{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,30]],"date-time":"2025-12-30T11:55:14Z","timestamp":1767095714086,"version":"3.48.0"},"publisher-location":"New York, NY, USA","reference-count":48,"publisher":"ACM","funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["CNS-2247795"],"award-info":[{"award-number":["CNS-2247795"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Office of Naval Research","award":["N00014-22-1-2680"],"award-info":[{"award-number":["N00014-22-1-2680"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,10,13]]},"DOI":"10.1145\/3733799.3762977","type":"proceedings-article","created":{"date-parts":[[2025,12,30]],"date-time":"2025-12-30T11:38:49Z","timestamp":1767094729000},"page":"182-193","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Ensembling Membership Inference Attacks Against Tabular Generative Models"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0002-0817-2379","authenticated-orcid":false,"given":"Joshua","family":"Ward","sequence":"first","affiliation":[{"name":"University of California Los Angeles, Los Angeles, California, USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-1577-4698","authenticated-orcid":false,"given":"Yuxuan","family":"Yang","sequence":"additional","affiliation":[{"name":"Stanford University, Palo Alto, USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-0866-0070","authenticated-orcid":false,"given":"Chi-Hua","family":"Wang","sequence":"additional","affiliation":[{"name":"University of California Los Angeles, Los Angeles, California, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7874-9404","authenticated-orcid":false,"given":"Guang","family":"Cheng","sequence":"additional","affiliation":[{"name":"University of California Los Angeles, Los Angeles, California, USA"}]}],"member":"320","published-online":{"date-parts":[[2025,12,30]]},"reference":[{"key":"e_1_3_3_2_2_2","unstructured":"Meenatchi Sundaram Muthu\u00a0Selva Annamalai Borja Balle Jamie Hayes Georgios Kaissis and Emiliano\u00a0De Cristofaro. 2025. The Hitchhiker\u2019s Guide to Efficient End-to-End and Tight DP Auditing. arxiv:https:\/\/arXiv.org\/abs\/2506.16666\u00a0[cs.CR] https:\/\/arxiv.org\/abs\/2506.16666"},{"key":"e_1_3_3_2_3_2","unstructured":"Bernd Bischl Giuseppe Casalicchio Matthias Feurer Frank Hutter Michel Lang Rafael\u00a0G. Mantovani Jan\u00a0N. van Rijn and Joaquin Vanschoren. 2019. OpenML Benchmarking Suites."},{"key":"e_1_3_3_2_4_2","unstructured":"Vadim Borisov Kathrin Se\u00dfler Tobias Leemann Martin Pawelczyk and Gjergji Kasneci. 2023. Language Models are Realistic Tabular Data Generators. arxiv:https:\/\/arXiv.org\/abs\/2210.06280\u00a0[cs.LG] https:\/\/arxiv.org\/abs\/2210.06280"},{"key":"e_1_3_3_2_5_2","doi-asserted-by":"crossref","unstructured":"Nicholas Carlini Steve Chien Milad Nasr Shuang Song A. Terzis and Florian Tram\u00e8r. 2021. Membership Inference Attacks From First Principles. 1897-1914\u00a0pages. https:\/\/api.semanticscholar.org\/CorpusID:244920593","DOI":"10.1109\/SP46214.2022.9833649"},{"key":"e_1_3_3_2_6_2","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417238"},{"key":"e_1_3_3_2_7_2","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v39i23.34697"},{"key":"e_1_3_3_2_8_2","unstructured":"Lingxi Cui Huan Li Ke Chen Lidan Shou and Gang Chen. 2024. Tabular Data Augmentation for Machine Learning: Progress and Prospects of Embracing Generative AI. arxiv:https:\/\/arXiv.org\/abs\/2407.21523\u00a0[cs.LG] https:\/\/arxiv.org\/abs\/2407.21523"},{"key":"e_1_3_3_2_9_2","first-page":"7627","volume-title":"Advances in Neural Information Processing Systems","author":"Durkan Conor","year":"2019","unstructured":"Conor Durkan, Artur Bekasov, Iain Murray, and George Papamakarios. 