A Unified Perspective on Adversarial Membership Manipulation in Vision Models
Ruize Gao 1, Kaiwen Zhou 2,3, Yongqiang Chen 3, Feng Liu 4
Published on arXiv
2604.02780
Membership Inference Attack
OWASP ML Top 10 — ML04
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
Adversarial perturbations consistently push non-members into the member region of state-of-the-art MIAs across diverse architectures and datasets; a gradient-norm collapse trajectory reliably separates fabricated members from true members even though their semantic representations are nearly identical
MFA (Member Fabrication Attack)
Novel technique introduced
Membership inference attacks (MIAs) aim to determine whether a specific data point was part of a model's training set, serving as effective tools for evaluating privacy leakage of vision models. However, existing MIAs implicitly assume honest query inputs, and their adversarial robustness remains unexplored. We show that MIAs for vision models expose a previously overlooked adversarial surface: adversarial membership manipulation, where imperceptible perturbations can reliably push non-member images into the "member" region of state-of-the-art MIAs. In this paper, we provide the first unified perspective on this phenomenon by analyzing its mechanism and implications. We begin by demonstrating that adversarial membership fabrication is consistently effective across diverse architectures and datasets. We then reveal a distinctive geometric signature, a characteristic gradient-norm collapse trajectory, that reliably separates fabricated from true members despite their nearly identical semantic representations. Building on this insight, we introduce a principled detection strategy grounded in gradient-geometry signals and develop a robust inference framework that substantially mitigates adversarial manipulation. Extensive experiments show that fabrication is broadly effective, while our detection and robust inference strategies significantly enhance resilience. This work establishes the first comprehensive framework for adversarial membership manipulation in vision models.
Key Contributions
- First demonstration that membership inference attacks are vulnerable to adversarial input manipulation via imperceptible perturbations (Member Fabrication Attack)
- Discovery of gradient-norm collapse trajectory as geometric signature distinguishing fabricated from true members
- Principled detection method (MFD) and robust inference framework (AR-MIAs) that incorporate gradient-geometry statistics to defend against fabrication attacks
🛡️ Threat Analysis
The attack vector is a gradient-based adversarial perturbation of the query image at inference time, optimized to move the MIA's membership score rather than the classifier's label. The target is membership inference (ML04); the technique is adversarial example generation with imperceptible perturbations that alter model behavior, a core ML01 method applied to a privacy-auditing tool. The practical consequence is that any privacy audit that trusts MIA verdicts on inputs the audited party can choose inherits this weakness, because the verdict can be fabricated without touching the model or its training data.
The primary focus is adversarial manipulation of membership inference attacks from both sides: attacking MIAs via member fabrication (MFA) and hardening them via detection (MFD) and robust inference (AR-MIAs). The paper demonstrates that imperceptible perturbations fool state-of-the-art MIAs into classifying non-members as members, shows that the fabricated points carry a gradient-norm collapse signature that true members lack, and uses that gradient-geometry signal to detect fabrication and to make the inference itself robust.
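The abstract and the threat analysis both describe the same mechanism: an MIA scores a query by how well the model fits it, so an attacker who controls the query can run the same gradient machinery used for adversarial examples (ML01) against the membership score (ML04). The following toy reproduces that mechanism end to end. It is an added example, not code from the paper, and it does not reproduce the paper's MFA, MFD or AR-MIAs; the model (a bias-free logistic regression on a constructed 64-dimensional input space in [-1, 1]^64), the loss-threshold MIA, the L-inf PGD attacker and all data are assumptions made for the illustration.

```python
"""
Membership fabrication against a loss-threshold MIA on a toy model.
Added example (not the paper's code); pure Python, seeded, runs offline.

  model : logistic regression without bias, trained on the member set
  MIA   : classic loss-threshold attack, "member" iff loss < tau
  attack: L-inf bounded PGD on the loss of a non-member (member fabrication)
"""
import math
import random

D = 64           # assumed toy input dimension, inputs live in [-1, 1]^D
N_MEMBERS = 100
EPS = 0.5        # L-inf budget: large because D is tiny; on images the same
                 # logit shift eps * ||w||_1 is reached with eps of a pixel level
ALPHA = 0.05     # PGD step size
STEPS = 20       # ALPHA * STEPS >= EPS, so PGD can reach the budget
TAU = math.log(2.0)  # MIA threshold: loss below log 2 means the model favours the label

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def l2norm(v):
    return math.sqrt(sum(t * t for t in v))

def bce_loss(w, x, y):
    """Binary cross-entropy for logit z = w.x, label y in {0,1}, stable form."""
    z = dot(w, x)
    return max(z, 0.0) + math.log1p(math.exp(-abs(z))) - y * z

def input_grad(w, x, y):
    """d loss / d x = (sigmoid(z) - y) * w; its norm shrinks as the fit improves."""
    r = sigmoid(dot(w, x)) - y
    return [r * wi for wi in w]

def make_members(rng, n, w_true, margin=1.5):
    """Constructed data: points in [-1,1]^D labelled by sign(w_true.x), kept
    only when at least `margin` from the boundary so training converges."""
    pts = []
    while len(pts) < n:
        x = [rng.uniform(-1.0, 1.0) for _ in range(D)]
        z = dot(w_true, x)
        if abs(z) >= margin:
            pts.append((x, 1 if z > 0 else 0))
    return pts

def train(members, lr=0.5, epochs=500):
    """Full-batch gradient descent on the mean BCE; no bias term."""
    w = [0.0] * D
    n = len(members)
    for _ in range(epochs):
        g = [0.0] * D
        for x, y in members:
            r = sigmoid(dot(w, x)) - y
            for i in range(D):
                g[i] += r * x[i]
        w = [wi - lr * gi / n for wi, gi in zip(w, g)]
    return w

def mia_is_member(w, x, y, tau=TAU):
    """Loss-threshold MIA: a low loss is taken as evidence of membership."""
    return bce_loss(w, x, y) < tau

def fabricate_member(w, x, y, eps=EPS, alpha=ALPHA, steps=STEPS):
    """L-inf PGD on the MIA's loss (the 'push into the member region' move).
    Returns the perturbed input and the input-gradient-norm trajectory."""
    x_adv = list(x)
    norms = [l2norm(input_grad(w, x_adv, y))]
    for _ in range(steps):
        g = input_grad(w, x_adv, y)
        x_adv = [min(max(xa - alpha * (1 if gi > 0 else -1 if gi < 0 else 0),
                         xo - eps), xo + eps)
                 for xa, gi, xo in zip(x_adv, g, x)]
        x_adv = [min(max(v, -1.0), 1.0) for v in x_adv]   # stay in the valid range
        norms.append(l2norm(input_grad(w, x_adv, y)))
    return x_adv, norms

def run_experiment(seed=0):
    rng = random.Random(seed)
    w_true = [rng.uniform(-1.0, 1.0) for _ in range(D)]
    members = make_members(rng, N_MEMBERS, w_true)
    # Non-members: inputs the model never saw and fits badly. Mirroring a
    # member keeps its label but moves it across the boundary; this stands in
    # for the generalisation gap a real MIA exploits (constructed data).
    non_members = [([-v for v in x], y) for x, y in members]
    w = train(members)
    n = len(members)
    fabricated = loss_drops = collapses = 0
    max_linf = 0.0
    for x, y in non_members:
        x_adv, norms = fabricate_member(w, x, y)
        fabricated += mia_is_member(w, x_adv, y)
        loss_drops += bce_loss(w, x_adv, y) < bce_loss(w, x, y)
        collapses += norms[-1] < norms[0]
        max_linf = max(max_linf, max(abs(a - b) for a, b in zip(x_adv, x)))
    return {
        "max_member_loss": max(bce_loss(w, x, y) for x, y in members),
        "min_nonmember_loss": min(bce_loss(w, x, y) for x, y in non_members),
        "mia_tpr": sum(mia_is_member(w, x, y) for x, y in members) / n,
        "mia_fpr_honest": sum(mia_is_member(w, x, y) for x, y in non_members) / n,
        "mia_fpr_fabricated": fabricated / n,
        "loss_drop_rate": loss_drops / n,
        "grad_norm_collapse_rate": collapses / n,
        "max_linf": max_linf,
    }

if __name__ == "__main__":
    for k, v in run_experiment().items():
        print(f"{k:26s} {v:.4f}")
```

Against honest queries the MIA is perfect here (members below tau, mirrored non-members above it); after PGD the same non-members sit below tau within the L-inf budget, so the "false positive" rate of the audit is whatever the attacker wants it to be. The gradient norm |sigmoid(z) - y| * ||w|| collapses along every attack trajectory, which is the quantity the paper analyses; note, however, that in a linear model the fabricated endpoint has an input-gradient norm as small as a true member's, so the endpoint alone cannot separate them. The paper's separating signature is the trajectory shape in deep vision models, which this toy does not attempt to reproduce.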