Member Inference Risk Assessment for Capsule Network

doi:10.3969/j.issn.1671-1122.2026.01.003

Abstract

Abstract:

To evaluate the defense capability of capsule network against membership inference attacks, this study implemented membership inference attacks on the FashionMNIST and CIFAR-10 datasets and selected LeNet, VGG16, and ResNet18 as shadow models. Additionally, this study tested the impact of the number of shadow models on the attack effectiveness, explored the relationship between overfitting and membership inference attacks, and tested the defensive effect of differential privacy against membership inference attacks. The experimental results show that the attack success rate of membership inference attacks can reach up to 94.8%, and there is no significant advantage in the attack success rate when the number of shadow models is between 1 and 5. Furthermore, the study found that the effectiveness of membership inference attacks increased with the increase in overfitting, and the application of differential privacy technology can effectively enhance the defensive capability of the capsule network, but the training time of the capsule network will increase by more than 133%. These findings indicate that common strategies and defensive measures against membership inference attacks are applicable to capsule network, highlighting the importance of prioritizing security issues in the design and application of capsule network.

Key words: capsule network, membership inference attack, machine learning, robustness

CLC Number:

TP309

WANG Yajie, LU Jinbiao, TAN Dongli, FAN Qing, ZHU Liehuang. Member Inference Risk Assessment for Capsule Network[J]. Netinfo Security, 2026, 26(1): 38-48.