2019. Neural spline flows. In Advances in Neural Information Processing Systems , Vol.\u00a032. Curran Associates Inc., Vancouver, Canada, 7627\u20137638."},{"key":"e_1_3_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1007\/11681878_14"},{"key":"e_1_3_3_2_11_2","doi-asserted-by":"publisher","DOI":"10.7551\/mitpress\/7503.003.0038"},{"key":"e_1_3_3_2_12_2","unstructured":"Steven Golob Sikha Pentyala Anuar Maratkhan and Martine\u00a0De Cock. 2024. Privacy Vulnerabilities in Marginals-based Synthetic Data. arxiv:https:\/\/arXiv.org\/abs\/2410.05506\u00a0[cs.CR] https:\/\/arxiv.org\/abs\/2410.05506"},{"key":"e_1_3_3_2_13_2","unstructured":"Florent Gu\u00e9pin Nata\u0161a Kr\u010do Matthieu Meeus and Yves-Alexandre de Montjoye. 2024. Lost in the Averages: A New Specific Setup to Evaluate Membership Inference Attacks Against Machine Learning Models. arxiv:https:\/\/arXiv.org\/abs\/2405.15423\u00a0[cs.LG] https:\/\/arxiv.org\/abs\/2405.15423"},{"key":"e_1_3_3_2_14_2","doi-asserted-by":"crossref","unstructured":"Jamie Hayes Luca Melis George Danezis and Emiliano\u00a0De Cristofaro. 2017. LOGAN: Membership Inference Attacks Against Generative Models. Proceedings on Privacy Enhancing Technologies 2019 (2017) 133 \u2013 152. https:\/\/api.semanticscholar.org\/CorpusID:52211986","DOI":"10.2478\/popets-2019-0008"},{"key":"e_1_3_3_2_15_2","doi-asserted-by":"crossref","unstructured":"Benjamin Hilprecht Martin H\u00e4rterich and Daniel Bernau. 2019. Monte Carlo and Reconstruction Membership Inference Attacks against Generative Models. Proceedings on Privacy Enhancing Technologies 2019 (2019) 232 \u2013 249. https:\/\/api.semanticscholar.org\/CorpusID:199546273","DOI":"10.2478\/popets-2019-0067"},{"key":"e_1_3_3_2_16_2","unstructured":"Florimond Houssiau James Jordon Samuel\u00a0N Cohen Owen Daniel Andrew Elliott James Geddes Callum Mole Camila Rangel-Smith and Lukasz Szpruch. 2022. Tapas: a toolbox for adversarial privacy auditing of synthetic data."},{"key":"e_1_3_3_2_17_2","unstructured":"Hongsheng Hu Zoran Salcic Lichao Sun Gillian Dobbie Philip\u00a0S. Yu and Xuyun Zhang. 2022. Membership Inference Attacks on Machine Learning: A Survey. arxiv:https:\/\/arXiv.org\/abs\/2103.07853\u00a0[cs.LG] https:\/\/arxiv.org\/abs\/2103.07853"},{"key":"e_1_3_3_2_18_2","series-title":"(NIPS \u201920)","volume-title":"Proceedings of the 34th International Conference on Neural Information Processing Systems","author":"Jagielski Matthew","year":"2020","unstructured":"Matthew Jagielski, Jonathan Ullman, and Alina Oprea. 2020. Auditing differentially private machine learning: how private is private SGD?. In Proceedings of the 34th International Conference on Neural Information Processing Systems (Vancouver, BC, Canada) (NIPS \u201920). Curran Associates Inc., Red Hook, NY, USA, Article 1862, 12\u00a0pages."},{"key":"e_1_3_3_2_19_2","unstructured":"Mishaal Kazmi Hadrien Lautraite Alireza Akbari Qiaoyue Tang Mauricio Soroco Tao Wang S\u00e9bastien Gambs and Mathias L\u00e9cuyer. 2024. PANORAMIA: Privacy Auditing of Machine Learning Models without Retraining. arxiv:https:\/\/arXiv.org\/abs\/2402.09477\u00a0[cs.CR] https:\/\/arxiv.org\/abs\/2402.09477"},{"key":"e_1_3_3_2_20_2","doi-asserted-by":"publisher","unstructured":"J.\u00a0Z. Kolter Hariharan Manikandan and Yiding Jiang. 2023. Language models are weak learners. 10.48550\/arXiv.2306.14101","DOI":"10.48550\/arXiv.2306.14101"},{"key":"e_1_3_3_2_21_2","unstructured":"Akim Kotelnikov Dmitry Baranchuk Ivan Rubachev and Artem Babenko. 