{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,11]],"date-time":"2026-05-11T22:46:27Z","timestamp":1778539587224,"version":"3.51.4"},"publisher-location":"New York, NY, USA","reference-count":51,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,12,4]],"date-time":"2023-12-04T00:00:00Z","timestamp":1701648000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100006374","name":"NSF (National Science Foundation)","doi-asserted-by":"publisher","award":["CNS-2220433,OAC-2319988"],"award-info":[{"award-number":["CNS-2220433,OAC-2319988"]}],"id":[{"id":"10.13039\/501100006374","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,12,4]]},"DOI":"10.1145\/3627106.3627189","type":"proceedings-article","created":{"date-parts":[[2023,12,2]],"date-time":"2023-12-02T18:13:22Z","timestamp":1701540802000},"page":"787-798","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":3,"title":["Mitigating Membership Inference Attacks via Weighted Smoothing"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-7454-9085","authenticated-orcid":false,"given":"Mingtian","family":"Tan","sequence":"first","affiliation":[{"name":"The University of Virginia, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1288-6502","authenticated-orcid":false,"given":"Xiaofei","family":"Xie","sequence":"additional","affiliation":[{"name":"Singapore Management University, Singapore"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3545-1392","authenticated-orcid":false,"given":"Jun","family":"Sun","sequence":"additional","affiliation":[{"name":"Singapore Management University, Singapore"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9017-7947","authenticated-orcid":false,"given":"Tianhao","family":"Wang","sequence":"additional","affiliation":[{"name":"The University of Virginia, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2023,12,4]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978318"},{"key":"e_1_3_2_1_2_1","volume-title":"Do deep nets really need to be deep?Advances in neural information processing systems 27","author":"Ba Jimmy","year":"2014","unstructured":"Jimmy Ba and Rich Caruana. 2014. Do deep nets really need to be deep?Advances in neural information processing systems 27 (2014)."},{"key":"e_1_3_2_1_3_1","volume-title":"Differential privacy has disparate impact on model accuracy. Advances in neural information processing systems 32","author":"Bagdasaryan Eugene","year":"2019","unstructured":"Eugene Bagdasaryan, Omid Poursaeed, and Vitaly Shmatikov. 2019. Differential privacy has disparate impact on model accuracy. Advances in neural information processing systems 32 (2019)."},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-53641-4_24"},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833649"},{"key":"e_1_3_2_1_6_1","unstructured":"Nicholas Carlini Ulfar Erlingsson and Nicolas Papernot. 2018. Prototypical examples in deep learning: Metrics characteristics and utility. (2018)."},{"key":"e_1_3_2_1_7_1","volume-title":"Distribution density, tails, and outliers in machine learning: Metrics and applications. arXiv preprint arXiv:1910.13427","author":"Carlini Nicholas","year":"2019","unstructured":"Nicholas Carlini, Ulfar Erlingsson, and Nicolas Papernot. 2019. Distribution density, tails, and outliers in machine learning: Metrics and applications. arXiv preprint arXiv:1910.13427 (2019)."},{"key":"e_1_3_2_1_8_1","volume-title":"The privacy onion effect: Memorization is relative. arXiv preprint arXiv:2206.10469","author":"Carlini Nicholas","year":"2022","unstructured":"Nicholas Carlini, Matthew Jagielski, Nicolas Papernot, Andreas Terzis, Florian Tramer, and Chiyuan Zhang. 2022. The privacy onion effect: Memorization is relative. arXiv preprint arXiv:2206.10469 (2022)."},{"key":"e_1_3_2_1_9_1","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Carlini Nicholas","year":"2021","unstructured":"Nicholas Carlini, Florian Tramer, Eric Wallace, Matthew Jagielski, Ariel Herbert-Voss, Katherine Lee, Adam Roberts, Tom Brown, Dawn Song, Ulfar Erlingsson, 2021. Extracting training data from large language models. In 30th USENIX Security Symposium (USENIX Security 21). 2633\u20132650."},{"key":"e_1_3_2_1_10_1","volume-title":"International Conference on Machine Learning. PMLR","author":"Choquette-Choo A","year":"2021","unstructured":"Christopher\u00a0A Choquette-Choo, Florian Tramer, Nicholas Carlini, and Nicolas Papernot. 2021. Label-only membership inference attacks. In International Conference on Machine Learning. PMLR, 1964\u20131974."},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3616592"},{"key":"e_1_3_2_1_12_1","volume-title":"Theory of cryptography conference","author":"Dwork Cynthia","unstructured":"Cynthia Dwork, Frank McSherry, Kobbi Nissim, and Adam Smith. 2006. Calibrating noise to sensitivity in private data analysis. In Theory of cryptography conference. Springer, 265\u2013284."