A Unified Perspective on Adversarial Membership Manipulation in Vision Models

arXiv cs.CV / 4/6/2026

💬 OpinionIdeas & Deep AnalysisModels & Research

共有:

Key Points

The paper shows that membership inference attacks against vision models have an unstudied vulnerability: adversarial membership manipulation, where tiny, nearly imperceptible perturbations can shift non-member inputs to be classified as members by state-of-the-art MIAs.
Experiments indicate that this adversarial “fabrication” works broadly across different model architectures and datasets, suggesting the vulnerability is not isolated to a specific setup.
The authors identify a geometric/gradient-norm signature (a gradient-norm collapse trajectory) that distinguishes fabricated (perturbed) samples from true members even when their semantic representations are nearly identical.
Based on this signature, they propose a detection strategy and a more robust inference framework that substantially mitigates the manipulation effect.
The work positions itself as the first unified framework for analyzing and defending against adversarial membership manipulation in vision-model privacy evaluations.

Abstract

Membership inference attacks (MIAs) aim to determine whether a specific data point was part of a model's training set, serving as effective tools for evaluating privacy leakage of vision models. However, existing MIAs implicitly assume honest query inputs, and their adversarial robustness remains unexplored. We show that MIAs for vision models expose a previously overlooked adversarial surface: adversarial membership manipulation, where imperceptible perturbations can reliably push non-member images into the "member" region of state-of-the-art MIAs. In this paper, we provide the first unified perspective on this phenomenon by analyzing its mechanism and implications. We begin by demonstrating that adversarial membership fabrication is consistently effective across diverse architectures and datasets. We then reveal a distinctive geometric signature - a characteristic gradient-norm collapse trajectory - that reliably separates fabricated from true members despite their nearly identical semantic representations. Building on this insight, we introduce a principled detection strategy grounded in gradient-geometry signals and develop a robust inference framework that substantially mitigates adversarial manipulation. Extensive experiments show that fabrication is broadly effective, while our detection and robust inference strategies significantly enhance resilience. This work establishes the first comprehensive framework for adversarial membership manipulation in vision models.