{"id":"https://openalex.org/W2973232880","doi":"https://doi.org/10.1109/spw.2019.00021","title":"Membership Inference Attacks Against Adversarially Robust Deep Learning Models","display_name":"Membership Inference Attacks Against Adversarially Robust Deep Learning Models","publication_year":2019,"publication_date":"2019-05-01","ids":{"openalex":"https://openalex.org/W2973232880","doi":"https://doi.org/10.1109/spw.2019.00021","mag":"2973232880"},"language":"en","primary_location":{"is_oa":true,"landing_page_url":"https://doi.org/10.1109/spw.2019.00021","pdf_url":"https://ieeexplore.ieee.org/ielx7/8834415/8844588/08844607.pdf","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true},"type":"article","type_crossref":"proceedings-article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"bronze","oa_url":"https://ieeexplore.ieee.org/ielx7/8834415/8844588/08844607.pdf","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5101908173","display_name":"Liwei Song","orcid":"https://orcid.org/0000-0003-4176-590X"},"institutions":[{"id":"https://openalex.org/I20089843","display_name":"Princeton University","ror":"https://ror.org/00hx57361","country_code":"US","type":"education","lineage":["https://openalex.org/I20089843"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Liwei Song","raw_affiliation_strings":["Princeton University"],"affiliations":[{"raw_affiliation_string":"Princeton University","institution_ids":["https://openalex.org/I20089843"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5084892128","display_name":"Reza Shokri","orcid":"https://orcid.org/0000-0001-9816-0173"},"institutions":[{"id":"https://openalex.org/I165932596","display_name":"National University of Singapore","ror":"https://ror.org/01tgyzw49","country_code":"SG","type":"education","lineage":["https://openalex.org/I165932596"]}],"countries":["SG"],"is_corresponding":false,"raw_author_name":"Reza Shokri","raw_affiliation_strings":["National University of Singapore"],"affiliations":[{"raw_affiliation_string":"National University of Singapore","institution_ids":["https://openalex.org/I165932596"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5015619835","display_name":"Prateek Mittal","orcid":"https://orcid.org/0000-0002-4057-0118"},"institutions":[{"id":"https://openalex.org/I20089843","display_name":"Princeton University","ror":"https://ror.org/00hx57361","country_code":"US","type":"education","lineage":["https://openalex.org/I20089843"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Prateek Mittal","raw_affiliation_strings":["Princeton University"],"affiliations":[{"raw_affiliation_string":"Princeton University","institution_ids":["https://openalex.org/I20089843"]}]}],"institution_assertions":[],"countries_distinct_count":2,"institutions_distinct_count":2,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":3.429,"has_fulltext":true,"fulltext_origin":"pdf","cited_by_count":70,"citation_normalized_percentile":{"value":0.999908,"is_in_top_1_percent":true,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":97,"max":98},"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9999,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9999,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10764","display_name":"Privacy-Preserving Technologies in Data","score":0.9935,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10883","display_name":"Ethics and Social Impacts of AI","score":0.9274,"subfield":{"id":"https://openalex.org/subfields/3311","display_name":"Safety Research"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/robustness","display_name":"Robustness","score":0.689142},{"id":"https://openalex.org/keywords/overfitting","display_name":"Overfitting","score":0.68444383}],"concepts":[{"id":"https://openalex.org/C2776214188","wikidata":"https://www.wikidata.org/wiki/Q408386","display_name":"Inference","level":2,"score":0.8415196},{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.81419766},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.76628715},{"id":"https://openalex.org/C63479239","wikidata":"https://www.wikidata.org/wiki/Q7353546","display_name":"Robustness (evolution)","level":3,"score":0.689142},{"id":"https://openalex.org/C22019652","wikidata":"https://www.wikidata.org/wiki/Q331309","display_name":"Overfitting","level":3,"score":0.68444383},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.6407873},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.6202643},{"id":"https://openalex.org/C36503486","wikidata":"https://www.wikidata.org/wiki/Q11235244","display_name":"Domain (mathematical analysis)","level":2,"score":0.47097066},{"id":"https://openalex.org/C108583219","wikidata":"https://www.wikidata.org/wiki/Q197536","display_name":"Deep learning","level":2,"score":0.44245252},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.40206307},{"id":"https://openalex.org/C50644808","wikidata":"https://www.wikidata.org/wiki/Q192776","display_name":"Artificial neural network","level":2,"score":0.13441911},{"id":"https://openalex.org/C33923547","wikidata":"https://www.wikidata.org/wiki/Q395","display_name":"Mathematics","level":0,"score":0.10737419},{"id":"https://openalex.org/C134306372","wikidata":"https://www.wikidata.org/wiki/Q7754","display_name":"Mathematical analysis","level":1,"score":0.0},{"id":"https://openalex.org/C55493867","wikidata":"https://www.wikidata.org/wiki/Q7094","display_name":"Biochemistry","level":1,"score":0.0},{"id":"https://openalex.org/C185592680","wikidata":"https://www.wikidata.org/wiki/Q2329","display_name":"Chemistry","level":0,"score":0.0},{"id":"https://openalex.org/C104317684","wikidata":"https://www.wikidata.org/wiki/Q7187","display_name":"Gene","level":2,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"is_oa":true,"landing_page_url":"https://doi.org/10.1109/spw.2019.00021","pdf_url":"https://ieeexplore.ieee.org/ielx7/8834415/8844588/08844607.pdf","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true}],"best_oa_location":{"is_oa":true,"landing_page_url":"https://doi.org/10.1109/spw.2019.00021","pdf_url":"https://ieeexplore.ieee.org/ielx7/8834415/8844588/08844607.pdf","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true},"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/16","score":0.76,"display_name":"Peace, justice, and strong institutions"}],"grants":[],"datasets":[],"versions":[],"referenced_works_count":39,"referenced_works":["https://openalex.org/W1673923490","https://openalex.org/W1945616565","https://openalex.org/W2051267297","https://openalex.org/W2053637704","https://openalex.org/W2095577883","https://openalex.org/W2112507308","https://openalex.org/W2473418344","https://openalex.org/W2535690855","https://openalex.org/W2603766943","https://openalex.org/W2753783305","https://openalex.org/W2757528734","https://openalex.org/W2773446523","https://openalex.org/W2795435272","https://openalex.org/W2799032899","https://openalex.org/W2805807555","https://openalex.org/W2884943453","https://openalex.org/W2897830718","https://openalex.org/W2903800384","https://openalex.org/W2930926105","https://openalex.org/W2949523979","https://openalex.org/W2962763344","https://openalex.org/W2962943487","https://openalex.org/W2962972504","https://openalex.org/W2963143631","https://openalex.org/W2963207607","https://openalex.org/W2963343288","https://openalex.org/W2963496101","https://openalex.org/W2963857521","https://openalex.org/W2963888996","https://openalex.org/W2964137095","https://openalex.org/W2964153729","https://openalex.org/W2964253222","https://openalex.org/W3103245149","https://openalex.org/W4235152108","https://openalex.org/W4247200422","https://openalex.org/W4293846201","https://openalex.org/W4298140072","https://openalex.org/W4323340212","https://openalex.org/W9657784"],"related_works":["https://openalex.org/W4378510483","https://openalex.org/W4376166922","https://openalex.org/W4362597605","https://openalex.org/W4297676672","https://openalex.org/W4281702477","https://openalex.org/W4221142204","https://openalex.org/W3099765033","https://openalex.org/W2922073769","https://openalex.org/W2490526372","https://openalex.org/W1574414179"],"abstract_inverted_index":{"In":[0,54],"recent":[1],"years,":[2],"the":[3,11,22,26,39,51,70,81,103,116,132,141,161,171,200,213,226,247,250],"research":[4],"community