Lost in the Averages: A New Specific Setup to Evaluate Membership Inference Attacks Against Machine Learning Models (2405.15423v1)
Abstract: Membership Inference Attacks (MIAs) are widely used to evaluate the propensity of an ML model to memorize an individual record and the privacy risk that releasing the model poses. MIAs are commonly evaluated similarly to ML models: the MIA is performed on a test set of models trained on datasets unseen during training, which are sampled from a larger pool, $D_{eval}$. The MIA is evaluated across all datasets in this test set, and thus across the distribution of samples from $D_{eval}$. While this was a natural extension of ML evaluation to MIAs, recent work has shown that a record's risk heavily depends on its specific dataset. For example, outliers are particularly vulnerable, yet an outlier in one dataset may not be one in another. The sources of randomness currently used to evaluate MIAs may thus lead to inaccurate individual privacy risk estimates. We propose a new, specific evaluation setup for MIAs against ML models, using weight initialization as the sole source of randomness. This allows us to accurately evaluate the risk associated with the release of a model trained on a specific dataset. Using SOTA MIAs, we empirically show that the risk estimates given by the current setup lead to many records being misclassified as low risk. We derive theoretical results which, combined with empirical evidence, suggest that the risk calculated in the current setup is an average of the risks specific to each sampled dataset, validating our use of weight initialization as the only source of randomness. Finally, we consider an MIA with a stronger adversary that leverages information about the target dataset to infer membership. Taken together, our results show that current MIA evaluation averages the risk across datasets, leading to inaccurate risk estimates, and that the risk posed by attacks leveraging information about the target dataset may be underestimated.
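The two evaluation setups contrasted in the abstract, as an added illustration that is not the paper's code. It stands in a toy logistic-regression model and the simple loss-threshold MIA for the SOTA attacks the paper uses, and it makes the following assumptions of its own: the pool $D_{eval}$ is a constructed 2-D dataset; per-record risk is reported as the AUC separating the attack scores of models that contain the record (IN) from those that do not (OUT); and in the specific setup the OUT models are trained on the fixed dataset with the target record removed. The `compare` function reports, for one record, the current-setup risk next to the risks specific to several sampled datasets and their mean, which is the quantity the paper's averaging argument concerns.

```python
"""Added example: current (dataset-sampling) vs. specific (fixed-dataset,
init-only randomness) MIA evaluation on a toy model. Pure Python, deterministic."""
import math
import random

def make_pool(n, seed):
    """Constructed pool D_eval: two overlapping 2-D clusters labelled 0/1 (not real data)."""
    rng = random.Random(seed)
    pool = []
    for i in range(n):
        y = i % 2
        x = [rng.gauss(2.0 * y - 1.0, 1.2), rng.gauss(1.0 - 2.0 * y, 1.2)]
        pool.append((x, y))
    return pool

def sigmoid(z):
    z = max(-40.0, min(40.0, z))  # clamp so exp() stays finite
    return 1.0 / (1.0 + math.exp(-z))

def train(dataset, seed, epochs=60, lr=0.5):
    """Logistic regression via full-batch gradient descent; `seed` drives only the init."""
    rng = random.Random(seed)
    w = [rng.gauss(0.0, 1.0), rng.gauss(0.0, 1.0)]
    b = rng.gauss(0.0, 1.0)
    n = len(dataset)
    for _ in range(epochs):
        g0 = g1 = gb = 0.0
        for (x0, x1), y in dataset:
            e = sigmoid(w[0] * x0 + w[1] * x1 + b) - y
            g0 += e * x0
            g1 += e * x1
            gb += e
        w[0] -= lr * g0 / n
        w[1] -= lr * g1 / n
        b -= lr * gb / n
    return w, b

def loss(model, record):
    """Cross-entropy loss of the model on one record; the LOSS attack scores -loss."""
    (w, b), ((x0, x1), y) = model, record
    p = sigmoid(w[0] * x0 + w[1] * x1 + b)
    p = min(max(p, 1e-12), 1.0 - 1e-12)
    return -(y * math.log(p) + (1 - y) * math.log(1.0 - p))

def auc(in_scores, out_scores):
    """AUC of separating IN-model scores from OUT-model scores (ties count half)."""
    wins = 0.0
    for a in in_scores:
        for c in out_scores:
            wins += 1.0 if a > c else 0.5 if a == c else 0.0
    return wins / (len(in_scores) * len(out_scores))

def risk_specific(pool, target_idx, dataset_idx, n_models, seed):
    """Specific setup: dataset D is fixed; IN models train on D, OUT models on D
    minus the target (assumption); only the weight-init seed varies."""
    rng = random.Random(seed)
    target = pool[target_idx]
    d_in = [pool[i] for i in dataset_idx]
    d_out = [pool[i] for i in dataset_idx if i != target_idx]
    in_s = [-loss(train(d_in, rng.randrange(1 << 30)), target) for _ in range(n_models)]
    out_s = [-loss(train(d_out, rng.randrange(1 << 30)), target) for _ in range(n_models)]
    return auc(in_s, out_s)

def risk_current(pool, target_idx, size, n_models, seed):
    """Current setup: every evaluation model sees a fresh dataset sampled from
    D_eval (dataset and init randomness); half contain the target, half do not."""
    rng = random.Random(seed)
    target = pool[target_idx]
    others = [i for i in range(len(pool)) if i != target_idx]
    in_s, out_s = [], []
    for m in range(n_models):
        if m % 2 == 0:
            idx = rng.sample(others, size - 1) + [target_idx]
            in_s.append(-loss(train([pool[i] for i in idx], rng.randrange(1 << 30)), target))
        else:
            idx = rng.sample(others, size)
            out_s.append(-loss(train([pool[i] for i in idx], rng.randrange(1 << 30)), target))
    return auc(in_s, out_s)

def compare(pool, target_idx, size=20, n_datasets=8, n_models=16, seed=0):
    """Return (current-setup risk, per-dataset specific risks, their mean) for one record."""
    rng = random.Random(seed)
    others = [i for i in range(len(pool)) if i != target_idx]
    specific = []
    for _ in range(n_datasets):
        d = rng.sample(others, size - 1) + [target_idx]
        specific.append(risk_specific(pool, target_idx, d, n_models, rng.randrange(1 << 30)))
    current = risk_current(pool, target_idx, size, 2 * n_models, rng.randrange(1 << 30))
    return current, specific, sum(specific) / len(specific)

if __name__ == "__main__":
    pool = make_pool(60, seed=1)
    for t in (0, 1, 2):
        cur, spec, mean_spec = compare(pool, t)
        print(f"record {t}: current={cur:.2f} specific={[round(s, 2) for s in spec]} mean={mean_spec:.2f}")
```

The point to read off the output is the spread of the per-dataset specific risks for a single record: a record whose current-setup (averaged) risk looks low can still sit close to 1.0 in one particular dataset, which is the misclassification the abstract describes. With only the initialisation seed varying, `risk_specific` measures exactly the release of one model trained on one dataset, while `risk_current` mixes that with the choice of dataset.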
Authors: Florent Guépin, Matthieu Meeus, Yves-Alexandre de Montjoye, Nataša Krčo