LoMime: Query-Efficient Membership Inference using Model Extraction in Label-Only Settings

arXiv:2602.18934v2 Announce Type: replace Abstract: Membership inference attacks (MIAs) threaten the privacy of machine learning models by revealing whether a specific data point was used during training. Existing MIAs often rely on impractical assumptions, such as access to public datasets, shadow models, confidence scores, or knowledge of the training data distribution, making them vulnerable to defenses like confidence masking and adversarial regularization. Label-only MIAs, even under strict constraints, suffer from high query requirements per sample. We propose a cost-effective label-only MIA framework based on transferability and model extraction. By querying the target model $M$ using active sampling, perturbation-based selection, and synthetic data, we extract a functionally similar surrogate model $S$ on which membership inference is performed. This shifts the query overhead to a one-time extraction phase, eliminating repeated queries to $M$. Our method matches the performance of state-of-the-art label-only MIAs while significantly reducing query costs and operating under strict black-box constraints. On benchmark tabular datasets, we show that a query budget equivalent to testing the membership of approximately $1%$ of the training samples is sufficient to extract $S$ and achieve membership inference accuracy within $\pm 1%$ of that obtained when attacking $M$ directly. We also evaluate the effectiveness of standard defenses, including DP-SGD and regularization, proposed for label-only MIAs against our attack. Finally, we present preliminary results extending our framework to deep neural networks trained on image datasets, demonstrating promising transferability and membership inference performance under label-only access while highlighting directions for further optimization.