{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,30]],"date-time":"2025-12-30T15:38:58Z","timestamp":1767109138041,"version":"3.44.0"},"publisher-location":"New York, NY, USA","reference-count":55,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,11,26]],"date-time":"2023-11-26T00:00:00Z","timestamp":1700956800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Bavarian State Ministry for Science and the Arts"},{"name":"Technical University of Munich\/Imperial College London Joint Academy for Doctoral Studies"},{"name":"German Federal Ministry of Education and Research"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,11,30]]},"DOI":"10.1145\/3605764.3623906","type":"proceedings-article","created":{"date-parts":[[2023,11,21]],"date-time":"2023-11-21T12:12:17Z","timestamp":1700568737000},"page":"43-53","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":5,"title":["Membership Inference Attacks Against Semantic Segmentation Models"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0000-3272-9996","authenticated-orcid":false,"given":"Tomas","family":"Chobola","sequence":"first","affiliation":[{"name":"Technical University of Munich, Munich, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0179-6138","authenticated-orcid":false,"given":"Dmitrii","family":"Usynin","sequence":"additional","affiliation":[{"name":"Technical University of Munich &amp; Imperial College London, Munich, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8382-8062","authenticated-orcid":false,"given":"Georgios","family":"Kaissis","sequence":"additional","affiliation":[{"name":"Technical University of Munich, Helmholtz Zentrum M\u00fcnchen, &amp; Imperial College London, Munich, Germany"}]}],"member":"320","published-online":{"date-parts":[[2023,11,26]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978318"},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10462-020-09854-1"},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.image.2019.01.005"},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833649"},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417238"},{"key":"e_1_3_2_1_6_1","volume-title":"Targeted backdoor attacks on deep learning systems using data poisoning. arXiv preprint arXiv:1712.05526","author":"Chen Xinyun","year":"2017","unstructured":"Xinyun Chen, Chang Liu, Bo Li, Kimberly Lu, and Dawn Song. 2017. Targeted backdoor attacks on deep learning systems using data poisoning. arXiv preprint arXiv:1712.05526 (2017)."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.01190"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","unstructured":"Tomas Chobola Dmitrii Usynin and Georgios Kaissis. 2023. Appendix Figure and Tables for Membership Inference Attacks Against Semantic Segmentation Models. https:\/\/doi.org\/10.6084\/m9.figshare.24222655","DOI":"10.6084\/m9.figshare.24222655"},{"key":"e_1_3_2_1_9_1","volume-title":"International conference on machine learning. PMLR","author":"Choquette-Choo Christopher A","year":"2021","unstructured":"Christopher A Choquette-Choo, Florian Tramer, Nicholas Carlini, and Nicolas Papernot. 2021. Label-only membership inference attacks. In International conference on machine learning. PMLR, 1964--1974."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.350"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2009.5206848"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.01175"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.5555\/1791834.1791836"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.02021"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2909068"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1007\/978--3-030--58592--1_31"},{"key":"e_1_3_2_1_17_1","unstructured":"Geoffrey Hinton Oriol Vinyals Jeff Dean et al. 2015. Distilling the knowledge in a neural network. arXiv preprint arXiv:1503.02531 Vol. 2 7 (2015)."},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.patrec.2018.12.021"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1109\/IJCNN52387.2021.9534381"},{"key":"e_1_3_2_1_20_1","first-page":"12080","article-title":"Metapoison: Practical general-purpose clean-label data poisoning","volume":"33","author":"Huang W Ronny","year":"2020","unstructured":"W Ronny Huang, Jonas Geiping, Liam Fowl, Gavin Taylor, and Tom Goldstein. 2020. Metapoison: Practical general-purpose clean-label data poisoning. Advances in Neural Information Processing Systems , Vol. 33 (2020), 12080--12091.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_21_1","volume-title":"Neil Zhenqiang Gong, and Yinzhi Cao","author":"Hui Bo","year":"2021","unstructured":"Bo Hui, Yuchen Yang, Haolin Yuan, Philippe Burlina, Neil Zhenqiang Gong, and Yinzhi Cao. 2021. Practical blind membership inference attack via differential comparisons. arXiv preprint arXiv:2101.01341 (2021)."