{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,11]],"date-time":"2026-05-11T11:28:00Z","timestamp":1778498880154,"version":"3.51.4"},"reference-count":149,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2023,11,10]],"date-time":"2023-11-10T00:00:00Z","timestamp":1699574400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc\/4.0\/"}],"funder":[{"name":"Avast Software and the OP RDE"},{"DOI":"10.13039\/100018240","name":"Research Center for Informatics","doi-asserted-by":"crossref","award":["CZ.02.1.01\/0.0.\/0.0.\/16_019\/0000765"],"award-info":[{"award-number":["CZ.02.1.01\/0.0.\/0.0.\/16_019\/0000765"]}],"id":[{"id":"10.13039\/100018240","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Comput. Surv."],"published-print":{"date-parts":[[2024,4,30]]},"abstract":"<jats:p>As machine learning becomes more widely used, the need to study its implications in security and privacy becomes more urgent. Although the body of work in privacy has been steadily growing over the past few years, research on the privacy aspects of machine learning has received less focus than the security aspects. Our contribution in this research is an analysis of more than 45 papers related to privacy attacks against machine learning that have been published during the past seven years. We propose an attack taxonomy, together with a threat model that allows the categorization of different attacks based on the adversarial knowledge, and the assets under attack. An initial exploration of the causes of privacy leaks is presented, as well as a detailed analysis of the different attacks. 
Finally, we present an overview of the most commonly proposed defenses and a discussion of the open problems and future directions identified during our analysis.<\/jats:p>","DOI":"10.1145\/3624010","type":"journal-article","created":{"date-parts":[[2023,9,15]],"date-time":"2023-09-15T12:01:16Z","timestamp":1694779276000},"page":"1-34","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":165,"title":["A Survey of Privacy Attacks in Machine Learning"],"prefix":"10.1145","volume":"56","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0688-7752","authenticated-orcid":false,"given":"Maria","family":"Rigaki","sequence":"first","affiliation":[{"name":"Czech Technical University in Prague, Czech Republic"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6238-9910","authenticated-orcid":false,"given":"Sebastian","family":"Garcia","sequence":"additional","affiliation":[{"name":"Czech Technical University in Prague, Czech Republic"}]}],"member":"320","published-online":{"date-parts":[[2023,11,10]]},"reference":[{"key":"e_1_3_1_2_2","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978318"},{"key":"e_1_3_1_3_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSEC.2018.2888775"},{"key":"e_1_3_1_4_2","doi-asserted-by":"publisher","DOI":"10.1504\/IJSN.2015.071829"},{"key":"e_1_3_1_5_2","unstructured":"AT&T 1994. Database of Faces. Retrieved April 17 2020 from http:\/\/cam-orl.co.uk\/facedatabase.html"},{"key":"e_1_3_1_6_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3133972"},{"key":"e_1_3_1_7_2","first-page":"20120","volume-title":"Proceedings of the 34th Conference on Neural Information Processing Systems (NeurIPS\u201920)","volume":"33","author":"Barbalau Antonio","year":"2020","unstructured":"Antonio Barbalau, Adrian Cosma, Radu Tudor Ionescu, and Marius Popescu. 2020. Black-box ripper: copying black-box models using generative evolutionary algorithms. 
In Proceedings of the 34th Conference on Neural Information Processing Systems (NeurIPS\u201920), Vol. 33. 20120\u201320129."},{"key":"e_1_3_1_8_2","first-page":"5050","volume-title":"Advances in Neural Information Processing Systems","author":"Berthelot David","year":"2019","unstructured":"David Berthelot, Nicholas Carlini, Ian Goodfellow, Nicolas Papernot, Avital Oliver, and Colin A. Raffel. 2019. Mixmatch: A holistic approach to semi-supervised learning. In Advances in Neural Information Processing Systems. NeurIPS, 5050\u20135060."},{"key":"e_1_3_1_9_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.patcog.2018.07.023"},{"key":"e_1_3_1_10_2","doi-asserted-by":"publisher","DOI":"10.5555\/1162264"},{"key":"e_1_3_1_11_2","doi-asserted-by":"publisher","DOI":"10.1023\/A:1010933404324"},{"key":"e_1_3_1_12_2","first-page":"267","volume-title":"Proceedings of the 28th USENIX Security Symposium (USENIX Security\u201919)","author":"Carlini Nicholas","year":"2019","unstructured":"Nicholas Carlini, Chang Liu, \u00dalfar Erlingsson, Jernej Kos, and Dawn Song. 2019. The secret sharer: Evaluating and testing unintended memorization in neural networks. In Proceedings of the 28th USENIX Security Symposium (USENIX Security\u201919). USENIX Association, 267\u2013284."},{"key":"e_1_3_1_13_2","first-page":"2633","volume-title":"Proceedings of the 30th USENIX Security Symposium (USENIX Security\u201921)","author":"Carlini Nicholas","year":"2021","unstructured":"Nicholas Carlini, Florian Tram\u00e8r, Eric Wallace, Matthew Jagielski, Ariel Herbert-Voss, Katherine Lee, Adam Roberts, Tom Brown, Dawn Song, \u00dalfar Erlingsson, Alina Oprea, and Colin Raffel. 2021. Extracting training data from large language models. In Proceedings of the 30th USENIX Security Symposium (USENIX Security\u201921). 
