Toward Efficient Inference Attacks: Shadow Model Sharing via Mixture-of-Experts

We thank the reviewer for the constructive comments and address each issue raised below in detail.

Q1: Clarification about pathway alignment.

The pathway alignment module fine-tunes selected experts using additional subsets of the training data to mitigate under-training issues in the MoE model.
By “mimic the behavior,” we mean training in a similar manner as the target model. But using confidence scores from the target model would result in a different training paradigm and is shown to reduce MIA effectiveness, as discovered in knowledge distillation-based defenses [1, 2].
[1] Tang X, Mahloujifar S, Song L, et al. Mitigating membership inference attacks by {Self-Distillation} through a novel ensemble architecture[C]//31st USENIX security symposium (USENIX security 22). 2022: 1433-1450.
[2] Mazzone F, Van Den Heuvel L, Huber M, et al. Repeated knowledge distillation with confidence masking to mitigate membership inference attacks[C]//Proceedings of the 15th ACM Workshop on Artificial Intelligence and Security. 2022: 13-24.

Q2: About baseline choices.

QMIA and SNAP are specific inference attack methods rather than shadow model construction techniques. QMIA does not use shadow models, making it incompatible with our framework, while SNAP focuses on property inference via poisoning, which falls outside the scope of our MIA experiments. In contrast, RMIA relies on shadow models, so we include them for comparison to evaluate how SHAPOOL enhances efficiency by replacing the original shadow model construction—i.e., comparing RMIA+BASE with RMIA+SHAPOOL.

Q3: Additional factors for MIA performance.

We acknowledge that MIA performance can be influenced by additional factors beyond the three key ones we focus on. In particular, while this work focuses on MIA attacks from a black-box perspective, in a white-box setting where the target model’s parameters are accessible, alignment between the shadow models and the target model in parameter space, such as producing similar gradients or intermediate results, may also influence attack effectiveness. We will consider these factors when we extend this work to white-box settings.

Q4: Suggestions about ROC curves.

We agree that ROC curves offer valuable insights. Due to format constraints in this rebuttal, we are unable to enclose the full ROC curves here but will provide them in the final version of this paper.

Thank you very much for your thorough review and thoughtful suggestions. We have carefully addressed each concern, as detailed below.

Q1&W1: SHAPOOL’s generality and relation to attack-specific methods.

(1) The section "Extension to Other Inference Attacks" refers to applying SHAPOOL to different MIA algorithms, rather than other types of inference attacks. Although our experiments primarily focus on MIAs, the proposed method can be extended to other inference attacks such as black-box property inference attacks (PIA) [1, 2], which aim to distinguish between statistical properties (e.g., $t_0$ vs. $t_1$). To adapt SHAPOOL for PIA, we can modify the training data for each pathway such that one SHAPOOL is trained on data satisfying $t_0$ and the other on $t_1$, replacing the shadow models for each property. We present the pseudo-code as follows. While we are currently developing the PIA pipeline and conducting experiments, the results may not be completed by the end of this rebuttal. Nonetheless, we will report these results in the final version of this paper.

[1] Mahloujifar S, Ghosh E, Chase M. Property inference from poisoning[C]//2022 IEEE Symposium on Security and Privacy (SP). IEEE, 2022: 1120-1137.
[2] Chaudhari H, Abascal J, Oprea A, et al. SNAP: Efficient extraction of private properties with poisoning[C]//2023 IEEE Symposium on Security and Privacy (SP). IEEE, 2023: 400-417.

