On the (in)feasibility of attribute inference attacks on machine learning models

Benjamin Zi Hao Zhao, Aviral Agrawal, Catisha Coburn, Hassan Jameel Asghar, Raghav Bhaskar, Mohamed Ali Kaafar, Darren Webb, Peter Dickinson

Research output: Chapter in Book/Report/Conference proceedingConference proceeding contributionpeer-review

8 Citations (Scopus)


With an increase in low-cost machine learning APIs, advanced machine learning models may be trained on private datasets and monetized by providing them as a service. However, privacy researchers have demonstrated that these models may leak information about records in the training dataset via membership inference attacks. In this paper, we take a closer look at another inference attack reported in literature, called attribute inference, whereby an attacker tries to infer missing attributes of a partially known record used in the training dataset by accessing the machine learning model as an API. We show that even if a classification model succumbs to membership inference attacks, it is unlikely to be susceptible to attribute inference attacks. We demonstrate that this is because membership inference attacks fail to distinguish a member from a nearby non-member. We call the ability of an attacker to distinguish the two (similar) vectors as strong membership inference. We show that membership inference attacks cannot infer membership in this strong setting, and hence inferring attributes is infeasible. However, under a relaxed notion of attribute inference, called approximate attribute inference, we show that it is possible to infer attributes close to the true attributes. We verify our results on three publicly available datasets, five membership, and three attribute inference attacks reported in literature.

Original languageEnglish
Title of host publicationProceedings - 2021 IEEE European Symposium on Security and Privacy, EuroS&P 2021
Place of PublicationPiscataway, NJ
PublisherInstitute of Electrical and Electronics Engineers (IEEE)
Number of pages20
ISBN (Electronic)9781665414913
Publication statusPublished - 2021
Event6th IEEE European Symposium on Security and Privacy, Euro S&P 2021 - Virtual, Online, Austria
Duration: 6 Sept 202110 Sept 2021


Conference6th IEEE European Symposium on Security and Privacy, Euro S&P 2021
CityVirtual, Online


  • Attack
  • Attribute
  • Federated
  • Inference
  • Learning
  • Machine
  • Membership
  • Privacy


Dive into the research topics of 'On the (in)feasibility of attribute inference attacks on machine learning models'. Together they form a unique fingerprint.

Cite this