USENIX Association, 2633\u20132650."},{"issue":"1847","key":"e_1_3_1_14_2","first-page":"536","article-title":"M\u00e9thode g\u00e9n\u00e9rale pour la r\u00e9solution des systemes d\u2019\u00e9quations simultan\u00e9es","volume":"25","author":"Cauchy Augustin","year":"1847","unstructured":"Augustin Cauchy et\u00a0al. 1847. M\u00e9thode g\u00e9n\u00e9rale pour la r\u00e9solution des systemes d\u2019\u00e9quations simultan\u00e9es. Comp. Rend. Sci. Paris 25, 1847 (1847), 536\u2013538.","journal-title":"Comp. Rend. Sci. Paris"},{"key":"e_1_3_1_15_2","unstructured":"Texas Health Care Information Collection Center. 2006-2009. Texas Inpatient Public Use Data File (PUDF). Retrieved April 17 2020 from https:\/\/www.dshs.texas.gov\/thcic\/hospitals\/Inpatientpudf.shtm"},{"key":"e_1_3_1_16_2","doi-asserted-by":"publisher","DOI":"10.5555\/3489212.3489286"},{"key":"e_1_3_1_17_2","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417238"},{"key":"e_1_3_1_18_2","doi-asserted-by":"publisher","DOI":"10.1145\/2939672.2939785"},{"key":"e_1_3_1_19_2","series-title":"Proceedings of Machine Learning Research","first-page":"1964","volume-title":"Proceedings of the 38th International Conference on Machine Learning","volume":"139","author":"Choquette-Choo Christopher A.","year":"2021","unstructured":"Christopher A. Choquette-Choo, Florian Tramer, Nicholas Carlini, and Nicolas Papernot. 2021. Label-only membership inference attacks. In Proceedings of the 38th International Conference on Machine Learning (Proceedings of Machine Learning Research, Vol. 139), Marina Meila and Tong Zhang (Eds.). 
PMLR, 1964\u20131974."},{"key":"e_1_3_1_20_2","doi-asserted-by":"publisher","DOI":"10.1056\/NEJMoa0809329"},{"key":"e_1_3_1_21_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.350"},{"key":"e_1_3_1_22_2","doi-asserted-by":"publisher","DOI":"10.1109\/IJCNN.2018.8489592"},{"key":"e_1_3_1_23_2","doi-asserted-by":"publisher","DOI":"10.5555\/2999134.2999271"},{"key":"e_1_3_1_24_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2009.5206848"},{"key":"e_1_3_1_25_2","unstructured":"Dheeru Dua and Casey Graff. 2017. UCI Machine Learning Repository. Retrieved April 17 2020 from http:\/\/archive.ics.uci.edu\/ml"},{"key":"e_1_3_1_26_2","doi-asserted-by":"publisher","DOI":"10.1561\/0400000042"},{"key":"e_1_3_1_27_2","doi-asserted-by":"publisher","DOI":"10.1111\/j.1469-1809.1936.tb02137.x"},{"key":"e_1_3_1_28_2","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813677"},{"key":"e_1_3_1_29_2","first-page":"17","volume-title":"Proceedings of the 23rd USENIX Security Symposium (USENIX Security\u201914)","author":"Fredrikson Matthew","year":"2014","unstructured":"Matthew Fredrikson, Eric Lantz, Somesh Jha, Simon Lin, David Page, and Thomas Ristenpart. 2014. Privacy in pharmacogenetics: An end-to-end case study of personalized warfarin dosing. In Proceedings of the 23rd USENIX Security Symposium (USENIX Security\u201914). USENIX Association, 17\u201332."},{"key":"e_1_3_1_30_2","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243834"},{"key":"e_1_3_1_31_2","doi-asserted-by":"publisher","DOI":"10.1109\/34.927464"},{"key":"e_1_3_1_32_2","first-page":"979","volume-title":"Proceedings of the 25th USENIX Security Symposium (USENIX Security\u201916)","author":"Gong Neil Zhenqiang","year":"2016","unstructured":"Neil Zhenqiang Gong and Bin Liu. 2016. You are who you know and how you behave: Attribute inference attacks via users\u2019 social friends and behaviors. In Proceedings of the 25th USENIX Security Symposium (USENIX Security\u201916). 
