Abstract
Most existing membership inference attacks (MIAs) utilize metrics (e.g.,loss) calculated on the model's final state, while recent advanced attacksleverage metrics computed at various stages, including both intermediate andfinal stages, throughout the model training. Nevertheless, these attacks oftenprocess multiple intermediate states of the metric independently, ignoringtheir time-dependent patterns. Consequently, they struggle to effectivelydistinguish between members and non-members who exhibit similar metric values,particularly resulting in a high false-positive rate. In this study, we delve deeper into the new membership signals in theblack-box scenario. We identify a new, more integrated membership signal: thePattern of Metric Sequence, derived from the various stages of model training.We contend that current signals provide only partial perspectives of this newsignal: the new one encompasses both the model's multiple intermediate andfinal states, with a greater emphasis on temporal patterns among them. Buildingupon this signal, we introduce a novel attack method called Sequential-metricbased Membership Inference Attack (SeqMIA). Specifically, we utilize knowledgedistillation to obtain a set of distilled models representing various stages ofthe target model's training. We then assess multiple metrics on these distilledmodels in chronological order, creating distilled metric sequence. We finallyintegrate distilled multi-metric sequences as a sequential multiformat andemploy an attention-based RNN attack model for inference. Empirical resultsshow SeqMIA outperforms all baselines, especially can achieve an order ofmagnitude improvement in terms of TPR @ 0.1% FPR. Furthermore, we delve intothe reasons why this signal contributes to SeqMIA's high attack performance,and assess various defense mechanisms against SeqMIA.