This work addresses the low membership discrimination accuracy in membership inference attacks (MIAs). We propose two novel attack frameworks: CMIA (Conditional Shadow Model-based Adaptive MIA) and PMIA (Proxy Sample Behavior Matching-based Non-adaptive MIA). To our knowledge, these are the first approaches to systematically model inter-sample membership dependencies, incorporating conditional shadow training, proxy sample selection, and posterior probability ratio testing. Theoretical analysis and extensive experiments across multiple models and datasets demonstrate that both methods significantly outperform existing state-of-the-art MIAs under adaptive and non-adaptive settings—particularly at low false positive rates. Our results quantitatively expose the implicit privacy leakage of training data inherent in machine learning models, revealing previously underestimated risks in practical deployment scenarios.

A Membership Inference Attack (MIA) assesses how much a trained machine learning model reveals about its training data by determining whether specific query instances were included in the dataset. We classify existing MIAs into adaptive or non-adaptive, depending on whether the adversary is allowed to train shadow models on membership queries. In the adaptive setting, where the adversary can train shadow models after accessing query instances, we highlight the importance of exploiting membership dependencies between instances and propose an attack-agnostic framework called Cascading Membership Inference Attack (CMIA), which incorporates membership dependencies via conditional shadow training to boost membership inference performance. In the non-adaptive setting, where the adversary is restricted to training shadow models before obtaining membership queries, we introduce Proxy Membership Inference Attack (PMIA). PMIA employs a proxy selection strategy that identifies samples with similar behaviors to the query instance and uses their behaviors in shadow models to perform a membership posterior odds test for membership inference. We provide theoretical analyses for both attacks, and extensive experimental results demonstrate that CMIA and PMIA substantially outperform existing MIAs in both settings, particularly in the low false-positive regime, which is crucial for evaluating privacy risks.