},{"key":"e_1_3_2_1_13_1","volume-title":"2013. CIFAR-10 and CIFAR-100 dataset and analysis.. https:\/\/www.cs.toronto.edu\/\u00a0kriz\/cifar.html. [Online","author":"Krizhevsky","year":"2022","unstructured":"Krizhevsky et al.2013. CIFAR-10 and CIFAR-100 dataset and analysis.. https:\/\/www.cs.toronto.edu\/\u00a0kriz\/cifar.html. [Online; accessed 15-March-2022]."},{"key":"e_1_3_2_1_14_1","volume-title":"2021. CASIA-WebFace dataset introduction and source. https:\/\/paperswithcode.com\/dataset\/casia-webface. [Online","author":"Yi","year":"2022","unstructured":"Yi et al.2021. CASIA-WebFace dataset introduction and source. https:\/\/paperswithcode.com\/dataset\/casia-webface. [Online; accessed 5-March-2022]."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/3357713.3384290"},{"key":"e_1_3_2_1_16_1","first-page":"2881","article-title":"What neural networks memorize and why: Discovering the long tail via influence estimation","volume":"33","author":"Feldman Vitaly","year":"2020","unstructured":"Vitaly Feldman and Chiyuan Zhang. 2020. What neural networks memorize and why: Discovering the long tail via influence estimation. Advances in Neural Information Processing Systems 33 (2020), 2881\u20132891.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813677"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243834"},{"key":"e_1_3_2_1_19_1","volume-title":"Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572","author":"Goodfellow J","year":"2014","unstructured":"Ian\u00a0J Goodfellow, Jonathon Shlens, and Christian Szegedy. 2014. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572 (2014)."},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2909068"},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"e_1_3_2_1_22_1","volume-title":"Distilling the knowledge in a neural network. arXiv preprint arXiv:1503.02531 2, 7","author":"Hinton Geoffrey","year":"2015","unstructured":"Geoffrey Hinton, Oriol Vinyals, Jeff Dean, 2015. Distilling the knowledge in a neural network. arXiv preprint arXiv:1503.02531 2, 7 (2015)."},{"key":"e_1_3_2_1_23_1","volume-title":"Resolving individuals contributing trace amounts of DNA to highly complex mixtures using high-density SNP genotyping microarrays. PLoS genetics 4, 8","author":"Homer Nils","year":"2008","unstructured":"Nils Homer, Szabolcs Szelinger, Margot Redman, David Duggan, Waibhav Tembe, Jill Muehling, John\u00a0V Pearson, Dietrich\u00a0A Stephan, Stanley\u00a0F Nelson, and David\u00a0W Craig. 2008. Resolving individuals contributing trace amounts of DNA to highly complex mixtures using high-density SNP genotyping microarrays. PLoS genetics 4, 8 (2008), e1000167."},{"key":"e_1_3_2_1_24_1","volume-title":"Membership Inference Attacks on Machine Learning: A Survey. arXiv preprint arXiv:2103.07853","author":"Hu Hongsheng","year":"2021","unstructured":"Hongsheng Hu, Zoran Salcic, Gillian Dobbie, and Xuyun Zhang. 2021. Membership Inference Attacks on Machine Learning: A Survey. arXiv preprint arXiv:2103.07853 (2021)."},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.243"},{"key":"e_1_3_2_1_26_1","volume-title":"28th { USENIX} Security Symposium ({ USENIX} Security 19). 1895\u20131912.","author":"Jayaraman Bargav","unstructured":"Bargav Jayaraman and David Evans. 2019. Evaluating differentially private machine learning in practice. In 28th { USENIX} Security Symposium ({ USENIX} Security 19). 1895\u20131912."},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363201"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","unstructured":"Bogdan Kulynych and Mohammad Yaghini. 2018. mia: A library for running membership inference attacks against ML models. https:\/\/doi.org\/10.5281\/zenodo.1433744","DOI":"10.5281\/zenodo.1433744"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3422337.3447836"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484575"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243855"},{"key":"e_1_3_2_1_32_1","volume-title":"Sampling attacks: Amplification of membership inference attacks by repeated queries. arXiv preprint arXiv:2009.00395","author":"Rahimian Shadi","year":"2020","unstructured":"Shadi Rahimian, Tribhuvanesh Orekondy, and Mario Fritz. 2020. Sampling attacks: Amplification of membership inference attacks by repeated queries. arXiv preprint arXiv:2009.00395 (2020)."},{"key":"e_1_3_2_1_33_1","first-page":"61","article-title":"Membership Inference Attack against Differentially Private Deep Learning","volume":"11","author":"Rahman Md\u00a0Atiqur","year":"2018","unstructured":"Md\u00a0Atiqur Rahman, Tanzila Rahman, Robert Lagani\u00e8re, Noman Mohammed, and Yang Wang. 2018. Membership Inference Attack against Differentially Private Deep Learning Model.Trans. Data Priv. 11, 1 (2018), 61\u201379.","journal-title":"Model.Trans. Data Priv."},{"key":"e_1_3_2_1_34_1","volume-title":"Ml-leaks: Model and data independent membership inference attacks and defenses on machine learning models. arXiv preprint arXiv:1806.01246","author":"Salem Ahmed","year":"2018","unstructured":"Ahmed Salem, Yang Zhang, Mathias Humbert, Pascal Berrang, Mario Fritz, and Michael Backes. 2018. Ml-leaks: Model and data independent membership inference attacks and defenses on machine learning models. arXiv preprint arXiv:1806.01246 (2018)."