2022. TabDDPM: Modelling Tabular Data with Diffusion Models. arxiv:https:\/\/arXiv.org\/abs\/2209.15421\u00a0[cs.LG]"},{"key":"e_1_3_3_2_22_2","unstructured":"Qinyi Liu Mohammad Khalil Ronas Shakya and Jelena Jovanovic. 2024. Scaling While Privacy Preserving: A Comprehensive Synthetic Tabular Data Generation and Evaluation in Learning Analytics. arxiv:https:\/\/arXiv.org\/abs\/2401.06883\u00a0[cs.CR] https:\/\/arxiv.org\/abs\/2401.06883"},{"key":"e_1_3_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSPCC.2011.6061781"},{"key":"e_1_3_3_2_24_2","doi-asserted-by":"crossref","unstructured":"Yixin Liu Thalaiyasingam Ajanthan Hisham Husain and Vu Nguyen. 2024. Self-supervision improves diffusion models for tabular data imputation.","DOI":"10.1145\/3627673.3679829"},{"key":"e_1_3_3_2_25_2","first-page":"1288","volume-title":"Proceedings of the Annual Conference of the Cognitive Science Society","author":"Matsuda Noboru","year":"2009","unstructured":"Noboru Matsuda, Andrew Lee, William\u00a0W. Cohen, and Kenneth\u00a0R. Koedinger. 2009. A Computational Model of How Learner Errors Arise from Weak Prior Knowledge. In Proceedings of the Annual Conference of the Cognitive Science Society. Cognitive Science Society, Austin, TX, USA, 1288\u20131293. https:\/\/escholarship.org\/uc\/item\/[paper_id]"},{"key":"e_1_3_3_2_26_2","doi-asserted-by":"publisher","unstructured":"Ibtissam Medarhri Chaimae Chekira J.\u00a0M.\u00a0C. de Gea and Mohamed Hosni. 2025. Constructing Ensembles: A Diversity-Driven Approach with Correlation and Q-Statistics. 6\u00a0pages. 10.1109\/AI2E64943.2025.10983592","DOI":"10.1109\/AI2E64943.2025.10983592"},{"key":"e_1_3_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-51476-0_19"},{"key":"e_1_3_3_2_28_2","doi-asserted-by":"crossref","unstructured":"Fatemehsadat Mireshghallah Kartik Goyal Archit Uniyal Taylor Berg-Kirkpatrick and Reza Shokri. 2022. Quantifying Privacy Risks of Masked Language Models Using Membership Inference Attacks. arxiv:https:\/\/arXiv.org\/abs\/2203.03929\u00a0[cs.LG] https:\/\/arxiv.org\/abs\/2203.03929","DOI":"10.18653\/v1\/2022.emnlp-main.570"},{"key":"e_1_3_3_2_29_2","unstructured":"Vamsi\u00a0K. Potluru Daniel Borrajo Andrea Coletta Niccol\u00f2 Dalmasso Yousef El-Laham Elizabeth Fons Mohsen Ghassemi Sriram Gopalakrishnan Vikesh Gosai Eleonora Krea\u010di\u0107 Ganapathy Mani Saheed Obitayo Deepak Paramanand Natraj Raman Mikhail Solonin Srijan Sood Svitlana Vyetrenko Haibei Zhu Manuela Veloso and Tucker Balch. 2024. Synthetic Data Applications in Finance. arxiv:https:\/\/arXiv.org\/abs\/2401.00081\u00a0[cs.LG] https:\/\/arxiv.org\/abs\/2401.00081"},{"key":"e_1_3_3_2_30_2","doi-asserted-by":"publisher","unstructured":"Zhaozhi Qian Bogdan-Constantin Cebere and Mihaela van\u00a0der Schaar. 2023. Synthcity: facilitating innovative use cases of synthetic data in different data modalities. 10.48550\/ARXIV.2301.07573","DOI":"10.48550\/ARXIV.2301.07573"},{"key":"e_1_3_3_2_31_2","series-title":"Proceedings of Machine Learning Research","first-page":"5558","volume-title":"Proceedings of the 36th International Conference on Machine Learning","volume":"97","author":"Sablayrolles Alexandre","year":"2019","unstructured":"Alexandre Sablayrolles, Matthijs Douze, Cordelia Schmid, Yann Ollivier, and Herv\u00e9 J\u00e9gou. 2019. White-box vs black-box: Bayes optimal strategies for membership inference. In Proceedings of the 36th International Conference on Machine Learning(Proceedings of Machine Learning Research, Vol.\u00a097). PMLR, Long Beach, CA, USA, 5558\u20135567."},{"key":"e_1_3_3_2_32_2","doi-asserted-by":"publisher","unstructured":"R. Schapire. 2004. The strength of weak learnability. Machine Learning 5 (2004) 197\u2013227. 10.1007\/BF00116037","DOI":"10.1007\/BF00116037"},{"key":"e_1_3_3_2_33_2","unstructured":"Aivin\u00a0V Solatorio and Olivier Dupriez. 2023. Realtabformer: Generating realistic relational and tabular data using transformers."},{"key":"e_1_3_3_2_34_2","first-page":"1451","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Stadler Theresa","year":"2022","unstructured":"Theresa Stadler, Bristena Oprisanu, and Carmela Troncoso. 2022. Synthetic Data \u2013 Anonymisation Groundhog Day. In 31st USENIX Security Symposium (USENIX Security 22). USENIX Association, Boston, MA, 1451\u20131468. https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/stadler"},{"key":"e_1_3_3_2_35_2","unstructured":"Namjoon Suh Xiaofeng Lin Din-Yin Hsieh Mehrdad Honarkhah and Guang Cheng. 2023. AutoDiff: combining Auto-encoder and Diffusion model for tabular data synthesizing. https:\/\/openreview.net\/forum?id=XhxOCXlXSh"},{"key":"e_1_3_3_2_36_2","unstructured":"Namjoon Suh Xiaofeng Lin Din-Yin Hsieh Merhdad Honarkhah and Guang Cheng. 2023. AutoDiff: combining Auto-encoder and Diffusion model for tabular data synthesizing. arxiv:https:\/\/arXiv.org\/abs\/2310.15479\u00a0[stat.ML] https:\/\/arxiv.org\/abs\/2310.15479"},{"key":"e_1_3_3_2_37_2","doi-asserted-by":"publisher","unstructured":"Vibeke\u00a0Binz Vallevik Aleksandar Babic Serena\u00a0E. Marshall Severin Elvatun Helga\u00a0M.B. Br\u00f8gger Sharmini Alagaratnam Bj\u00f8rn Edwin Narasimha\u00a0R. Veeraragavan Anne\u00a0Kjersti Befring and Jan\u00a0F. Nyg\u00e5rd. 2024. Can I trust my fake data \u2013 A comprehensive quality assessment framework for synthetic tabular data in healthcare. International Journal of Medical Informatics 185 (May 2024) 105413. 10.1016\/j.ijmedinf.2024.105413","DOI":"10.1016\/j.ijmedinf.2024.105413"},{"key":"e_1_3_3_2_38_2","unstructured":"Boris van Breugel Hao Sun Zhaozhi Qian and Mihaela van\u00a0der Schaar. 2023. Membership Inference Attacks against Synthetic Data through Overfitting Detection. arxiv:https:\/\/arXiv.org\/abs\/2302.12580\u00a0[cs.LG]"},{"key":"e_1_3_3_2_39_2","unstructured":"Joshua Ward Chi-Hua Wang and Guang Cheng. 2024. Data Plagiarism Index: Characterizing the Privacy Risk of Data-Copying in Tabular Generative Models. arxiv:https:\/\/arXiv.org\/abs\/2406.13012\u00a0[cs.LG] https:\/\/arxiv.org\/abs\/2406.13012"},{"key":"e_1_3_3_2_40_2","unstructured":"Joshua Ward Chi-Hua Wang and Guang Cheng. 2025. Privacy Auditing Synthetic Data Release through Local Likelihood Attacks. arxiv:https:\/\/arXiv.org\/abs\/2508.21146\u00a0[cs.LG] https:\/\/arxiv.org\/abs\/2508.21146"},{"key":"e_1_3_3_2_41_2","series-title":"Proceedings of Machine Learning Research","first-page":"5357","volume-title":"Proceedings of The 26th International Conference on Artificial Intelligence and Statistics","volume":"206","author":"Watson David\u00a0S.","year":"2023","unstructured":"David\u00a0S. Watson, Kristin Blesch, Jan Kapar, and Marvin\u00a0N. Wright. 2023. Adversarial Random Forests for Density Estimation and Generative Modeling. In Proceedings of The 26th International Conference on Artificial Intelligence and Statistics(Proceedings of Machine Learning Research, Vol.\u00a0206), Francisco Ruiz, Jennifer Dy, and Jan-Willem van\u00a0de Meent (Eds.). PMLR, Valencia, Spain, 5357\u20135375. https:\/\/proceedings.mlr.press\/v206\/watson23a.html"},{"key":"e_1_3_3_2_42_2","first-page":"7335","volume-title":"Advances in Neural Information Processing Systems","author":"Xu Lei","year":"2019","unstructured":"Lei Xu, Maria Skoularidou, Alfredo Cuesta-Infante, and Kalyan Veeramachaneni. 2019. Modeling Tabular data using Conditional GAN. In Advances in Neural Information Processing Systems , Vol.