Figures/Tables 10

References 33

[1]	AL-RUBAIE M, CHANG J M. Privacy-Preserving Machine Learning: Threats and Solutions[J]. IEEE Security & Privacy, 2019, 17(2): 49-58.
[2]	SABOUR S, FROSST N, HINTON G E. Dynamic Routing between Capsules[C]// ACM. The 31st International Conference on Neural Information Processing Systems. New York: ACM, 2017: 3856-3866.
[3]	YADAV S, DHAGE S. TE-CapsNet: Time Efficient Capsule Network for Automatic Disease Classification from Medical Images[J]. Multimedia Tools and Applications, 2024, 83(16): 49389-49418. doi: 10.1007/s11042-023-17458-4
[4]	DHALLA S, MITTAL A, GUPTA S. LeukoCapsNet: A Resource-Efficient Modified CapsNet Model to Identify Leukemia from Blood Smear Images[J]. Neural Computing and Applications, 2024, 36(5): 2507-2524. doi: 10.1007/s00521-023-09157-w
[5]	LEI Yongjia, WU Zujian, LI Zhiying, et al. BP-CapsNet: An Image-Based Deep Learning Method for Medical Diagnosis[EB/OL]. (2023-10-01)[2025-05-23]. https://doi.org/10.1016/j.asoc.2023.110683.
[6]	SHOKRI R, STRONATI M, SONG Congzheng, et al. Membership Inference Attacks Against Machine Learning Models[C]// IEEE. 2017 IEEE Symposium on Security and Privacy (SP). New York: IEEE, 2017: 3-18.
[7]	BACKES M, BERRANG P, HUMBERT M, et al. Membership Privacy in MicroRNA-Based Studies[C]// ACM. The 2016 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2016: 319-330.
[8]	HAGESTEDT I, ZHANG Yang, HUMBERT M, et al. MBeacon: Privacy-Preserving Beacons for DNA Methylation Data[C]// IEEE. 2019 Network and Distributed System Security Symposium. New York: IEEE, 2019: 21-27.
[9]	PYRGELIS A, TRONCOSO C, DE C E. Knock Knock, Who’s There? Membership Inference on Aggregate Location Data[C]// IEEE. 2018 Network and Distributed System Security Symposium. New York: IEEE, 2018: 35-42.
[10]	HU Hongsheng, SALCIC Z, SUN Lichao, et al. Membership Inference Attacks on Machine Learning: A Survey[J]. ACM Computing Surveys, 2022, 54(11s): 1-37.
[11]	LONG Yunhui, BINDSCHAEDLER V, WANG Lei, et al. Understanding Membership Inferences on Well-Generalized Learning Models[EB/OL]. (2018-02-13)[2025-05-23]. https://doi.org/10.48550/arXiv.1802.04889.
[12]	IROLLA P, CHATEL G. Demystifying the Membership Inference Attack[C]// IEEE. 2019 12th CMI Conference on Cybersecurity and Privacy (CMI). New York: IEEE, 2019: 1-7.
[13]	LEINO K, FREDRIKSON M. Stolen Memories: Leveraging Model Memorization for Calibrated White-Box Membership Inference[C]// USENIX. The 29th USENIX Conference on Security Symposium. Berkeley: USENIX, 2020: 291-313.
[14]	CHOO C A C, TRAMER F, CARLINI N, et al. Label-Only Membership Inference Attacks[C]// ACM. The 38th International Conference on Machine Learning. New York: ACM, 2021: 1964-1974.
[15]	LI Zheng, ZHANG Yang. Membership Leakage in Label-Only Exposures[C]// ACM. The 2021 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2021: 880-895.
[16]	YEOM S, GIACOMELLI I, FREDRIKSON M, et al. Privacy Risk in Machine Learning: Analyzing the Connection to Overfitting[C]// IEEE. 2018 IEEE 31st Computer Security Foundations Symposium (CSF). New York: IEEE, 2018: 268-282.
[17]	REZAEI S, SHAFIQ Z, LIU Xin. Accuracy-Privacy Trade-Off in Deep Ensembles[C]// IEEE. 2023 IEEE Symposium on Security and Privacy (SP). New York: IEEE, 2023: 364-381.
[18]	SRIVASTAVA N, HINTON G, KRIZHEVSKY A, et al. Dropout: A Simple Way to Prevent Neural Networks from Overfitting[J]. Journal of Machine Learning Research, 2014, 15(1): 1929-1958.
[19]	KAYA Y, DUMITRAS T. When Does Data Augmentation Help with Membership Inference Attacks[C]// ACM. The 38th International Conference on Machine Learning. New York: ACM, 2021: 5345-5355.
[20]	CARUANA R, LAWRENCE S, GILES C. Overfitting in Neural Nets:Backpropagation, Conjugate Gradient, and Early Stopping[C]// NIPS. The 14th International Conference on Neural Information Processing Systems. Cambridge: MIT Press, 2000: 381-387.
[21]	NASR M, SHOKRI R, HOUMANSADR A. Machine Learning with Membership Privacy Using Adversarial Regularization[C]// ACM. The 2018 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2018: 634-646.
[22]	SALEM A, ZHANG Yang, HUMBERT M, et al. ML-Leaks: Model and Data Independent Membership Inference Attacks and Defenses on Machine Learning Models[C]// IEEE. 2019 Network and Distributed System Security Symposium. New York: IEEE, 2019: 111-115.
[23]	DWORK C, ROTH A. The Algorithmic Foundations of Differential Privacy[J]. Foundations and Trends in Theoretical Computer Science, 2014, 9(3/4): 211-407. doi: 10.1561/TCS URL
[24]	JIA Jinyuan, SALEM A, BACKES M, et al. MemGuard: Defending against Black-Box Membership Inference Attacks via Adversarial Examples[C]// ACM. The 2019 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2019: 259-274.
[25]	ZHANG Liheng, EDRAKI M, QI Guojun. CapProNet: Deep Feature Learning via Orthogonal Projections onto Capsule Subspaces[C]// ACM. The 32nd International Conference on Neural Information Processing Systems. New York: ACM, 2018: 5819-5828.
[26]	PHAYE S S R, SIKKA A, DHALL A, et al. Dense and Diverse Capsule Networks: Making the Capsules Learn Better[EB/OL]. (2018-05-10)[2025-05-23]. https://doi.org/10.48550/arXiv.1805.04001.
[27]	DELIEGE A, CIOPPA A, VAN D M. HitNet: A Neural Network with Capsules Embedded in a Hit-or-Miss Layer, Extended with Hybrid Data Augmentation and Ghost Capsules[EB/OL]. (2018-06-18)[2025-05-23]. https://doi.org/10.48550/arXiv.1806.06519.
[28]	SAHU S K, KUMAR P, SINGH A P. Dynamic Routing Using Inter Capsule Routing Protocol between Capsules[EB/OL]. (2018-05-27)[2025-05-23]. https://ieeexplore.ieee.org/document/8588168.
[29]	WANG Dilin, LIU Qiang. An Optimization View on Dynamic Routing between Capsules[C]// ACM. The 6th International Conference on Learning Representations. New York: ACM, 2018: 11-14.
[30]	YANG Jucheng, HAN Shujie, MAO Lei, et al. Overview of Capsule Network Model[J]. Journal of Shandong University (Engineering Science), 2019, 49(6): 1-10.
	杨巨成, 韩书杰, 毛磊, 等. 胶囊网络模型综述[J]. 山东大学学报(工学版), 2019, 49(6): 1-10.
[31]	HINTON G E, SABOUR S, FROSST N. Matrix Capsules with EM Routing[C]// ACM. The 6th International Conference on Learning Representations. New York: ACM, 2018: 21-29.
[32]	KRIZHEVSKY A, HINTON G. Learning Multiple Layers of Features from Tiny Images[C]// IEEE. The Conference on Computer Vision and Pattern Recognition. New York: IEEE, 2009: 2311-2320.
[33]	HAN Xiao, KASHIF R, ROLAND V. Fashion-MNIST: A Novel Image Dataset for Benchmarking Machine Learning Algorithms[EB/OL]. (2017-09-15)[2025-05-23]. https://doi.org/10.48550/arXiv.1708.07747.

参数	含义
${{x}_{j}}$	目标模型f的输入
f	目标模型
${{y}_{i}}$	_xi对应的真实标签
θ	目标模型的内部参数
P	目标模型预测置信度向量
A	攻击模型
θ^*	攻击模型的内部参数
${{D}_{train}}$	目标模型训练集
b_ij	胶囊i连接到胶囊j的先验概率
c_ij	胶囊i连接到胶囊j的概率
s_j	L层胶囊的总输入
${{\widehat{u}}_{j\|i}}$	预测胶囊
W_ij	转化矩阵