USENIX Association, 979\u2013995."},{"key":"e_1_3_1_33_2","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2021\/336"},{"key":"e_1_3_1_34_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10710-017-9314-z"},{"key":"e_1_3_1_35_2","doi-asserted-by":"publisher","DOI":"10.5555\/2969033.2969125"},{"key":"e_1_3_1_36_2","volume-title":"The Caltech 256","author":"Griffin Gregory","year":"2007","unstructured":"Gregory Griffin, Alex Holub, and Pietro Perona. 2007. The Caltech 256. Technical Report. Pasadena, CA."},{"key":"e_1_3_1_37_2","volume-title":"Social Science Research on Pornography","year":"2006","unstructured":"GSS. 2006. Social Science Research on Pornography. Retrieved April 17, 2020 from https:\/\/byuresearch.org\/ssrp\/downloads\/GSS.xls"},{"key":"e_1_3_1_38_2","doi-asserted-by":"publisher","DOI":"10.1145\/2827872"},{"key":"e_1_3_1_39_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP.2014.6855235"},{"key":"e_1_3_1_40_2","doi-asserted-by":"publisher","DOI":"10.2478\/popets-2019-0008"},{"key":"e_1_3_1_41_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58592-1_31"},{"key":"e_1_3_1_42_2","doi-asserted-by":"publisher","DOI":"10.1145\/3359789.3359824"},{"key":"e_1_3_1_43_2","unstructured":"Walt Hickey. 2014. DataLab: How Americans like their steak. Retrieved April 17 2020 from http:\/\/fivethirtyeight.com\/datalab\/how-americans-like-their-steak"},{"key":"e_1_3_1_44_2","doi-asserted-by":"publisher","DOI":"10.1109\/PST.2017.00023"},{"key":"e_1_3_1_45_2","doi-asserted-by":"publisher","DOI":"10.2478\/popets-2019-0067"},{"issue":"1","key":"e_1_3_1_46_2","article-title":"Neural networks for machine learning","volume":"264","author":"Hinton Geoffrey","year":"2012","unstructured":"Geoffrey Hinton, Nitsh Srivastava, and Kevin Swersky. 2012. Neural networks for machine learning. Coursera Video Lect. 
264, 1 (2012).","journal-title":"Coursera Video Lect."},{"key":"e_1_3_1_47_2","doi-asserted-by":"publisher","DOI":"10.1162\/tacl_a_00299"},{"key":"e_1_3_1_48_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134012"},{"key":"e_1_3_1_49_2","volume-title":"Proceedings of the Workshop on Faces in \u201cReal-life\u201d Images: Detection, Alignment, and Recognition","author":"Huang Gary B.","year":"2008","unstructured":"Gary B. Huang, Marwan Mattar, Tamara Berg, and Eric Learned-Miller. 2008. Labeled faces in the wild: A database for studying face recognition in unconstrained environments. In Proceedings of the Workshop on Faces in \u201cReal-life\u201d Images: Detection, Alignment, and Recognition. Erik Learned-Miller and Andras Ferencz and Fr\u00e9d\u00e9ric Jurie, HAL. Retrieved from https:\/\/hal.inria.fr\/inria-00321923"},{"key":"e_1_3_1_50_2","unstructured":"International Conference on Spoken Language Translation 2015. IWSLT Evaluation 2015. Retrieved April 17 2020 from https:\/\/sites.google.com\/site\/iwsltevaluation2015"},{"key":"e_1_3_1_51_2","doi-asserted-by":"publisher","DOI":"10.5555\/3489212.3489288"},{"key":"e_1_3_1_52_2","first-page":"1895","volume-title":"Proceedings of the 28th USENIX Security Symposium (USENIX Security\u201919)","author":"Jayaraman Bargav","year":"2019","unstructured":"Bargav Jayaraman and David Evans. 2019. Evaluating differentially private machine learning in practice. In Proceedings of the 28th USENIX Security Symposium (USENIX Security\u201919). USENIX Association, 1895\u20131912."},{"key":"e_1_3_1_53_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSEC.2020.3039941"},{"key":"e_1_3_1_54_2","first-page":"513","volume-title":"Proceedings of the 27th USENIX Security Symposium (USENIX Security\u201918)","author":"Jia Jinyuan","year":"2018","unstructured":"Jinyuan Jia and Neil Zhenqiang Gong. 2018. AttriGuard: A practical defense against attribute inference attacks via adversarial machine learning. 