---

Algorithm: SHAPOOL-based Property Inference Attacks
Input: Predefined values $t_0$ and $t_1$; Attack dataset $D_{attack}$; Shadow dataset $\mathcal{D}$; Attack algorithm $\mathcal{A}$;
Target model $M$; MoE model $f$;
Output: Inferred property value $\hat{t} \in \{t_0, t_1\}$
For $i \in \{0, 1\}$:
 Initialize mapping matrix of $f_i$ via pathway-choice routing
 For $j = 1$ to $m$:
  Sample $D_{i,j}^1, D_{i,j}^2 \subset D$ such that $P(D_{i,j}^1) = P(D_{i,j}^2) = t_i$
  Randomly select pathways $p_1$ and $p_2$ in $f_i$
  Train $p_1$ and $p_2$ jointly using pathway regularization on $D_{i,j}^1$ and $D_{i,j}^2$
 End For
 Randomly select $n$ pre-trained pathways $S \subset f_i$
 For each pathway $p \in S$:
  Fine-tune $p$ via pathway alignment
  Record confidence scores: $c_i \leftarrow p(D_{attack})$
 End For
End For
Construct $\mathcal{A}$ using distributions: $N_0 \sim c_0$, $N_1 \sim c_1$
Collect confidence scores: $\mathbf{c} \leftarrow M(D_{attack})$
Compute probability: $\ell_0 \leftarrow \mathcal{A}(\mathbf{c} \mid N_0)$, $\ell_1 \leftarrow \mathcal{A}(\mathbf{c} \mid N_1)$
Return: $\hat{t} \leftarrow \arg\max\limits_{i \in \{0,1\}} \ell_i$

---

(2) By “coupled with specific algorithms,” we mean that prior works such as [10, 12, 13] are specific attack algorithm, not general-purpose shadow model construction techniques and thus cannot be easily reused across different attacks. In contrast, SHAPOOL focuses purely on shadow model construction, making it more flexible for integration into different attack pipelines.

Q2&W2: Description of the full ROC-curve comparison.

SHAPOOL serves as a shadow model construction method that can be integrated into existing MIA frameworks such as LiRA and RMIA. Per your question, it yields ROC curves similar to the BASE versions under the same attack algorithm, with only some fluctuations and occasionally lower (less than 0.05) performance than BASE. Due to format constraints in this rebuttal, we are unable to enclose the full ROC curves here but will provide them in the final version of this paper.

Q3: The performance of fewer SHAPOOLs.

According to the ablation study (Figure 3b), we think that using fewer SHAPOOLs may lead to degraded performance and fall short of RMIA’s optimal results. Nonetheless, this is expected as the RMIA’s optimal results use unlimited number of individual shadow models, which incurs infeasible computational cost.

Q4&W2&W3: Performance under fixed compute budget.

Take LiRA-online on CIFAR100 with ResNet18 as an example. A single SHAPOOL outperforms four individual shadow models under the same compute budget. Furthermore, four SHAPOOLs—at a cost equivalent to 16 individual models—nearly match the performance achieved by using 128 shadow models. These results suggest that SHAPOOL consistently outperforms LiRA across a range of fixed compute budgets. Supporting experimental results are provided below.

Table 1: Performance (AUC/TF1) of LiRA-online with varying budgests on CIFAR100 (ResNet18)

W3: Clarification about experimental setup

(1) Our goal is not to compare which MIA performs best under constrained settings, but to show how SHAPOOL improves the efficiency of shadow model construction. We use LiRA as a representative case and compare the performance of LiRA+BASE with that of LiRA+SHAPOOL.
(2) While RMIA reports stable AUC with 4/8 models, we find that key metrics like TF1 can continue to improve with more models (e.g., TF1 increases from 0.44 to 0.53 but AUC stays 0.93–0.94 for 2~64 shadow models). To fairly compare with SHAPOOL’s upper bound, we use 64 models for RMIA.

W4: Reference and hardware details.

Per your suggestion, we add citations for the Bhattacharyya coefficient [1] and the CINC10 dataset [2]. The hardware details are included in Appendix C.1, that is, NVIDIA RTX 3090 GPUs with 24GB of memory.
[1] Bhattacharyya A. On a measure of divergence between two statistical populations defined by their probability distribution[J]. Bulletin of the Calcutta Mathematical Society, 1943, 35: 99-110.
[2] Darlow L N, Crowley E J, Antoniou A, et al. Cinic-10 is not imagenet or cifar-10[J]. arXiv preprint arXiv:1810.03505, 2018.

I thank the authors for responding to my comments!