},{"key":"e_1_3_2_1_22_1","volume-title":"International conference on machine learning. PMLR, 5345--5355","author":"Kaya Yigitcan","year":"2021","unstructured":"Yigitcan Kaya and Tudor Dumitras. 2021. When Does Data Augmentation Help With Membership Inference Attacks?. In International conference on machine learning. PMLR, 5345--5355."},{"key":"e_1_3_2_1_23_1","volume-title":"Stolen Memories: Leveraging Model Memorization for Calibrated $$White-Box$$ Membership Inference. In 29th USENIX security symposium (USENIX Security 20). 1605--1622.","author":"Leino Klas","year":"2020","unstructured":"Klas Leino and Matt Fredrikson. 2020. Stolen Memories: Leveraging Model Memorization for Calibrated $$White-Box$$ Membership Inference. In 29th USENIX security symposium (USENIX Security 20). 1605--1622."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/3422337.3447836"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1109\/TNNLS.2020.2995319"},{"key":"e_1_3_2_1_26_1","volume-title":"Hidden backdoor attack against semantic segmentation models. arXiv preprint arXiv:2103.04038","author":"Li Yiming","year":"2021","unstructured":"Yiming Li, Yanjie Li, Yalei Lv, Yong Jiang, and Shu-Tao Xia. 2021b. Hidden backdoor attack against semantic segmentation models. arXiv preprint arXiv:2103.04038 (2021)."},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.01615"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.3390\/s21041434"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3423362"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58607-2_11"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i07.6832"},{"key":"e_1_3_2_1_32_1","volume-title":"Towards measuring membership privacy. arXiv preprint arXiv:1712.09136","author":"Long Yunhui","year":"2017","unstructured":"Yunhui Long, Vincent Bindschaedler, and Carl A Gunter. 2017. Towards measuring membership privacy. arXiv preprint arXiv:1712.09136 (2017)."},{"key":"e_1_3_2_1_33_1","volume-title":"Understanding membership inferences on well-generalized learning models. arXiv preprint arXiv:1802.04889","author":"Long Yunhui","year":"2018","unstructured":"Yunhui Long, Vincent Bindschaedler, Lei Wang, Diyue Bu, Xiaofeng Wang, Haixu Tang, Carl A Gunter, and Kai Chen. 2018. Understanding membership inferences on well-generalized learning models. arXiv preprint arXiv:1802.04889 (2018)."},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243855"},{"key":"e_1_3_2_1_35_1","volume-title":"WaNet--Imperceptible Warping-based Backdoor Attack. arXiv preprint arXiv:2102.10369","author":"Nguyen Anh","year":"2021","unstructured":"Anh Nguyen and Anh Tran. 2021. WaNet--Imperceptible Warping-based Backdoor Attack. arXiv preprint arXiv:2102.10369 (2021)."},{"key":"e_1_3_2_1_36_1","volume-title":"Joint European conference on machine learning and knowledge discovery in databases. Springer, 5--15","author":"Paudice Andrea","year":"2018","unstructured":"Andrea Paudice, Luis Mu noz-Gonz\u00e1lez, and Emil C Lupu. 2018. Label sanitization against label flipping poisoning attacks. In Joint European conference on machine learning and knowledge discovery in databases. Springer, 5--15."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/3193289"},{"key":"e_1_3_2_1_38_1","volume-title":"Ml-leaks: Model and data independent membership inference attacks and defenses on machine learning models. arXiv preprint arXiv:1806.01246","author":"Salem Ahmed","year":"2018","unstructured":"Ahmed Salem, Yang Zhang, Mathias Humbert, Pascal Berrang, Mario Fritz, and Michael Backes. 2018. Ml-leaks: Model and data independent membership inference attacks and defenses on machine learning models. arXiv preprint arXiv:1806.01246 (2018)."},{"key":"e_1_3_2_1_39_1","volume-title":"Poison frogs! targeted clean-label poisoning attacks on neural networks. Advances in neural information processing systems","author":"Shafahi Ali","year":"2018","unstructured":"Ali Shafahi, W Ronny Huang, Mahyar Najibi, Octavian Suciu, Christoph Studer, Tudor Dumitras, and Tom Goldstein. 2018. Poison frogs! targeted clean-label poisoning attacks on neural networks. Advances in neural information processing systems , Vol. 31 (2018)."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v35i11.17150"},{"key":"e_1_3_2_1_41_1","volume-title":"International MICCAI Brainlesion Workshop. Springer, 92--104","author":"Sheller Micah J","year":"2018","unstructured":"Micah J Sheller, G Anthony Reina, Brandon Edwards, Jason Martin, and Spyridon Bakas. 2018. Multi-institutional deep learning modeling without sharing patient data: A feasibility study on brain tumor segmentation. In International MICCAI Brainlesion Workshop. Springer, 92--104."},{"volume-title":"2020 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 175--183","author":"Reza","key":"e_1_3_2_1_42_1","unstructured":"Reza Shokri et al. 2020. Bypassing backdoor detection algorithms in deep learning. In 2020 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 175--183."},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.41"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","unstructured":"Amber L. Simpson Michela Antonelli Spyridon Bakas Michel Bilello Keyvan Farahani Bram van Ginneken Annette Kopp-Schneider Bennett A. Landman Geert Litjens Bjoern Menze Olaf Ronneberger Ronald M. Summers Patrick Bilic Patrick F. Christ Richard K. G. Do Marc Gollub Jennifer Golia-Pernicka Stephan H. Heckers William R. Jarnagin Maureen K. McHugo Sandy Napel Eugene Vorontsov Lena Maier-Hein and M. Jorge Cardoso. 2019. A large annotated medical image dataset for the development and evaluation of segmentation algorithms. https:\/\/doi.org\/10.48550\/ARXIV.1902.09063","DOI":"10.48550\/ARXIV.1902.09063"},{"key":"e_1_3_2_1_45_1","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Song Liwei","year":"2021","unstructured":"Liwei Song and Prateek Mittal. 2021. Systematic evaluation of privacy risks of machine learning models. In 30th USENIX Security Symposium (USENIX Security 21). 2615--2632."},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.media.2020.101693"},{"key":"e_1_3_2_1_47_1","volume-title":"Data and model dependencies of membership inference attack. arXiv preprint arXiv:2002.06856","author":"Tonni Shakila Mahjabin","year":"2020","unstructured":"Shakila Mahjabin Tonni, Dinusha Vatsalan, Farhad Farokhi, Dali Kaafar, Zhigang Lu, and Gioacchino Tangari. 2020. Data and model dependencies of membership inference attack. arXiv preprint arXiv:2002.06856 (2020)."},{"key":"e_1_3_2_1_48_1","volume-title":"Hoang Le, Matthew Jagielski, Sanghyun Hong, and Nicholas Carlini.","author":"Tram\u00e8r Florian","year":"2022","unstructured":"Florian Tram\u00e8r, Reza Shokri, Ayrton San Joaquin, Hoang Le, Matthew Jagielski, Sanghyun Hong, and Nicholas Carlini. 2022. Truth Serum: Poisoning Machine Learning Models to Reveal Their Secrets. arXiv preprint arXiv:2204.00032 (2022)."},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.2478\/popets-2022-0014"},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-87193-2_4"},{"key":"e_1_3_2_1_51_1","volume-title":"Proceedings on Privacy Enhancing Technologies","author":"Yaghini M","year":"2022","unstructured":"M Yaghini, B Kulynych, Giovanni Cherubin, Michael Veale, and Carmela Troncoso. 2022. Disparate Vulnerability to Membership Inference Attacks. Proceedings on Privacy Enhancing Technologies (2022)."},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354209"},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","unstructured":"Samuel Yeom Irene Giacomelli Matt Fredrikson and Somesh Jha. 2017. Privacy Risk in Machine Learning: Analyzing the Connection to Overfitting. https:\/\/doi.org\/10.48550\/ARXIV.1709.01604","DOI":"10.48550\/ARXIV.1709.01604"},{"volume-title":"Privacy risk in machine learning: Analyzing the connection to overfitting. In 2018 IEEE 31st computer security foundations symposium (CSF)","author":"Yeom Samuel","key":"e_1_3_2_1_54_1","unstructured":"Samuel Yeom, Irene Giacomelli, Matt Fredrikson, and Somesh Jha. 2018. Privacy risk in machine learning: Analyzing the connection to overfitting. In 2018 IEEE 31st computer security foundations symposium (CSF). IEEE, 268--282."},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.compbiomed.2021.104392"}],"event":{"name":"CCS '23: ACM SIGSAC Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Copenhagen Denmark","acronym":"CCS '23"},"container-title":["Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3605764.3623906","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3605764.3623906","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,23]],"date-time":"2025-08-23T01:36:25Z","timestamp":1755912985000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3605764.3623906"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,11,26]]},"references-count":55,"alternative-id":["10.1145\/3605764.3623906","10.1145\/3605764"],"URL":"https:\/\/doi.org\/10.1145\/3605764.3623906","relation":{},"subject":[],"published":{"date-parts":[[2023,11,26]]},"assertion":[{"value":"2023-11-26","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}