In Proceedings of the 27th USENIX Security Symposium (USENIX Security\u201918). USENIX Association, 513\u2013529."},{"key":"e_1_3_1_55_2","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363201"},{"key":"e_1_3_1_56_2","doi-asserted-by":"publisher","DOI":"10.1038\/sdata.2016.35"},{"key":"e_1_3_1_57_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2019.00044"},{"key":"e_1_3_1_58_2","volume-title":"Acquire Valued Shoppers Challenge","year":"2014","unstructured":"Kaggle. 2014. Acquire Valued Shoppers Challenge. Retrieved April 17, 2020 from https:\/\/www.kaggle.com\/c\/acquire-valued-shoppers-challenge\/data"},{"key":"e_1_3_1_59_2","unstructured":"Kaggle. 2015. Diabetic Retinopathy Detection. Retrieved April 17 2020 from https:\/\/www.kaggle.com\/c\/diabetic-retinopathy-detection"},{"key":"e_1_3_1_60_2","doi-asserted-by":"publisher","DOI":"10.1145\/3037697.3037698"},{"key":"e_1_3_1_61_2","first-page":"3149","volume-title":"Proceedings of the 31st International Conference on Neural Information Processing Systems (NIPS\u201917)","author":"Ke Guolin","year":"2017","unstructured":"Guolin Ke, Qi Meng, Thomas Finley, Taifeng Wang, Wei Chen, Weidong Ma, Qiwei Ye, and Tie-Yan Liu. 2017. LightGBM: A highly efficient gradient boosting decision tree. In Proceedings of the 31st International Conference on Neural Information Processing Systems (NIPS\u201917). Curran Associates, 3149\u20133157."},{"key":"e_1_3_1_62_2","unstructured":"Diederik P. Kingma and Jimmy Ba. 2014. Adam: A method for stochastic optimization. Retrieved from https:\/\/arXiv:1412.6980"},{"key":"e_1_3_1_63_2","volume-title":"Proceedings of the 2nd International Conference on Learning Representations (ICLR\u201914)","volume":"1","author":"Kingma Diederik P.","year":"2014","unstructured":"Diederik P. Kingma and Max Welling. 2014. Auto-encoding variational bayes. In Proceedings of the 2nd International Conference on Learning Representations (ICLR\u201914), Vol. 1. 
ICLR."},{"key":"e_1_3_1_64_2","volume-title":"Proceedings of the 8th International Conference on Learning Representations (ICLR\u201920)","author":"Krishna Kalpesh","year":"2020","unstructured":"Kalpesh Krishna, Gaurav Singh Tomar, Ankur P. Parikh, Nicolas Papernot, and Mohit Iyyer. 2020. Thieves on sesame street! Model extraction of BERT-based APIs. In Proceedings of the 8th International Conference on Learning Representations (ICLR\u201920). ICLR, Virtual Conference."},{"key":"e_1_3_1_65_2","unstructured":"Alex Krizhevsky Geoffrey Hinton et\u00a0al. 2009. Learning multiple layers of features from tiny images. MSc thesis. http:\/\/www.cs.utoronto.ca\/kriz\/learning-features-2009-TR.pdf"},{"key":"e_1_3_1_66_2","unstructured":"Yann LeCun Corinna Cortes and Christopher J. C. Burges. 1998. The MNIST database of handwritten digits. Retrieved April 17 2020 from http:\/\/yann.lecun.com\/exdb\/mnist\/"},{"key":"e_1_3_1_67_2","first-page":"1605","volume-title":"Proceedings of the 29th USENIX Security Symposium (USENIX Security\u201920)","author":"Leino Klas","year":"2020","unstructured":"Klas Leino and Matt Fredrikson. 2020. Stolen memories: Leveraging model memorization for calibrated white-box membership inference. In Proceedings of the 29th USENIX Security Symposium (USENIX Security\u201920). 1605\u20131622."},{"key":"e_1_3_1_68_2","unstructured":"Tian Li Anit Kumar Sahu Ameet Talwalkar and Virginia Smith. 2019. Federated learning: Challenges methods and future directions. 
