},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.37398970127105713},{"id":"https://openalex.org/keywords/engineering","display_name":"Engineering","score":0.2081661820411682},{"id":"https://openalex.org/keywords/psychology","display_name":"Psychology","score":0.08332493901252747}],"concepts":[{"id":"https://openalex.org/C2776214188","wikidata":"https://www.wikidata.org/wiki/Q408386","display_name":"Inference","level":2,"score":0.7416268587112427},{"id":"https://openalex.org/C66322947","wikidata":"https://www.wikidata.org/wiki/Q11658","display_name":"Transformer","level":3,"score":0.7217334508895874},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6586325764656067},{"id":"https://openalex.org/C41608201","wikidata":"https://www.wikidata.org/wiki/Q980509","display_name":"Embedding","level":2,"score":0.609850287437439},{"id":"https://openalex.org/C100660578","wikidata":"https://www.wikidata.org/wiki/Q18733","display_name":"Recall","level":2,"score":0.5443418025970459},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.5020523071289062},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.4342736005783081},{"id":"https://openalex.org/C123657996","wikidata":"https://www.wikidata.org/wiki/Q12271","display_name":"Architecture","level":2,"score":0.42858976125717163},{"id":"https://openalex.org/C51632099","wikidata":"https://www.wikidata.org/wiki/Q3985153","display_name":"Training set","level":2,"score":0.42296335101127625},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.37398970127105713},{"id":"https://openalex.org/C127413603","wikidata":"https://www.wikidata.org/wiki/Q11023","display_name":"Engineering","level":0,"score":0.2081661820411682},{"id":"https://openalex.org/C15744967","wikidata":"https://www.wikidata.org/wiki/Q9418","display_name":"Psychology","level":0,"score":0.08332493901252747},{"id":"https://openalex.org/C153349607","wikidata":"https://www.wikidata.org/wiki/Q36649","display_name":"Visual arts","level":1,"score":0.0},{"id":"https://openalex.org/C165801399","wikidata":"https://www.wikidata.org/wiki/Q25428","display_name":"Voltage","level":2,"score":0.0},{"id":"https://openalex.org/C119599485","wikidata":"https://www.wikidata.org/wiki/Q43035","display_name":"Electrical engineering","level":1,"score":0.0},{"id":"https://openalex.org/C180747234","wikidata":"https://www.wikidata.org/wiki/Q23373","display_name":"Cognitive psychology","level":1,"score":0.0},{"id":"https://openalex.org/C142362112","wikidata":"https://www.wikidata.org/wiki/Q735","display_name":"Art","level":0,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3658644.3690268","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3658644.3690268","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3658644.3690268","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.1145/3658644.3690268","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3658644.3690268","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3658644.3690268","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G1434328829","display_name":null,"funder_award_id":"62372191","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G2087396116","display_name":null,"funder_award_id":"China","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G3317480652","display_name":null,"funder_award_id":"Science","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G52572893","display_name":null,"funder_award_id":"62202197","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G5994120800","display_name":null,"funder_award_id":"Natural","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G6048716046","display_name":null,"funder_award_id":"62302183, 62372191, 62302187","funder_id":"https://openalex.org/F4320323817","funder_display_name":"Universitas Brawijaya"},{"id":"https://openalex.org/G6058138561","display_name":null,"funder_award_id":", No.","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G658255779","display_name":null,"funder_award_id":"62302183","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G7607908787","display_name":null,"funder_award_id":"202404","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G8863666567","display_name":null,"funder_award_id":"and No.","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"}],"funders":[{"id":"https://openalex.org/F4320321001","display_name":"National