Zitao Chen and Karthik Pattabiraman, To appear in the Network and Distributed Systems Security Symposium (NDSS), 2025. (Acceptance Rate: TBD) [ PDF (Coming soon) | Talk ] (Code) (arXIV version)
Abstract:Modern machine learning (ML) ecosystems offer a surging number of ML frameworks and code repositories that can greatly facilitate the development of ML models. Today, even ordinary data holders who are not ML experts can apply an off-the-shelf codebase to build high-performance ML models on their data, which are often sensitive in nature (e.g., clinical records).
In this work, we consider a malicious ML provider who supplies model-training code to the data holders, does not have access to the training process, and has only black-box query access to the resulting model. In this setting, we demonstrate a new form of \emph{membership inference attack} that is strictly more powerful than prior art. Our attack empowers the adversary to reliably de-identify all the training samples (average>99\% attack TPR@0.1% FPR). Further, the compromised models still maintain competitive performance as their uncorrupted counterparts (average<1% accuracy drop). Finally, we show that the poisoned models can effectively disguise the amplified membership leakage under common membership privacy auditing, which can only be revealed by a set of secret samples known by the adversary.
Overall, our study not only points to the {worst-case} membership privacy leakage, but also unveils a common pitfall underlying existing privacy auditing methods. Thus, our work is a call-to-arms for future efforts to rethink the current practice of auditing membership privacy in machine learning models.