},{"key":"e_1_3_2_1_35_1","volume-title":"Membership privacy for machine learning models through knowledge transfer. arXiv preprint arXiv:1906.06589","author":"Shejwalkar Virat","year":"2019","unstructured":"Virat Shejwalkar and Amir Houmansadr. 2019. Membership privacy for machine learning models through knowledge transfer. arXiv preprint arXiv:1906.06589 (2019)."},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.41"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134077"},{"key":"e_1_3_2_1_38_1","volume-title":"30th { USENIX} Security Symposium ({ USENIX} Security 21).","author":"Song Liwei","unstructured":"Liwei Song and Prateek Mittal. 2021. Systematic evaluation of privacy risks of machine learning models. In 30th { USENIX} Security Symposium ({ USENIX} Security 21)."},{"key":"e_1_3_2_1_39_1","volume-title":"Dropout: a simple way to prevent neural networks from overfitting. The journal of machine learning research 15, 1","author":"Srivastava Nitish","year":"2014","unstructured":"Nitish Srivastava, Geoffrey Hinton, Alex Krizhevsky, Ilya Sutskever, and Ruslan Salakhutdinov. 2014. Dropout: a simple way to prevent neural networks from overfitting. The journal of machine learning research 15, 1 (2014), 1929\u20131958."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.308"},{"key":"e_1_3_2_1_41_1","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Tang Xinyu","year":"2022","unstructured":"Xinyu Tang, Saeed Mahloujifar, Liwei Song, Virat Shejwalkar, Milad Nasr, Amir Houmansadr, and Prateek Mittal. 2022. Mitigating membership inference attacks by { Self-Distillation} through a novel ensemble architecture. In 31st USENIX Security Symposium (USENIX Security 22). 1433\u20131450."},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1109\/TPS-ISA48467.2019.00019"},{"key":"e_1_3_2_1_43_1","volume-title":"The HAM10000 dataset, a large collection of multi-source dermatoscopic images of common pigmented skin lesions. Scientific data 5, 1","author":"Tschandl Philipp","year":"2018","unstructured":"Philipp Tschandl, Cliff Rosendahl, and Harald Kittler. 2018. The HAM10000 dataset, a large collection of multi-source dermatoscopic images of common pigmented skin lesions. Scientific data 5, 1 (2018), 1\u20139."},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560675"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2018.00027"},{"key":"e_1_3_2_1_46_1","volume-title":"Journal of Physics: Conference Series, Vol.\u00a01168","author":"Ying Xue","year":"2022","unstructured":"Xue Ying. 2019. An overview of overfitting and its solutions. In Journal of Physics: Conference Series, Vol.\u00a01168. IOP Publishing, 022022."},{"key":"e_1_3_2_1_47_1","volume-title":"Opacus: User-Friendly Differential Privacy Library in PyTorch. arXiv preprint arXiv:2109.12298","author":"Yousefpour Ashkan","year":"2021","unstructured":"Ashkan Yousefpour, Igor Shilov, Alexandre Sablayrolles, Davide Testuggine, Karthik Prasad, Mani Malek, John Nguyen, Sayan Ghosh, Akash Bharadwaj, Jessica Zhao, Graham Cormode, and Ilya Mironov. 2021. Opacus: User-Friendly Differential Privacy Library in PyTorch. arXiv preprint arXiv:2109.12298 (2021)."},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00019"},{"key":"e_1_3_2_1_49_1","volume-title":"mixup: Beyond empirical risk minimization. arXiv preprint arXiv:1710.09412","author":"Zhang Hongyi","year":"2017","unstructured":"Hongyi Zhang, Moustapha Cisse, Yann\u00a0N Dauphin, and David Lopez-Paz. 2017. mixup: Beyond empirical risk minimization. arXiv preprint arXiv:1710.09412 (2017)."},{"key":"e_1_3_2_1_50_1","volume-title":"International Conference on Machine Learning. PMLR, 12674\u201312685","author":"Zhao Bo","year":"2021","unstructured":"Bo Zhao and Hakan Bilen. 2021. Dataset condensation with differentiable siamese augmentation. In International Conference on Machine Learning. PMLR, 12674\u201312685."},{"key":"e_1_3_2_1_51_1","volume-title":"Dataset Condensation with Gradient Matching.ICLR 1, 2","author":"Zhao Bo","year":"2021","unstructured":"Bo Zhao, Konda\u00a0Reddy Mopuri, and Hakan Bilen. 2021. Dataset Condensation with Gradient Matching.ICLR 1, 2 (2021), 3."}],"event":{"name":"ACSAC '23: Annual Computer Security Applications Conference","location":"Austin TX USA","acronym":"ACSAC '23"},"container-title":["Annual Computer Security Applications Conference"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3627106.3627189","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3627106.3627189","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T17:40:31Z","timestamp":1755884431000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3627106.3627189"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,12,4]]},"references-count":51,"alternative-id":["10.1145\/3627106.3627189","10.1145\/3627106"],"URL":"https:\/\/doi.org\/10.1145\/3627106.3627189","relation":{},"subject":[],"published":{"date-parts":[[2023,12,4]]},"assertion":[{"value":"2023-12-04","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}