Privacy Leaks by Adversaries: Adversarial Iterations for Membership Inference Attack

Jing Xue; Zhishen Sun; Haishan Ye; Luo Luo; Xiangyu Chang; Guang Dai

doi:10.1609/aaai.v40i42.40912

Privacy Leaks by Adversaries: Adversarial Iterations for Membership Inference Attack

Jing Xue
, Zhishen Sun
, Haishan Ye
, Luo Luo
, Xiangyu Chang
, Guang Dai

School of Management

Xi'an Jiaotong University
State Grid Corporation of China
Fudan University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Membership inference attack (MIA) has become one of the most widely used and effective methods for evaluating the privacy risks of machine learning models. This attack aims to determine whether a specific sample is part of the model’s training set by analyzing the model’s output. While traditional membership inference attacks focus on leveraging the model’s posterior output, such as confidence on the target sample, we propose IMIA, a novel attack strategy that utilizes the process of generating adversarial samples to infer membership. We propose to infer the member properties of the target sample using the number of iterations required to generate its adversarial sample. We conduct experiments across multiple models and datasets, and our results demonstrate that the number of iterations for generating an adversarial sample is a reliable feature for membership inference, achieving strong performance both in black-box and white-box attack scenarios. This work provides a new perspective for evaluating model privacy and highlights the potential of adversarial example-based features for privacy leakage assessment.

Original language	English
Title of host publication	Proceedings of the AAAI Conference on Artificial Intelligence
Editors	Sven Koenig, Chad Jenkins, Matthew E. Taylor
Publisher	Association for the Advancement of Artificial Intelligence
Pages	35967-35975
Number of pages	9
Edition	42
ISBN (Print)	9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067, 9781577359067
DOIs	https://doi.org/10.1609/aaai.v40i42.40912
State	Published - 2026
Event	40th AAAI Conference on Artificial Intelligence, AAAI 2026 - Singapore, Singapore Duration: 20 Jan 2026 → 27 Jan 2026

Publication series

Name	Proceedings of the AAAI Conference on Artificial Intelligence
Number	42
Volume	40
ISSN (Print)	2159-5399
ISSN (Electronic)	2374-3468

Conference

Conference	40th AAAI Conference on Artificial Intelligence, AAAI 2026
Country/Territory	Singapore
City	Singapore
Period	20/01/26 → 27/01/26

Access to Document

10.1609/aaai.v40i42.40912

Cite this

Xue, J., Sun, Z., Ye, H., Luo, L., Chang, X., & Dai, G. (2026). Privacy Leaks by Adversaries: Adversarial Iterations for Membership Inference Attack. In S. Koenig, C. Jenkins, & M. E. Taylor (Eds.), Proceedings of the AAAI Conference on Artificial Intelligence (42 ed., pp. 35967-35975). (Proceedings of the AAAI Conference on Artificial Intelligence; Vol. 40, No. 42). Association for the Advancement of Artificial Intelligence. https://doi.org/10.1609/aaai.v40i42.40912

Xue, Jing ; Sun, Zhishen ; Ye, Haishan et al. / Privacy Leaks by Adversaries : Adversarial Iterations for Membership Inference Attack. Proceedings of the AAAI Conference on Artificial Intelligence. editor / Sven Koenig ; Chad Jenkins ; Matthew E. Taylor. 42. ed. Association for the Advancement of Artificial Intelligence, 2026. pp. 35967-35975 (Proceedings of the AAAI Conference on Artificial Intelligence; 42).

@inproceedings{956331dcce0c41da96315fec634c7ab3,

title = "Privacy Leaks by Adversaries: Adversarial Iterations for Membership Inference Attack",

abstract = "Membership inference attack (MIA) has become one of the most widely used and effective methods for evaluating the privacy risks of machine learning models. This attack aims to determine whether a specific sample is part of the model{\textquoteright}s training set by analyzing the model{\textquoteright}s output. While traditional membership inference attacks focus on leveraging the model{\textquoteright}s posterior output, such as confidence on the target sample, we propose IMIA, a novel attack strategy that utilizes the process of generating adversarial samples to infer membership. We propose to infer the member properties of the target sample using the number of iterations required to generate its adversarial sample. We conduct experiments across multiple models and datasets, and our results demonstrate that the number of iterations for generating an adversarial sample is a reliable feature for membership inference, achieving strong performance both in black-box and white-box attack scenarios. This work provides a new perspective for evaluating model privacy and highlights the potential of adversarial example-based features for privacy leakage assessment.",

author = "Jing Xue and Zhishen Sun and Haishan Ye and Luo Luo and Xiangyu Chang and Guang Dai",

note = "Publisher Copyright: {\textcopyright} 2026, Association for the Advancement of Artificial Intelligence (www.aaai.org). All rights reserved.; 40th AAAI Conference on Artificial Intelligence, AAAI 2026 ; Conference date: 20-01-2026 Through 27-01-2026",

