{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,21]],"date-time":"2026-04-21T15:26:11Z","timestamp":1776785171835,"version":"3.51.2"},"publisher-location":"New York, NY, USA","reference-count":48,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,10,16]],"date-time":"2023-10-16T00:00:00Z","timestamp":1697414400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"the National Natural Science Foundation of China","award":["62202066"],"award-info":[{"award-number":["62202066"]}]},{"name":"the National Natural Science Foundation of China","award":["62102040"],"award-info":[{"award-number":["62102040"]}]},{"name":"the National Natural Science Foundation of China","award":["62002028"],"award-info":[{"award-number":["62002028"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,10,16]]},"DOI":"10.1145\/3607199.3607204","type":"proceedings-article","created":{"date-parts":[[2023,10,3]],"date-time":"2023-10-03T22:30:51Z","timestamp":1696372251000},"page":"222-235","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":7,"title":["Efficient Membership Inference Attacks against Federated Learning via Bias Differences"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0002-5581-6552","authenticated-orcid":false,"given":"Liwei","family":"Zhang","sequence":"first","affiliation":[{"name":"Key Laboratory of Trustworthy Distributed Computing and Service (MoE), Beijing University of Posts and Telecommunications, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7614-3142","authenticated-orcid":false,"given":"Linghui","family":"Li","sequence":"additional","affiliation":[{"name":"Key Laboratory of Trustworthy Distributed Computing and Service (MoE), Beijing University of Posts and Telecommunications, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5597-9306","authenticated-orcid":false,"given":"Xiaoyong","family":"Li","sequence":"additional","affiliation":[{"name":"Key Laboratory of Trustworthy Distributed Computing and Service (MoE), Beijing University of Posts and Telecommunications, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7084-5952","authenticated-orcid":false,"given":"Binsi","family":"Cai","sequence":"additional","affiliation":[{"name":"Key Laboratory of Trustworthy Distributed Computing and Service (MoE), Beijing University of Posts and Telecommunications, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0458-8481","authenticated-orcid":false,"given":"Yali","family":"Gao","sequence":"additional","affiliation":[{"name":"Key Laboratory of Trustworthy Distributed Computing and Service (MoE), Beijing University of Posts and Telecommunications, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-3638-7966","authenticated-orcid":false,"given":"Ruobin","family":"Dou","sequence":"additional","affiliation":[{"name":"China Mobile Group Tianjin Co.,Itd., China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-3845-8128","authenticated-orcid":false,"given":"Luying","family":"Chen","sequence":"additional","affiliation":[{"name":"HAOHAN Data Technology Co.,ltd, China"}]}],"member":"320","published-online":{"date-parts":[[2023,10,16]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978318"},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1017\/S1351324920000510"},{"key":"e_1_3_2_1_3_1","volume-title":"Byzantine-tolerant machine learning. arXiv preprint arXiv:1703.02757","author":"Blanchard Peva","year":"2017","unstructured":"Peva Blanchard, El\u00a0Mahdi\u00a0El Mhamdi, Rachid Guerraoui, and Julien Stainer. 2017. Byzantine-tolerant machine learning. arXiv preprint arXiv:1703.02757 (2017)."},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00986"},{"key":"e_1_3_2_1_5_1","volume-title":"Knowledge Cross-Distillation for Membership Privacy. arXiv preprint arXiv:2111.01363","author":"Chourasia Rishav","year":"2021","unstructured":"Rishav Chourasia, Batnyam Enkhtaivan, Kunihiro Ito, Junki Mori, Isamu Teranishi, and Hikaru Tsuchida. 2021. Knowledge Cross-Distillation for Membership Privacy. arXiv preprint arXiv:2111.01363 (2021)."},{"key":"e_1_3_2_1_6_1","unstructured":"Corinna Cortes Mehryar Mohri and Afshin Rostamizadeh. 2012. L2 regularization for learning kernels. arXiv preprint arXiv:1205.2653."},{"key":"e_1_3_2_1_7_1","volume-title":"33rd International Colloquium, ICALP 2006, Venice, Italy, July 10-14, 2006, Proceedings, Part II 33","author":"Dwork Cynthia","year":"2006","unstructured":"Cynthia Dwork. 