":[5],"has":[6],"increasingly":[7],"focused":[8],"on":[9,50,170,188,252],"understanding":[10,64],"security":[12,23],"and":[13,25,99,121,174,193,212,260],"privacy":[14,27,214],"challenges":[15],"posed":[16],"by":[17,79,146,244],"deep":[18,66],"learning":[19,67],"models.":[20],"However,":[21,240],"domain":[24,28,44],"have":[29,46],"typically":[30],"been":[31],"considered":[32],"separately.":[33],"It":[34],"is":[35,204,216,242],"thus":[36],"unclear":[37],"whether":[38],"defense":[40,91,136,228],"methods":[41,92,137],"in":[42,115,160,267],"one":[43,104],"will":[45],"any":[47],"unexpected":[48],"impact":[49],"other":[52,133],"domain.":[53],"this":[55,78,241],"paper,":[56],"we":[57,197],"take":[58],"a":[59,154],"step":[60],"towards":[61],"enhancing":[62],"our":[63],"of":[65,83,143,236,249],"models":[68,145,192],"when":[69],"two":[71,88,269],"domains":[72],"are":[73,122,151,263],"combined":[74],"together.":[75],"We":[76,222],"do":[77],"measuring":[80],"success":[82,235],"membership":[84,106,179,185,209,237],"inference":[85,107,180,186,210,238],"attacks":[86,108,187],"against":[87],"state-of-the-art":[89],"adversarial":[90,97,135,165,201],"that":[93,148,199,225,257],"mitigate":[94],"evasion":[95],"attacks:":[96],"training":[98,119,162,172,202],"provable":[100,227],"defense.":[101],"On":[102,131],"hand,":[105,134],"aim":[109,138],"to":[110,124,139,178,208,233],"infer":[111],"an":[112],"individual's":[113],"participation":[114],"_target":[117,128,144],"model's":[118,129],"dataset":[120,173],"known":[123],"be":[125,175],"correlated":[126,218],"with":[127,219],"overfitting.":[130],"enhance":[140],"robustness":[142],"ensuring":[147],"model":[149,220,251],"predictions":[150],"unchanged":[152],"for":[153],"small":[155],"area":[156],"around":[157],"each":[158],"sample":[159],"dataset.":[163],"Intuitively,":[164],"defenses":[166],"may":[167],"rely":[168],"more":[169,176,206],"vulnerable":[177],"attacks.":[181,239],"By":[182],"performing":[183],"empirical":[184],"both":[189],"adversarially":[190],"robust":[191],"corresponding":[194],"undefended":[195],"models,":[196],"find":[198,224],"method":[203],"indeed":[205],"susceptible":[207],"attacks,":[211],"leakage":[215],"directly":[217],"robustness.":[221],"also":[223],"approach":[229],"does":[230],"not":[231,264],"lead":[232],"enhanced":[234],"achieved":[243,266],"significantly":[245],"sacrificing":[246],"accuracy":[248,262],"benign":[253],"data":[254],"points,":[255],"indicating":[256],"privacy,":[258],"security,":[259],"prediction":[261],"jointly":[265],"these":[268],"approaches.":[270]},"cited_by_api_url":"https://api.openalex.org/works?filter=cites:W2973232880","counts_by_year":[{"year":2024,"cited_by_count":7},{"year":2023,"cited_by_count":12},{"year":2022,"cited_by_count":17},{"year":2021,"cited_by_count":19},{"year":2020,"cited_by_count":13},{"year":2019,"cited_by_count":1},{"year":2018,"cited_by_count":1}],"updated_date":"2025-01-10T15:46:41.569306","created_date":"2019-09-26"}
  <script>parent.window.postMessage('ixistenz.url:https://api.openalex.org/works/doi:10.1109%2FSPW.2019.00021', '*'); </script> <div id='browserdiffcontainer' style='position: fixed; right: 10px; top: 10vh; min-width: 60px;  border: 1px solid white; background: rgb(251, 189, 0);; opacity: 0.9; font-family: helvetica, arial, sans serif;  font-size: 12px; z-index: 20001; padding-bottom: 20px;'><div onclick="toggle('browserdiffcontainerlist'); return false;" style='background: rgb(151, 89, 0);; color: white; '><strong>&nbsp; <span class='glyphicon glyphicon-minus'></span> NODES</strong></div><div id='browserdiffcontainerlist' style='padding-left: 10px; padding-right: 5px; max-height: 50vh; overflow: auto; '><div><a href='#diffid116' style='color: white;' onClick="parent.window.postMessage('ixistenz.opendiff:116', '*');; return false;" style='text-decoration: none; '>COMMUNITY </a> <a style='color: white;' href='#diffid116'><sup>1</sup></a></div></div></div>
<script>
function toggle( divname ) {
  var x = document.getElementById( divname );
  if (x.style.display === 'none') {
    x.style.display = 'block';
  } else {
    x.style.display = 'none';
  }
} </script>