year = "2026",

doi = "10.1609/aaai.v40i42.40912",

language = "英语",

isbn = "9781577359067",

series = "Proceedings of the AAAI Conference on Artificial Intelligence",

publisher = "Association for the Advancement of Artificial Intelligence",

number = "42",

pages = "35967--35975",

editor = "Sven Koenig and Chad Jenkins and Taylor, \{Matthew E.\}",

booktitle = "Proceedings of the AAAI Conference on Artificial Intelligence",

edition = "42",

}

Xue, J, Sun, Z, Ye, H, Luo, L, Chang, X & Dai, G 2026, Privacy Leaks by Adversaries: Adversarial Iterations for Membership Inference Attack. in S Koenig, C Jenkins & ME Taylor (eds), Proceedings of the AAAI Conference on Artificial Intelligence. 42 edn, Proceedings of the AAAI Conference on Artificial Intelligence, no. 42, vol. 40, Association for the Advancement of Artificial Intelligence, pp. 35967-35975, 40th AAAI Conference on Artificial Intelligence, AAAI 2026, Singapore, Singapore, 20/01/26. https://doi.org/10.1609/aaai.v40i42.40912

Privacy Leaks by Adversaries: Adversarial Iterations for Membership Inference Attack. / Xue, Jing; Sun, Zhishen; Ye, Haishan et al.
Proceedings of the AAAI Conference on Artificial Intelligence. ed. / Sven Koenig; Chad Jenkins; Matthew E. Taylor. 42. ed. Association for the Advancement of Artificial Intelligence, 2026. p. 35967-35975 (Proceedings of the AAAI Conference on Artificial Intelligence; Vol. 40, No. 42).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Privacy Leaks by Adversaries

T2 - 40th AAAI Conference on Artificial Intelligence, AAAI 2026

AU - Xue, Jing

AU - Sun, Zhishen

AU - Ye, Haishan

AU - Luo, Luo

AU - Chang, Xiangyu

AU - Dai, Guang

PY - 2026

Y1 - 2026

N2 - Membership inference attack (MIA) has become one of the most widely used and effective methods for evaluating the privacy risks of machine learning models. This attack aims to determine whether a specific sample is part of the model’s training set by analyzing the model’s output. While traditional membership inference attacks focus on leveraging the model’s posterior output, such as confidence on the target sample, we propose IMIA, a novel attack strategy that utilizes the process of generating adversarial samples to infer membership. We propose to infer the member properties of the target sample using the number of iterations required to generate its adversarial sample. We conduct experiments across multiple models and datasets, and our results demonstrate that the number of iterations for generating an adversarial sample is a reliable feature for membership inference, achieving strong performance both in black-box and white-box attack scenarios. This work provides a new perspective for evaluating model privacy and highlights the potential of adversarial example-based features for privacy leakage assessment.

AB - Membership inference attack (MIA) has become one of the most widely used and effective methods for evaluating the privacy risks of machine learning models. This attack aims to determine whether a specific sample is part of the model’s training set by analyzing the model’s output. While traditional membership inference attacks focus on leveraging the model’s posterior output, such as confidence on the target sample, we propose IMIA, a novel attack strategy that utilizes the process of generating adversarial samples to infer membership. We propose to infer the member properties of the target sample using the number of iterations required to generate its adversarial sample. We conduct experiments across multiple models and datasets, and our results demonstrate that the number of iterations for generating an adversarial sample is a reliable feature for membership inference, achieving strong performance both in black-box and white-box attack scenarios. This work provides a new perspective for evaluating model privacy and highlights the potential of adversarial example-based features for privacy leakage assessment.

UR - https://www.scopus.com/pages/publications/105035019801

U2 - 10.1609/aaai.v40i42.40912

DO - 10.1609/aaai.v40i42.40912

M3 - 会议稿件

AN - SCOPUS:105035019801

SN - 9781577359067

T3 - Proceedings of the AAAI Conference on Artificial Intelligence

SP - 35967

EP - 35975

BT - Proceedings of the AAAI Conference on Artificial Intelligence

A2 - Koenig, Sven

A2 - Jenkins, Chad

A2 - Taylor, Matthew E.

PB - Association for the Advancement of Artificial Intelligence

Y2 - 20 January 2026 through 27 January 2026

ER -

Xue J, Sun Z, Ye H, Luo L, Chang X, Dai G. Privacy Leaks by Adversaries: Adversarial Iterations for Membership Inference Attack. In Koenig S, Jenkins C, Taylor ME, editors, Proceedings of the AAAI Conference on Artificial Intelligence. 42 ed. Association for the Advancement of Artificial Intelligence. 2026. p. 35967-35975. (Proceedings of the AAAI Conference on Artificial Intelligence; 42). doi: 10.1609/aaai.v40i42.40912

Privacy Leaks by Adversaries: Adversarial Iterations for Membership Inference Attack

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this