Defending Against Membership Inference Attack by Shielding Membership Signals

Member Inference Attack (MIA) is a key measure for evaluating privacy leakage in Machine Learning (ML) models, aiming to distinguish private members from non-members by training the attack model. In addition to the traditional MIA, the recently proposed Generative Adversarial Network (GAN)-based MIA can help the adversary know the distribution of the victim's private dataset, thereby significantly improving attack accuracy. For traditional attacks and this new type of attack, previous defense schemes cannot handle the trade-off between privacy and utility well. To this end, we propose a defense solution using multi-model ensemble framework. Specifically, we train multiple submodels to hide membership signals and resist MIA, achieving reduced privacy leakage while guaranteeing the effectiveness of the target model. Our security analysis shows that our scheme can provide privacy protection while preserving model utility. Experimental results on widely used datasets show that our scheme can effectively resist MIAs with negligible utility loss.