2006. Differential privacy. In Automata, Languages and Programming: 33rd International Colloquium, ICALP 2006, Venice, Italy, July 10-14, 2006, Proceedings, Part II 33. Springer, 1\u201312."},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813677"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1002\/widm.1216"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243834"},{"key":"e_1_3_2_1_11_1","volume-title":"Learning to Incorporate Texture Saliency Adaptive Attention to Image Cartoonization. arXiv preprint arXiv:2208.01587","author":"Gao Xiang","year":"2022","unstructured":"Xiang Gao, Yuqi Zhang, and Yingjie Tian. 2022. Learning to Incorporate Texture Saliency Adaptive Attention to Image Cartoonization. arXiv preprint arXiv:2208.01587 (2022)."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"e_1_3_2_1_13_1","volume-title":"Resolving individuals contributing trace amounts of DNA to highly complex mixtures using high-density SNP genotyping microarrays. PLoS genetics 4, 8","author":"Homer Nils","year":"2008","unstructured":"Nils Homer, Szabolcs Szelinger, Margot Redman, David Duggan, Waibhav Tembe, Jill Muehling, John\u00a0V Pearson, Dietrich\u00a0A Stephan, Stanley\u00a0F Nelson, and David\u00a0W Craig. 2008. Resolving individuals contributing trace amounts of DNA to highly complex mixtures using high-density SNP genotyping microarrays. PLoS genetics 4, 8 (2008), e1000167."},{"key":"e_1_3_2_1_14_1","volume-title":"International Conference on Machine Learning. PMLR, 2790\u20132799","author":"Houlsby Neil","year":"2019","unstructured":"Neil Houlsby, Andrei Giurgiu, Stanislaw Jastrzebski, Bruna Morrone, Quentin De\u00a0Laroussilhe, Andrea Gesmundo, Mona Attariyan, and Sylvain Gelly. 2019. Parameter-efficient transfer learning for NLP. In International Conference on Machine Learning. PMLR, 2790\u20132799."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/3523273"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICDM51629.2021.00129"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.243"},{"key":"e_1_3_2_1_18_1","volume-title":"Practical blind membership inference attack via differential comparisons. arXiv preprint arXiv:2101.01341","author":"Hui Bo","year":"2021","unstructured":"Bo Hui, Yuchen Yang, Haolin Yuan, Philippe Burlina, Neil\u00a0Zhenqiang Gong, and Yinzhi Cao. 2021. Practical blind membership inference attack via differential comparisons. arXiv preprint arXiv:2101.01341 (2021)."},{"key":"e_1_3_2_1_19_1","unstructured":"Alex Krizhevsky Geoffrey Hinton 2009. Learning multiple layers of features from tiny images. (2009)."},{"key":"e_1_3_2_1_20_1","volume-title":"Regularization for deep learning: A taxonomy. arXiv preprint arXiv:1710.10686","author":"Kuka\u010dka Jan","year":"2017","unstructured":"Jan Kuka\u010dka, Vladimir Golkov, and Daniel Cremers. 2017. Regularization for deep learning: A taxonomy. arXiv preprint arXiv:1710.10686 (2017)."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v36i10.21353"},{"key":"e_1_3_2_1_22_1","volume-title":"Deep learning. nature 521, 7553","author":"LeCun Yann","year":"2015","unstructured":"Yann LeCun, Yoshua Bengio, and Geoffrey Hinton. 2015. Deep learning. nature 521, 7553 (2015), 436\u2013444."},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00044"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484575"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2022.3180828"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560684"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP48549.2020.00040"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"crossref","unstructured":"Gabor Lugosi and Shahar Mendelson. 2021. Robust multivariate mean estimation: the optimality of trimmed mean. (2021).","DOI":"10.1214\/20-AOS1961"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00029"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00065"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1111\/j.1467-9868.2007.00607.x"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICDM51629.2021.00157"},{"key":"e_1_3_2_1_33_1","volume-title":"Perfectly Accurate Membership Inference by a Dishonest Central Server in Federated Learning. arXiv preprint arXiv:2203.16463","author":"Pichler Georg","year":"2022","unstructured":"Georg Pichler, Marco Romanelli, Leonardo\u00a0Rey Vega, and Pablo Piantanida. 