Journal of Computer Applications


Bayesian Membership Inference Attacks for GAN

  

  • Received: 2024-10-28 Revised: 2025-02-11 Accepted: 2025-02-17 Online: 2025-02-27 Published: 2025-02-27

Bayesian membership inference attack for generative adversarial networks

尚游1,2,缪祥华1*   

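  1. Faculty of Information Engineering and Automation, Kunming University of Science and Technology, Kunming 650500; 2. Computer Key Laboratory (Kunming University of Science and Technology), Kunming 650500
  • Corresponding author: 缪祥华
  • Supported by:
    Yunnan Province High-Level Science and Technology Talent and Innovation Team Selection Special Project; Open Fund of the Yunnan Key Laboratory of Computer Technology Applications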

Abstract: The relationship between the accuracy of Membership Inference Attacks (MIA) on Generative Adversarial Networks (GAN) and the generalization ability of the generative model itself is currently disputed, so effective attacks are difficult to apply widely, which limits the improvement of generative models. A Bayesian Estimation (BE)-based membership inference attack scheme was proposed, aiming to efficiently match parameters for optimal attacks in gray-box scenarios. First, the training frameworks of the target and shadow models were designed under black-box conditions to obtain the parameter knowledge required by the attack model; then, the attack model was trained by using this effective parameter information in combination to continuously update the objective function; finally, the trained attack model was applied to the membership inference attack. The experimental results show that the attack accuracy of the BE-based gray-box attack method is improved by 19.44% and 27.37% compared with the existing white-box and black-box attack schemes, respectively. The findings demonstrate a direct link between parameter exposure and attack success rate, and also provide a direction for developing future defensive strategies in this area.

Key words: Machine Learning (ML), Generative Adversarial Network (GAN), Membership Inference Attack (MIA), Bayesian Estimation (BE), correlation analysis
 

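Abstract (Chinese version): At present, the relationship between the precision of Membership Inference Attacks (MIA) on Generative Adversarial Networks (GAN) and the generalization ability of the generative model itself is disputed, so effective attacks are difficult to apply widely, which limits the improvement of generative models. To address this problem, a Bayesian Estimation (BE)-based MIA scheme is proposed, aiming to efficiently match parameters to achieve the optimal attack in gray-box scenarios. First, training frameworks for the target model and the shadow model are designed under black-box conditions to obtain the parameter knowledge required by the attack model; next, this effective parameter information is used in combination to continuously update the objective function and thereby train the attack model; finally, the trained attack model is applied to MIA. The experimental results show that, compared with existing white-box and black-box attack schemes, the accuracy of the BE-based gray-box attack method is improved by 15.89% and 21.64%, respectively. The results show a direct link between parameter exposure and attack success rate, and also provide a direction for developing defensive strategies in this area in the future.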

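Key words (Chinese version): machine learning, generative adversarial network, membership inference attack, Bayesian estimation, correlation analysis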

CLC Number: