{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,9]],"date-time":"2026-04-09T12:11:07Z","timestamp":1775736667071,"version":"3.50.1"},"reference-count":37,"publisher":"Oxford University Press (OUP)","issue":"11","license":[{"start":{"date-parts":[[2022,10,3]],"date-time":"2022-10-03T00:00:00Z","timestamp":1664755200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/academic.oup.com\/journals\/pages\/open_access\/funder_policies\/chorus\/standard_publication_model"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2022,11,11]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>The usage of deep learning is being escalated in many applications. Due to its outstanding performance, it is being used in a variety of security and privacy-sensitive areas in addition to conventional applications. One of the key aspects of deep learning efficacy is to have abundant data. This trait leads to the usage of data which can be highly sensitive and private, which in turn causes wariness with regard to deep learning in the general public. Membership inference attacks are considered lethal as they can be used to figure out whether a piece of data belongs to the training dataset or not. This can be problematic with regard to leakage of training data information and its characteristics. To highlight the significance of these types of attacks, we propose an enhanced methodology for membership inference attacks based on adversarial robustness, by adjusting the directions of adversarial perturbations through label smoothing under a white-box setting. We evaluate our proposed method on three datasets: Fashion-MNIST, CIFAR-10 and CIFAR-100. Our experimental results reveal that the performance of our method surpasses that of the existing adversarial robustness-based method when attacking normally trained models. Additionally, through comparing our technique with the state-of-the-art metric-based membership inference methods, our proposed method also shows better performance when attacking adversarially trained models. The code for reproducing the results of this work is available at https:\/\/github.com\/plll4zzx\/Evaluating-Membership-Inference-Through-Adversarial-Robustness.<\/jats:p>","DOI":"10.1093\/comjnl\/bxac080","type":"journal-article","created":{"date-parts":[[2022,8,24]],"date-time":"2022-08-24T16:01:30Z","timestamp":1661356890000},"page":"2969-2978","source":"Crossref","is-referenced-by-count":15,"title":["Evaluating Membership Inference Through Adversarial Robustness"],"prefix":"10.1093","volume":"65","author":[{"given":"Zhaoxi","family":"Zhang","sequence":"first","affiliation":[{"name":"School of Computer and Information Science , Southwest University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Leo","family":"Yu Zhang","sequence":"additional","affiliation":[{"name":"School of Information Technology , Deakin University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Xufei","family":"Zheng","sequence":"additional","affiliation":[{"name":"School of Computer and Information Science , Southwest University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Bilal","family":"Hussain Abbasi","sequence":"additional","affiliation":[{"name":"School of Information Technology , Deakin University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Shengshan","family":"Hu","sequence":"additional","affiliation":[{"name":"School of Cyber Science and Engineering , Huazhong University of Science and Technology"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"286","published-online":{"date-parts":[[2022,10,3]]},"reference":[{"key":"2022111713012551600_ref1","doi-asserted-by":"crossref","first-page":"4960","DOI":"10.1109\/ICASSP.2016.7472621","volume-title":"2016 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP)","author":"Chan","year":"2016"},{"key":"2022111713012551600_ref2","doi-asserted-by":"crossref","DOI":"10.1088\/1741-2552\/aace8c","article-title":"Eegnet: A compact convolutional neural network for eeg-based brain\u2013computer interfaces","volume":"15","author":"Lawhern","year":"2018","journal-title":"J. Neural Eng."},{"key":"2022111713012551600_ref3","first-page":"4401","volume-title":"Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition","author":"Karras","year":"2019"},{"key":"2022111713012551600_ref4","first-page":"1822","article-title":"Hybrid network intrusion detection system for smart environments based on internet of things","volume":"62","author":"Subbarayalu","year":"2019","journal-title":"The Computer Journal"},{"key":"2022111713012551600_ref5","first-page":"4873","volume-title":"Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition","author":"Kemelmacher-Shlizerman","year":"2016"},{"key":"2022111713012551600_ref6","first-page":"815","volume-title":"Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition","author":"Schroff","year":"2015"},{"key":"2022111713012551600_ref7","doi-asserted-by":"crossref","first-page":"1170","DOI":"10.1001\/jamaophthalmol.2017.3782","article-title":"Automated grading of age-related macular degeneration from color fundus images using deep convolutional neural networks","volume":"135","author":"Burlina","year":"2017","journal-title":"JAMA Ophthalmology"},{"key":"2022111713012551600_ref8","doi-asserted-by":"crossref","first-page":"8","DOI":"10.1016\/j.csbj.2014.11.005","article-title":"Machine learning applications in cancer prognosis and prediction","volume":"13","author":"Kourou","year":"2015","journal-title":"Comput. Struct. Biotechnol. J."},{"key":"2022111713012551600_ref9","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3417978","article-title":"A survey of android malware detection with deep neural models","volume":"53","author":"Qiu","year":"2020","journal-title":"ACM Computing Surveys (CSUR)"},{"key":"2022111713012551600_ref10","doi-asserted-by":"crossref","first-page":"1825","DOI":"10.1109\/JPROC.2020.2993293","article-title":"Software vulnerability detection using deep neural networks: A survey","volume":"108","author":"Lin","year":"2020","journal-title":"Proc. IEEE"},{"key":"2022111713012551600_ref11","doi-asserted-by":"crossref","first-page":"987","DOI":"10.1109\/TIFS.2019.2932228","article-title":"Android HIV: A study of repackaging malware for evading machine-learning detection","volume":"15","author":"Chen","year":"2020","journal-title":"IEEE Transactions on Information Forensics and Security"},{"key":"2022111713012551600_ref12","doi-asserted-by":"crossref","first-page":"1744","DOI":"10.1109\/COMST.2018.2885561","article-title":"Data-driven cybersecurity incident prediction: A survey","volume":"21","author":"Sun","year":"2018","journal-title":"IEEE Communications Surveys & Tutorials"},{"key":"2022111713012551600_ref13","doi-asserted-by":"crossref","first-page":"1397","DOI":"10.1109\/COMST.2018.2800740","article-title":"Detecting and preventing cyber insider threats: A survey","volume":"20","author":"Liu","year":"2018","journal-title":"IEEE Communications Surveys & Tutorials"},{"key":"2022111713012551600_ref14","doi-asserted-by":"crossref","first-page":"602","DOI":"10.1093\/comjnl\/bxt044","article-title":"Mlh-ids: A multi-level hybrid intrusion detection method","volume":"57","author":"Gogoi","year":"2014","journal-title":"The Computer Journal"},{"key":"2022111713012551600_ref15","year":"2016"},{"key":"2022111713012551600_ref16","volume-title":"The Health Insurance Portability and Accountability Act of 1996 (HIPAA)","author":"Centers for Medicare & Medicaid Services","year":"1996"},{"key":"2022111713012551600_ref17","doi-asserted-by":"crossref","first-page":"3","DOI":"10.1109\/SP.2017.41","volume-title":"2017 IEEE Symposium on Security and Privacy (SP)","author":"Shokri","year":"2017"},{"key":"2022111713012551600_ref18","doi-asserted-by":"crossref","first-page":"268","DOI":"10.1109\/CSF.2018.00027","volume-title":"2018 IEEE 31st Computer Security Foundations Symposium (CSF)","author":"Yeom","year":"2018"},{"key":"2022111713012551600_ref19","doi-asserted-by":"crossref","first-page":"739","DOI":"10.1109\/SP.2019.00065","volume-title":"2019 IEEE Symposium on Security and Privacy (SP)","author":"Nasr","year":"2019"},{"key":"2022111713012551600_ref20","first-page":"1605","volume-title":"29th USENIX Security Symposium (USENIX Security 20)","author":"Leino","year":"2020"},{"key":"2022111713012551600_ref21","first-page":"5558","volume-title":"International Conference on Machine Learning","author":"Sablayrolles","year":"2019"},{"key":"2022111713012551600_ref22","first-page":"2615","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Song","year":"2021"},{"key":"2022111713012551600_ref23","doi-asserted-by":"crossref","first-page":"880","DOI":"10.1145\/3460120.3484575","volume-title":"Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security","author":"Li","year":"2021"},{"key":"2022111713012551600_ref24","first-page":"1964","volume-title":"International Conference on Machine Learning","author":"Choquette-Choo","year":"2021"},{"key":"2022111713012551600_ref25","volume-title":"International Conference on Learning Representations","author":"Szegedy","year":"2013"},{"key":"2022111713012551600_ref26","first-page":"2574","volume-title":"Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition","author":"Moosavi-Dezfooli","year":"2016"},{"key":"2022111713012551600_ref27","article-title":"Self-supervised adversarial example detection by disentangled representation","author":"Zhang","year":"2021"},{"key":"2022111713012551600_ref28","doi-asserted-by":"crossref","first-page":"2335","DOI":"10.1145\/3474085.3475396","volume-title":"Proceedings of the 29th ACM International Conference on Multimedia","author":"Hu","year":"2021"},{"key":"2022111713012551600_ref29","first-page":"2818","volume-title":"Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition","author":"Szegedy","year":"2016"},{"key":"2022111713012551600_ref30","article-title":"Distilling the knowledge in a neural network","author":"Hinton","year":"2015"},{"key":"2022111713012551600_ref31","volume-title":"International Conference on Learning Representations","author":"Goodfellow","year":"2015"},{"key":"2022111713012551600_ref32","volume-title":"International Conference on Learning Representations","author":"Madry","year":"2018"},{"key":"2022111713012551600_ref33","doi-asserted-by":"crossref","first-page":"39","DOI":"10.1109\/SP.2017.49","volume-title":"2017 IEEE Symposium on Security and Privacy (SP)","author":"Carlini","year":"2017"},{"key":"2022111713012551600_ref34","doi-asserted-by":"publisher","first-page":"3048","DOI":"10.1109\/TPAMI.2021.3055564","article-title":"Knowledge distillation and student-teacher learning for visual intelligence: A review and new outlooks","volume":"44","author":"Wang","year":"2021","journal-title":"IEEE Trans. Pattern Anal. Mach. Intell."},{"key":"2022111713012551600_ref35","article-title":"Fashion-mnist: A novel image dataset for benchmarking machine learning algorithms","author":"Xiao","year":"2017"},{"key":"2022111713012551600_ref36","article-title":"Learning multiple layers of features from tiny images","author":"Krizhevsky","year":"2009","journal-title":"Technical report."},{"key":"2022111713012551600_ref37","volume-title":"International Conference on Learning Representations","author":"Simonyan","year":"2015"}],"container-title":["The Computer Journal"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/comjnl\/article-pdf\/65\/11\/2969\/47089001\/bxac080.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/comjnl\/article-pdf\/65\/11\/2969\/47089001\/bxac080.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,11,17]],"date-time":"2022-11-17T13:02:09Z","timestamp":1668690129000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/comjnl\/article\/65\/11\/2969\/6746755"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,10,3]]},"references-count":37,"journal-issue":{"issue":"11","published-online":{"date-parts":[[2022,10,3]]},"published-print":{"date-parts":[[2022,11,11]]}},"URL":"https:\/\/doi.org\/10.1093\/comjnl\/bxac080","relation":{},"ISSN":["0010-4620","1460-2067"],"issn-type":[{"value":"0010-4620","type":"print"},{"value":"1460-2067","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2022,11]]},"published":{"date-parts":[[2022,10,3]]}}}