Q1&W1: SHAPOOL’s generality and relation to attack-specific methods.

(1) Thanks, I see! If the authors could make this clearer in the paper that would be great. (2) Ok I see. In that case, if I may, I think the point here is not that [10, 12, 13] are "coupled with specific algorithms" but rather that the focus of [10, 12, 13] is different from your work. Their focus is to come up with novel attack algorithms whereas yours solely focuses on shadow model construction, which are orthogonal to each other.

Q3: The performance of fewer SHAPOOLs.

Sorry maybe my point was not clear. My point was that I would like to see a comparison between SHAPOOL and RMIA both using a limited compute budget (<= 4 shadow models) kind of like the only you have already sent for SHAPOOL vs BASE for LiRA. Would this be possible? You don't have to send over results now but if you could commit to it/explain why this cannot be done that would be great. Thanks!

Q4&W2&W3: Performance under fixed compute budget.

Wow these results look really promising thanks! Just a minor question when comparing with LiRA here do you fix the variance for all samples? I think the LiRA paper originally reported that in low reference model settings, fixed variance outperforms per-sample variance substantially (see Figure 17). You don't have to send over the new results (if any) now but if you could make sure that this is clear in the final version of the paper that would be great.

W3: Clarification about experimental setup

I understand where the authors are coming from but RMIA's main contribution was specifically in the low reference model setting. Therefore I still believe that it is unfair that the authors only compare with RMIA when using many reference models. In any case isn't it an advantageous for the authors if for e.g., for 2 reference models RMIA's AUC ~ SHAPOOL's AUC but SHAPOOL's TF1 substantially outperforms RMIA? We can discuss this point in greater detail but I strongly believe that it is important to compare against the appropriate MIA for the setting. My suggestion is for the authors to report RMIA for Table 1 since RMIA is the best for "constrained resource" setting. Then Table 3 can remain as-is since Table 1 would already have evaluated RMIA under resource-constrained setting. Happy to hear the authors' thoughts on this.

I thank the authors for sincerely addressing the comments I have raised and will improve my score to 4. The only remaining concern I have pertains to the comparison with RMIA above and if the authors can commit to addressing this I will be inclined to improve my score further. Thanks!

We sincerely appreciate your time of reviewing our paper and insightful suggestions. We now address your concerns in details below.

Q1&W3: About baseline and related methods.

We consider the BASE method as an ideal baseline for training shadow models, as it independently trains shadow models with the same architecture and same data distribution as the target. As such, BASE is a natural and widely adopted approach, especially in black-box MIAs. The only disadvantage is its high computational cost, which is the main motivation of this paper to train similar quality of shadow models with much lower cost.

Regarding alternative shadow model construction strategies, naive methods such as simple model augmentation have shown limited effectiveness in our context. The work [R1] proposed a distilled construction strategy, where shadow models are generated from a pre-trained model via distillation. However, as shown in the table below, this approach yields suboptimal performance—whether using 64 or 128 distilled models.

Table 1: RMIA-online version on CIFAR100 and ResNet18.

[R1] Ye J, Maddi A, Murakonda S K, et al. Enhanced membership inference attacks against machine learning models[C]//Proceedings of the 2022 ACM SIGSAC conference on computer and communications security. 2022: 3093-3106.

Q2&W4: Experiments setup and stability.

We ran each experiment five times with different random seeds, as described in Section 5.1. To address your concern, we update Tables 1 to include standard deviation as below. Compared to BASE, our results show the same or slightly higher fluctuations in AUC and FPR.

Table 1 - LiRA-offline attack

Table 1 - LiRA-online attack

Q3: Impact of the amount of available shadow dataset.

We agree with you that the amount of available training data can affect performance, as discussed in Appendix D. Since our method is based on an MoE model with more parameters than an individual model, sufficient training data can achieve good performance. Nonetheless, only when the available data is extremely limited, for instance, less than 1.2× the amount used for an individual shadow model, the performance of SHAPOOL may degrade, as shown in Table 6 of Appendix C.3.