Retrieved from https:\/\/1908.07873"},{"key":"e_1_3_1_69_2","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484575"},{"key":"e_1_3_1_70_2","doi-asserted-by":"publisher","DOI":"10.1007\/BF01589116"},{"key":"e_1_3_1_71_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134056"},{"key":"e_1_3_1_72_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACPR.2015.7486599"},{"key":"e_1_3_1_73_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.3045078"},{"key":"e_1_3_1_74_2","unstructured":"Yugeng Liu Rui Wen Xinlei He Ahmed Salem Zhikun Zhang Michael Backes Emiliano De Cristofaro Mario Fritz and Yang Zhang. 2021. ML-doctor: Holistic risk assessment of inference attacks against machine learning models. Retrieved from https:\/\/arXiv:2102.02551"},{"key":"e_1_3_1_75_2","unstructured":"Yunhui Long Vincent Bindschaedler Lei Wang Diyue Bu Xiaofeng Wang Haixu Tang Carl A. Gunter and Kai Chen. 2018. Understanding membership inferences on well-generalized learning models. Retrieved from https:\/\/arXiv:1802.04889"},{"key":"e_1_3_1_76_2","doi-asserted-by":"publisher","unstructured":"Ellen Goeleven Rudi De Raedt Lemke Leyman and Bruno Verschuere. 2008. The Karolinska directed emotional faces: A validation study. Cognition and Emotion 22 6 (2008) 1094\u20131118. DOI:10.1080\/02699930701626582","DOI":"10.1080\/02699930701626582"},{"key":"e_1_3_1_77_2","volume-title":"Proceedings of the International Workshop on Spoken Language Translation","author":"Luong Minh-Thang","year":"2015","unstructured":"Minh-Thang Luong and Christopher D. Manning. 2015. Stanford neural machine translation systems for spoken language domain. 
In Proceedings of the International Workshop on Spoken Language Translation."},{"key":"e_1_3_1_78_2","volume-title":"Proceedings of the 6th International Conference on Learning Representations (ICLR\u201918)","author":"Madry Aleksander","year":"2018","unstructured":"Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2018. Towards deep learning models resistant to adversarial attacks. In Proceedings of the 6th International Conference on Learning Representations (ICLR\u201918). ICLR."},{"key":"e_1_3_1_79_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.00140"},{"key":"e_1_3_1_80_2","unstructured":"Matt Mahoney. [n.d.]. Large Text Compression Benchmark. Retrieved March 8 2021 from http:\/\/mattmahoney.net\/dc\/text.html"},{"key":"e_1_3_1_81_2","doi-asserted-by":"publisher","DOI":"10.1145\/3332184"},{"key":"e_1_3_1_82_2","doi-asserted-by":"publisher","DOI":"10.5555\/972470.972475"},{"key":"e_1_3_1_83_2","series-title":"Proceedings of Machine Learning Research","first-page":"1273","volume-title":"Proceedings of the 20th International Conference on Artificial Intelligence and Statistics","volume":"54","author":"McMahan Brendan","year":"2017","unstructured":"Brendan McMahan, Eider Moore, Daniel Ramage, Seth Hampson, and Blaise Aguera y Arcas. 2017. Communication-efficient learning of deep networks from decentralized data. In Proceedings of the 20th International Conference on Artificial Intelligence and Statistics (Proceedings of Machine Learning Research, Vol. 54), Aarti Singh and Jerry Zhu (Eds.). PMLR, 1273\u20131282."},{"key":"e_1_3_1_84_2","volume-title":"Proceedings of the 6th International Conference on Learning Representations (ICLR\u201918)","author":"McMahan Brendan","year":"2018","unstructured":"Brendan McMahan, Daniel Ramage, Kunal Talwar, and Li Zhang. 2018. Learning differentially private recurrent language models. 