2022. Perfectly Accurate Membership Inference by a Dishonest Central Server in Federated Learning. arXiv preprint arXiv:2203.16463 (2022)."},{"key":"e_1_3_2_1_34_1","volume-title":"Ml-leaks: Model and data independent membership inference attacks and defenses on machine learning models. arXiv preprint arXiv:1806.01246","author":"Salem Ahmed","year":"2018","unstructured":"Ahmed Salem, Yang Zhang, Mathias Humbert, Pascal Berrang, Mario Fritz, and Michael Backes. 2018. Ml-leaks: Model and data independent membership inference attacks and defenses on machine learning models. arXiv preprint arXiv:1806.01246 (2018)."},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00474"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.41"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/TVCG.2021.3067201"},{"key":"e_1_3_2_1_38_1","volume-title":"Very deep convolutional networks for large-scale image recognition. arXiv preprint arXiv:1409.1556","author":"Simonyan Karen","year":"2014","unstructured":"Karen Simonyan and Andrew Zisserman. 2014. Very deep convolutional networks for large-scale image recognition. arXiv preprint arXiv:1409.1556 (2014)."},{"key":"e_1_3_2_1_39_1","volume-title":"Information privacy research: an interdisciplinary review. MIS quarterly","author":"Smith H\u00a0Jeff","year":"2011","unstructured":"H\u00a0Jeff Smith, Tamara Dinev, and Heng Xu. 2011. Information privacy research: an interdisciplinary review. MIS quarterly (2011), 989\u20131015."},{"key":"e_1_3_2_1_40_1","volume-title":"USENIX Security Symposium, Vol.\u00a01. 4.","author":"Song Liwei","year":"2021","unstructured":"Liwei Song and Prateek Mittal. 2021. Systematic Evaluation of Privacy Risks of Machine Learning Models.. In USENIX Security Symposium, Vol.\u00a01. 4."},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354211"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1109\/TKDE.2020.3025580"},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00811"},{"key":"e_1_3_2_1_44_1","volume-title":"Privacy risk in machine learning: Analyzing the connection to overfitting. In 2018 IEEE 31st computer security foundations symposium (CSF)","author":"Yeom Samuel","unstructured":"Samuel Yeom, Irene Giacomelli, Matt Fredrikson, and Somesh Jha. 2018. Privacy risk in machine learning: Analyzing the connection to overfitting. In 2018 IEEE 31st computer security foundations symposium (CSF). IEEE, 268\u2013282."},{"key":"e_1_3_2_1_45_1","volume-title":"International Conference on Machine Learning. PMLR, 5650\u20135659","author":"Yin Dong","year":"2018","unstructured":"Dong Yin, Yudong Chen, Ramchandran Kannan, and Peter Bartlett. 2018. Byzantine-robust distributed learning: Towards optimal statistical rates. In International Conference on Machine Learning. PMLR, 5650\u20135659."},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v35i12.17284"},{"key":"e_1_3_2_1_47_1","volume-title":"Label-Only Membership Inference Attacks and Defenses In Semantic Segmentation Models","author":"Zhang Guangsheng","year":"2022","unstructured":"Guangsheng Zhang, Bo Liu, Tianqing Zhu, Ming Ding, and Wanlei Zhou. 2022. Label-Only Membership Inference Attacks and Defenses In Semantic Segmentation Models. IEEE Transactions on Dependable and Secure Computing (2022)."},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/TCYB.2021.3050508"}],"event":{"name":"RAID 2023: The 26th International Symposium on Research in Attacks, Intrusions and Defenses","location":"Hong Kong China","acronym":"RAID 2023"},"container-title":["Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3607199.3607204","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3607199.3607204","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:37:34Z","timestamp":1750178254000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3607199.3607204"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,10,16]]},"references-count":48,"alternative-id":["10.1145\/3607199.3607204","10.1145\/3607199"],"URL":"https:\/\/doi.org\/10.1145\/3607199.3607204","relation":{},"subject":[],"published":{"date-parts":[[2023,10,16]]},"assertion":[{"value":"2023-10-16","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}