W1: SHAPOOL’s generality

Although our experiments primarily focus on MIAs, SHAPOOL can be extended to other attacks such as black-box property inference attacks (PIA) [1, 2], which aim to distinguish statistical properties (e.g., between $t_0$ and $t_1$). To adapt SHAPOOL for PIA, we can modify the training data of each pathway so that one SHAPOOL is trained on data satisfying $t_0$ and the other on $t_1$, replacing the shadow models for each property, as shown in the pseudo-code below. While we are currently developing the PIA pipeline and conducting experiments, the results may not be completed by the end of this rebuttal. Nonetheless, we will report these results in the final version of this paper.

[1] Mahloujifar S, Ghosh E, Chase M. Property inference from poisoning[C]//2022 IEEE Symposium on Security and Privacy (SP). IEEE, 2022: 1120-1137.
[2] Chaudhari H, Abascal J, Oprea A, et al. SNAP: Efficient extraction of private properties with poisoning[C]//2023 IEEE Symposium on Security and Privacy (SP). IEEE, 2023: 400-417.

---

Algorithm: SHAPOOL-based Property Inference Attacks
Input: Predefined values $t_0$ and $t_1$; Attack dataset $D_{attack}$; Shadow dataset $\mathcal{D}$; Attack algorithm $\mathcal{A}$;
Target model $M$; MoE model $f$;
Output: Inferred property value $\hat{t} \in \{t_0, t_1\}$
For $i \in \{0, 1\}$:
 Initialize mapping matrix of $f_i$ via pathway-choice routing
 For $j = 1$ to $m$:
  Sample $D_{i,j}^1, D_{i,j}^2 \subset D$ such that $P(D_{i,j}^1) = P(D_{i,j}^2) = t_i$
  Randomly select pathways $p_1$ and $p_2$ in $f_i$
  Train $p_1$ and $p_2$ jointly using pathway regularization on $D_{i,j}^1$ and $D_{i,j}^2$
 End For
 Randomly select $n$ pre-trained pathways $S \subset f_i$
 For each pathway $p \in S$:
  Fine-tune $p$ via pathway alignment
  Record confidence scores: $c_i \leftarrow p(D_{attack})$
 End For
End For
Construct $\mathcal{A}$ using distributions: $N_0 \sim c_0$, $N_1 \sim c_1$
Collect confidence scores: $\mathbf{c} \leftarrow M(D_{attack})$
Compute probability: $\ell_0 \leftarrow \mathcal{A}(\mathbf{c} \mid N_0)$, $\ell_1 \leftarrow \mathcal{A}(\mathbf{c} \mid N_1)$
Return: $\hat{t} \leftarrow \arg\max\limits_{i \in \{0,1\}} \ell_i$

---

W2: Design of three modules.

We agree that the modules are based on intuitive principles; however, their novelty lies in adapting MoE for shared shadow model construction through minimal yet effective modifications. As demonstrated in our ablation study (Figure 5 and Table 4), each module contributes meaningfully to the final attack performance. Moreover, the simplicity of our design facilitates easy integration, while achieving comparable or even superior performance (Tables 1 and 2) compared to traditional shadow model construction methods.

W5: Experimental figure settings.

We will revise Figures 3 and 6 to improve readability in the final version.

Dear Reviewer,

Thank you again for your valuable time and detailed review. We have posted a rebuttal where we sought to address your concerns with new empirical evidence and further clarifications.

We would be grateful to know if our response has helped clarify these points, and happy to discuss any remaining questions you may have.

Thank you once more for your insights.

Best Regards.

Thank you very much for your time and valuable comments, most of which are positive and encouraging. Due to very tight rebuttal schedule, for your suggestion to conduct experiments on larger-image datasets, we use the TinyImageNet [1] derived from ImageNet and ResNet18 under the unconstrained setting for RMIA. The results, presented below, provide further support for our approach. We will consider using even larger-image datasets in the final version of this paper.

[1] Ya Le and X Yang. Tiny ImageNet Visual Recognition Challenge. 2015.

Table: Performance and cost of RMIA on TinyImageNet.