In Proceedings of the 6th International Conference on Learning Representations (ICLR\u201918). ICLR."},{"key":"e_1_3_1_85_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00029"},{"key":"e_1_3_1_86_2","unstructured":"Stephen Merity Caiming Xiong James Bradbury and Richard Socher. 2016. Pointer sentinel mixture models. Retrieved from https:\/\/arXiv:1609.07843"},{"key":"e_1_3_1_87_2","doi-asserted-by":"publisher","DOI":"10.1145\/3287560.3287562"},{"key":"e_1_3_1_88_2","volume-title":"Proceedings of the ICML Workshop on Graph Representation Learning and Beyond (GRL+\u201920)","author":"Morris Christopher","year":"2020","unstructured":"Christopher Morris, Nils M. Kriege, Franka Bause, Kristian Kersting, Petra Mutzel, and Marion Neumann. 2020. TUDataset: A collection of benchmark datasets for learning with graphs. In Proceedings of the ICML Workshop on Graph Representation Learning and Beyond (GRL+\u201920). www.graphlearning.io"},{"key":"e_1_3_1_89_2","volume-title":"Machine Learning: A Probabilistic Perspective","author":"Murphy Kevin P.","year":"2012","unstructured":"Kevin P. Murphy. 2012. Machine Learning: A Probabilistic Perspective. MIT Press, Cambridge, MA."},{"key":"e_1_3_1_90_2","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243855"},{"key":"e_1_3_1_91_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00065"},{"key":"e_1_3_1_92_2","unstructured":"Netflix 2009. Netflix prize. Retrieved April 17 2020 from https:\/\/www.netflixprize.com"},{"key":"e_1_3_1_93_2","volume-title":"Proceedings of the NIPS Workshop on Deep Learning and Unsupervised Feature Learning","author":"Netzer Yuval","year":"2011","unstructured":"Yuval Netzer, Tao Wang, Adam Coates, Alessandro Bissacco, Bo Wu, and Andrew Y. Ng. 2011. Reading digits in natural images with unsupervised feature learning. In Proceedings of the NIPS Workshop on Deep Learning and Unsupervised Feature Learning. 
NIPS, Granada, Spain."},{"key":"e_1_3_1_94_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICIP.2014.7025068"},{"key":"e_1_3_1_95_2","doi-asserted-by":"publisher","DOI":"10.5555\/3157382.3157477"},{"key":"e_1_3_1_96_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICVGIP.2008.47"},{"key":"e_1_3_1_97_2","volume-title":"Numerical Optimization","author":"Nocedal Jorge","year":"2006","unstructured":"Jorge Nocedal and Stephen J Wright. 2006. Numerical Optimization. Springer, Berlin."},{"key":"e_1_3_1_98_2","volume-title":"Proceedings of the 6th International Conference on Learning Representations (ICLR\u201918)","author":"Oh Seong Joon","year":"2018","unstructured":"Seong Joon Oh, Max Augustin, Mario Fritz, and Bernt Schiele. 2018. Towards reverse-engineering black-box neural networks. In Proceedings of the 6th International Conference on Learning Representations (ICLR\u201918). ICLR."},{"key":"e_1_3_1_99_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00509"},{"key":"e_1_3_1_100_2","volume-title":"Proceedings of the 8th International Conference on Learning Representations (ICLR\u201920)","author":"Orekondy Tribhuvanesh","year":"2020","unstructured":"Tribhuvanesh Orekondy, Bernt Schiele, and Mario Fritz. 2020. Prediction poisoning: Towards defenses against DNN model stealing attacks. 
In Proceedings of the 8th International Conference on Learning Representations (ICLR\u201920)."},{"key":"e_1_3_1_101_2","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i01.5432"},{"key":"e_1_3_1_102_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00095"},{"key":"e_1_3_1_103_2","doi-asserted-by":"publisher","DOI":"10.3115\/1219840.1219855"},{"key":"e_1_3_1_104_2","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3053009"},{"key":"e_1_3_1_105_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2018.00035"},{"key":"e_1_3_1_106_2","doi-asserted-by":"publisher","DOI":"10.1016\/0041-5553(64)90137-5"},{"issue":"1","key":"e_1_3_1_107_2","first-page":"61","article-title":"Membership inference attack against differentially private deep learning model.","volume":"11","author":"Rahman Md Atiqur","year":"2018","unstructured":"Md Atiqur Rahman, Tanzila Rahman, Robert Lagani\u00e8re, Noman Mohammed, and Yang Wang. 2018. Membership inference attack against differentially private deep learning model. Trans. Data Priv. 11, 1 (2018), 61\u201379.","journal-title":"Trans. Data Priv."},{"key":"e_1_3_1_108_2","doi-asserted-by":"publisher","DOI":"10.1214\/aoms\/1177729586"},{"key":"e_1_3_1_109_2","series-title":"Proceedings of Machine Learning Research","first-page":"5558","volume-title":"Proceedings of the 36th International Conference on Machine Learning","volume":"97","author":"Sablayrolles Alexandre","year":"2019","unstructured":"Alexandre Sablayrolles, Matthijs Douze, Cordelia Schmid, Yann Ollivier, and Herve Jegou. 2019. White-box vs black-box: Bayes optimal strategies for membership inference. In Proceedings of the 36th International Conference on Machine Learning (Proceedings of Machine Learning Research, Vol. 97), Kamalika Chaudhuri and Ruslan Salakhutdinov (Eds.). 