\u00a032. Curran Associates, Inc., Vancouver, Canada, 7335\u20137345. https:\/\/proceedings.neurips.cc\/paper\/2019\/hash\/254ed7d2de3b23ab10936522dd547b78-Abstract.html"},{"key":"e_1_3_3_2_43_2","doi-asserted-by":"publisher","unstructured":"X. Yao and Yong Liu. 1999. Ensemble learning via negative correlation. Neural networks : the official journal of the International Neural Network Society 12 10 (1999) 1399\u20131404. 10.1016\/S0893-6080(99)00073-8","DOI":"10.1016\/S0893-6080(99)00073-8"},{"key":"e_1_3_3_2_44_2","doi-asserted-by":"crossref","unstructured":"Jinsung Yoon Lydia\u00a0N Drumright and Mihaela Van Der\u00a0Schaar. 2020. Anonymization through data synthesis using generative adversarial networks (ads-gan). IEEE journal of biomedical and health informatics 24 8 (2020) 2378\u20132388.","DOI":"10.1109\/JBHI.2020.2980262"},{"key":"e_1_3_3_2_45_2","first-page":"1","volume-title":"International Conference on Learning Representations","author":"Yoon Jinsung","year":"2019","unstructured":"Jinsung Yoon, James Jordon, and Mihaela van\u00a0der Schaar. 2019. PATE-GAN: Generating Synthetic Data with Differential Privacy Guarantees. In International Conference on Learning Representations. OpenReview.net, New Orleans, LA, USA, 1\u201315. https:\/\/openreview.net\/forum?id=S1zk9iRqF7"},{"key":"e_1_3_3_2_46_2","first-page":"4Ay23yeuz0","volume-title":"The Twelfth International Conference on Learning Representations","author":"Zhang Hengrui","year":"2024","unstructured":"Hengrui Zhang, Jiani Zhang, Zhengyuan Shen, Balasubramaniam Srinivasan, Xiao Qin, Christos Faloutsos, Huzefa Rangwala, and George Karypis. 2024. Mixed-Type Tabular Data Synthesis with Score-based Diffusion in Latent Space. In The Twelfth International Conference on Learning Representations. OpenReview.net, Vienna, Austria, 4Ay23yeuz0. https:\/\/openreview.net\/forum?id=4Ay23yeuz0"},{"key":"e_1_3_3_2_47_2","doi-asserted-by":"publisher","unstructured":"Jun Zhang Graham Cormode Cecilia\u00a0M. Procopiuc Divesh Srivastava and Xiaokui Xiao. 2017. PrivBayes: Private Data Release via Bayesian Networks. ACM Trans. Database Syst. 42 4 Article 25 (Oct. 2017) 41\u00a0pages. 10.1145\/3134428","DOI":"10.1145\/3134428"},{"key":"e_1_3_3_2_48_2","unstructured":"Shuhan Zheng and Nontawat Charoenphakdee. 2023. Diffusion models for missing value imputation in tabular data. arxiv:https:\/\/arXiv.org\/abs\/2210.17128\u00a0[cs.LG] https:\/\/arxiv.org\/abs\/2210.17128"},{"key":"e_1_3_3_2_49_2","doi-asserted-by":"publisher","unstructured":"Xiaojun Zhou Jingyi He and Chunhua Yang. 2021. An ensemble learning method based on deep neural network and group decision making. Knowl. Based Syst. 239 (2021) 107801. 10.1016\/j.knosys.2021.107801","DOI":"10.1016\/j.knosys.2021.107801"}],"event":{"name":"AISec '25: Proceedings of the 2025 Workshop on Artificial Intelligence and Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Taipei , Taiwan","acronym":"AISec '25"},"container-title":["Proceedings of the 18th ACM Workshop on Artificial Intelligence and Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3733799.3762977","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,30]],"date-time":"2025-12-30T11:52:42Z","timestamp":1767095562000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3733799.3762977"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,10,13]]},"references-count":48,"alternative-id":["10.1145\/3733799.3762977","10.1145\/3733799"],"URL":"https:\/\/doi.org\/10.1145\/3733799.3762977","relation":{},"subject":[],"published":{"date-parts":[[2025,10,13]]},"assertion":[{"value":"2025-12-30","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}