Natural Science Foundation of China","ror":"https://ror.org/01h0zpd94"},{"id":"https://openalex.org/F4320323817","display_name":"Universitas Brawijaya","ror":"https://ror.org/01wk3d929"}],"has_content":{"grobid_xml":true,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4405182554.pdf","grobid_xml":"https://content.openalex.org/works/W4405182554.grobid-xml"},"referenced_works_count":25,"referenced_works":["https://openalex.org/W2108598243","https://openalex.org/W2473418344","https://openalex.org/W2794825826","https://openalex.org/W2884943453","https://openalex.org/W2887995258","https://openalex.org/W2912568927","https://openalex.org/W2954996726","https://openalex.org/W2963378725","https://openalex.org/W2965527189","https://openalex.org/W2983140679","https://openalex.org/W3096609285","https://openalex.org/W3102785203","https://openalex.org/W3121523901","https://openalex.org/W3138516171","https://openalex.org/W3158803559","https://openalex.org/W3159043981","https://openalex.org/W3212600502","https://openalex.org/W4213019189","https://openalex.org/W4285531802","https://openalex.org/W4300072878","https://openalex.org/W4308410741","https://openalex.org/W4308469411","https://openalex.org/W4315746341","https://openalex.org/W4384155751","https://openalex.org/W6745136726"],"related_works":["https://openalex.org/W2081900870","https://openalex.org/W2037549926","https://openalex.org/W2345479200","https://openalex.org/W2183306018","https://openalex.org/W2055243143","https://openalex.org/W2118758177","https://openalex.org/W4206178588","https://openalex.org/W3094491777","https://openalex.org/W3214715529","https://openalex.org/W4287635093"],"abstract_inverted_index":{"Vision":[0],"transformers":[1],"(ViTs)":[2],"have":[3],"demonstrated":[4],"great":[5],"success":[6],"in":[7],"various":[8],"fundamental":[9],"CV":[10],"tasks,":[11],"mainly":[12],"benefiting":[13],"from":[14],"their":[15],"self-attention-based":[16],"transformer":[17],"architectures,":[18],"and":[19,55,86,105,122,148,155,191],"the":[20,49,75,79,92,157],"paradigm":[21],"of":[22],"pre-training":[23],"followed":[24],"by":[25,97,110],"fine-tuning.":[26],"However,":[27],"such":[28,37],"advantages":[29],"may":[30],"lead":[31],"to":[32,186],"significant":[33],"data":[34],"privacy":[35],"risks,":[36],"as":[38,137],"membership":[39],"inference":[40],"attacks":[41],"(MIAs),":[42],"which":[43],"remain":[44],"unclear.":[45],"This":[46],"paper":[47],"presents":[48],"first":[50,61],"comprehensive":[51],"study":[52],"on":[53,70,91,114],"MIAs":[54],"corresponding":[56,158],"defenses":[57],"against":[58,140],"ViTs.":[59],"Our":[60,166],"contribution":[62],"is":[63],"a":[64,115,126,138,152,161,172],"rollout-attention-based":[65],"MIA":[66],"method":[67],"(RAMIA),":[68],"based":[69],"an":[71],"experimental":[72,112],"observation":[73,113],"that":[74],"attention,":[76,81],"more":[77],"precisely":[78],"rollout":[80],"behaves":[82],"disproportionately":[83],"for":[84,129],"members":[85],"non-members.":[87],"We":[88],"evaluate":[89,188],"RAMIA":[90,190],"standard":[93],"ViT":[94],"architecture":[95],"proposed":[96],"Google":[98],"(ICLR":[99],"2021),":[100],"achieving":[101],"high":[102],"accuracy,":[103],"precision,":[104],"recall":[106],"performance.":[107],"Further,":[108],"inspired":[109],"another":[111],"strong":[116],"connection":[117],"between":[118],"positional":[119],"embeddings":[120],"(PEs)":[121],"attentions,":[123],"we":[124],"propose":[125],"novel":[127],"framework":[128],"training":[130],"ViTs,":[131],"named":[132],"Mosaic":[133],"MixUp":[134],"Training":[135],"(MMUT),":[136],"defense":[139,180],"RAMIA.":[141],"Intuitively,":[142],"MMUT":[143,170],"mixes":[144],"up":[145],"private":[146],"images":[147],"public":[149],"ones":[150],"at":[151],"patch":[153],"level,":[154],"mosaics":[156],"PEs":[159],"with":[160],"global":[162],"learnable":[163],"mosaic":[164],"embedding.":[165],"empirical":[167],"results":[168],"show":[169],"achieves":[171],"much":[173],"better":[174],"accuracy-privacy":[175],"trade-off":[176],"than":[177],"some":[178],"common":[179],"mechanisms.":[181],"Extensive":[182],"experiments":[183],"are":[184],"conducted":[185],"rigorously":[187],"both":[189],"MMUT.":[192]},"counts_by_year":[{"year":2025,"cited_by_count":1}],"updated_date":"2026-04-10T15:06:20.359241","created_date":"2025-10-10T00:00:00"}