PMLR, 5558\u20135567."},{"key":"e_1_3_1_110_2","first-page":"1291","volume-title":"Proceedings of the 29th USENIX Security Symposium (USENIX Security\u201920)","author":"Salem Ahmed","year":"2020","unstructured":"Ahmed Salem, Apratim Bhattacharya, Michael Backes, Mario Fritz, and Yang Zhang. 2020. Updates-leak: Data set inference and reconstruction attacks in online learning. In Proceedings of the 29th USENIX Security Symposium (USENIX Security\u201920). USENIX Association, 1291\u20131308."},{"key":"e_1_3_1_111_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23119"},{"key":"e_1_3_1_112_2","doi-asserted-by":"publisher","DOI":"10.1073\/pnas.0602562103"},{"key":"e_1_3_1_113_2","volume-title":"Proceedings of the 6th International Conference on Learning Representations (ICLR\u201918)","author":"Sener Ozan","year":"2018","unstructured":"Ozan Sener and Silvio Savarese. 2018. Active learning for convolutional neural networks: A core-set approach. In Proceedings of the 6th International Conference on Learning Representations (ICLR\u201918)."},{"key":"e_1_3_1_114_2","doi-asserted-by":"publisher","DOI":"10.1017\/CBO9781107298019"},{"key":"e_1_3_1_115_2","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978392"},{"key":"e_1_3_1_116_2","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813687"},{"key":"e_1_3_1_117_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.41"},{"key":"e_1_3_1_118_2","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417270"},{"key":"e_1_3_1_119_2","doi-asserted-by":"publisher","DOI":"10.1145\/3292500.3330885"},{"key":"e_1_3_1_120_2","volume-title":"Proceedings of the 8th International Conference on Learning Representations (ICLR\u201920)","author":"Song Congzheng","year":"2020","unstructured":"Congzheng Song and Vitaly Shmatikov. 2020. Overlearning reveals sensitive attributes. 
In Proceedings of the 8th International Conference on Learning Representations (ICLR\u201920)."},{"key":"e_1_3_1_121_2","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354211"},{"key":"e_1_3_1_122_2","doi-asserted-by":"publisher","DOI":"10.5555\/2627435.2670313"},{"key":"e_1_3_1_123_2","doi-asserted-by":"publisher","DOI":"10.1109\/IJCNN.2011.6033395"},{"key":"e_1_3_1_124_2","volume-title":"Reinforcement Learning: An Introduction","author":"Sutton Richard S.","year":"2018","unstructured":"Richard S. Sutton and Andrew G. Barto. 2018. Reinforcement Learning: An Introduction. MIT Press, Cambridge, MA."},{"key":"e_1_3_1_125_2","first-page":"601","volume-title":"Proceedings of the 25th USENIX Security Symposium (USENIX Security\u201916)","author":"Tram\u00e8r Florian","year":"2016","unstructured":"Florian Tram\u00e8r, Fan Zhang, Ari Juels, Michael K. Reiter, and Thomas Ristenpart. 2016. Stealing machine learning models via prediction APIs. In Proceedings of the 25th USENIX Security Symposium (USENIX Security\u201916). USENIX Association, 601\u2013618."},{"key":"e_1_3_1_126_2","doi-asserted-by":"publisher","unstructured":"Stacey Truex Ling Liu Mehmet Emre Gursoy Lei Yu and Wenqi Wei. 2021. Demystifying membership Inference attacks in machine learning as a service. IEEE Transactions on Services Computing 14 6 (2021) 2073\u20132089. DOI:10.1109\/TSC.2019.2897554","DOI":"10.1109\/TSC.2019.2897554"},{"key":"e_1_3_1_127_2","doi-asserted-by":"publisher","DOI":"10.5555\/2986916.2987018"},{"key":"e_1_3_1_128_2","doi-asserted-by":"publisher","DOI":"10.1098\/rsta.2018.0083"},{"key":"e_1_3_1_129_2","first-page":"3081","volume-title":"Proceedings of the 9th International Conference on Language Resources and Evaluation (LREC\u201914)","author":"Verhoeven Ben","year":"2014","unstructured":"Ben Verhoeven and Walter Daelemans. 2014. CLiPS stylometry investigation (CSI) corpus: A Dutch corpus for the detection of age, gender, personality, sentiment and deception in text. 
