Membership Inference Attack
What is Membership Inference Attack?
Membership Inference Attack: A privacy attack that determines whether a specific data record was part of a machine-learning model's training set by analysing the model's behaviour on that record.
Membership inference, formalised by Shokri et al. (2017), exploits the tendency of ML models to be more confident on examples they have seen during training. The attacker queries the target model with a candidate sample, compares confidence, loss, or per-class scores against shadow models trained on similar data, and infers membership. Even API-only access is often sufficient. The attack is a building block for broader privacy threats — confirming whether a person's medical record, photo, or document was used to train a deployed model can violate GDPR, HIPAA, or the EU AI Act. Defences include differential privacy, dropout-style regularization, output minimization, and careful deduplication of training data.
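The confidence gap described above can be measured as a privacy audit before a model is released. The following is an added example, not part of the original entry: a deliberately overfit toy classifier on constructed data, a threshold test that reports membership advantage (true-positive rate minus false-positive rate), and the same measurement after label-only output minimization. The model, the data and every function name are assumptions made for illustration, and a single confidence threshold with a known holdout set stands in for shadow models.

```python
import math

# Constructed toy data (not from any real system): 1-D feature, label 1 when x >= 5.
TRAIN = [(float(i), int(i >= 5)) for i in range(10)]          # known members
HOLDOUT = [(i + 0.4, int(i + 0.4 >= 5)) for i in range(10)]   # known non-members

def predict_proba(x, h=0.05, prior=0.1):
    """Hypothetical overfit kernel classifier: confidence peaks on training points."""
    mass = [prior, prior]
    for xi, yi in TRAIN:
        mass[yi] += math.exp(-((x - xi) ** 2) / h)
    total = sum(mass)
    return [m / total for m in mass]

def label_only(probs):
    """Output minimization: expose only the predicted class, not the score vector."""
    top = max(range(len(probs)), key=probs.__getitem__)
    return [1.0 if c == top else 0.0 for c in range(len(probs))]

def scores(records, api):
    """Score the API assigns to each record's true label."""
    return [api(x)[y] for x, y in records]

def membership_advantage(member_scores, nonmember_scores):
    """Best single-threshold test: max over thresholds of TPR - FPR (0 = no leakage)."""
    best = 0.0
    for t in sorted(set(member_scores + nonmember_scores)):
        tpr = sum(s >= t for s in member_scores) / len(member_scores)
        fpr = sum(s >= t for s in nonmember_scores) / len(nonmember_scores)
        best = max(best, tpr - fpr)
    return best

def audit(api):
    """Membership advantage an observer of `api` could reach on this audit set."""
    return membership_advantage(scores(TRAIN, api), scores(HOLDOUT, api))

if __name__ == "__main__":
    print("full confidence vector:", audit(predict_proba))
    print("label-only output:     ", audit(lambda x: label_only(predict_proba(x))))
```

An advantage near 1 means the exposed scores separate training records from unseen ones almost perfectly; an advantage near 0 means that output format gives the threshold test nothing to work with on this audit set.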
● Examples
- 01 Determining that a specific patient's record was used to train a hospital's diagnostic model by comparing loss values.
- 02 Identifying whether a copyrighted book was part of an LLM's pre-training corpus via membership tests.
● Frequently asked questions
What is Membership Inference Attack?
A privacy attack that determines whether a specific data record was part of a machine-learning model's training set by analysing the model's behaviour on that record. It belongs to the AI & ML Security category of cybersecurity.
How do you defend against Membership Inference Attack?
The defences named in the definition above are differential privacy, dropout-style regularization, output minimization, and careful deduplication of training data.
What are other names for Membership Inference Attack?
Common alternative names include: MIA, Training-set membership attack.
● Related terms
- Model Inversion (ai-security, № 704): A privacy attack that reconstructs sensitive features of a model's training data — such as faces or text — by exploiting the model's outputs or gradients.
- Model Extraction (ai-security, № 703): An attack that reconstructs a confidential machine-learning model's parameters, behaviour, or training data by systematically querying its public API.
- Data Poisoning (ai-security, № 281): An attack on a machine-learning system in which adversaries inject, alter, or relabel training data so the resulting model behaves incorrectly or contains hidden backdoors.
- AI Governance (ai-security, № 027): The policies, processes, roles, and controls organisations and regulators use to ensure AI systems are developed, deployed, and operated responsibly and lawfully.
- OWASP LLM Top 10 (ai-security, № 777): An OWASP-maintained list of the ten most critical security risks affecting applications that build on large language models.
- MLSecOps (ai-security, № 691): The discipline of integrating security and risk controls across the entire machine-learning lifecycle, from data sourcing through training, deployment, monitoring, and retirement.
● See also
- № 376 Embedding Attacks