In Proceedings of the 9th International Conference on Language Resources and Evaluation (LREC\u201914). European Language Resources Association (ELRA), 3081\u20133085."},{"key":"e_1_3_1_130_2","unstructured":"VoxForge 2009. VoxForge Speech Corpus. Retrieved April 17 2020 from http:\/\/www.voxforge.org\/"},{"key":"e_1_3_1_131_2","volume-title":"The Caltech UCSD Birds-200-2011 Dataset","author":"Wah Catherine","year":"2011","unstructured":"Catherine Wah, Steve Branson, Peter Welinder, Pietro Perona, and Serge Belongie. 2011. The Caltech UCSD Birds-200-2011 Dataset. Technical Report. Pasadena, CA."},{"key":"e_1_3_1_132_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00038"},{"key":"e_1_3_1_133_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jpdc.2019.03.003"},{"key":"e_1_3_1_134_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.369"},{"key":"e_1_3_1_135_2","doi-asserted-by":"publisher","DOI":"10.1109\/INFOCOM.2019.8737416"},{"key":"e_1_3_1_136_2","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2016.32"},{"key":"e_1_3_1_137_2","unstructured":"Han Xiao Kashif Rasul and Roland Vollgraf. 2017. Fashion-mnist: A novel image dataset for benchmarking machine learning algorithms. Retrieved from https:\/\/arXiv:1708.07747"},{"key":"e_1_3_1_138_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2015.05.010"},{"key":"e_1_3_1_139_2","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354261"},{"key":"e_1_3_1_140_2","unstructured":"Yelp. [n.d.]. Yelp Open Dataset. Retrieved April 17 2020 from https:\/\/www.yelp.com\/dataset"},{"key":"e_1_3_1_141_2","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2018.00027"},{"key":"e_1_3_1_142_2","unstructured":"Jason Yosinski Jeff Clune Anh Nguyen Thomas Fuchs and Hod Lipson. 2015. Understanding neural networks through deep visualization. 
Retrieved from https:\/\/arXiv:1506.06579"},{"key":"e_1_3_1_143_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24178"},{"key":"e_1_3_1_144_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2019.00156"},{"key":"e_1_3_1_145_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2015.7299113"},{"key":"e_1_3_1_146_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00033"},{"key":"e_1_3_1_147_2","volume-title":"Proceedings of the 31st USENIX Security Symposium (USENIX Security\u201922)","author":"Zhang Zhikun","year":"2022","unstructured":"Zhikun Zhang, Min Chen, Michael Backes, Yun Shen, and Yang Zhang. 2022. Inference attacks against graph neural networks. In Proceedings of the 31st USENIX Security Symposium (USENIX Security\u201922). USENIX Association."},{"key":"e_1_3_1_148_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-29959-0_4"},{"key":"e_1_3_1_149_2","volume-title":"Deep Leakage from Gradients","author":"Zhu Ligeng","year":"2019","unstructured":"Ligeng Zhu, Zhijian Liu, and Song Han. 2019. Deep Leakage from Gradients. 
Curran Associates."},{"key":"e_1_3_1_150_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2015.11"}],"container-title":["ACM Computing Surveys"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3624010","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3624010","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:36:06Z","timestamp":1750178166000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3624010"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,11,10]]},"references-count":149,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2024,4,30]]}},"alternative-id":["10.1145\/3624010"],"URL":"https:\/\/doi.org\/10.1145\/3624010","relation":{},"ISSN":["0360-0300","1557-7341"],"issn-type":[{"value":"0360-0300","type":"print"},{"value":"1557-7341","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,11,10]]},"assertion":[{"value":"2020-07-28","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-09-02","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-11-10","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}