
Better Membership Inference Privacy Measurement through Discrepancy (2405.15140v1)

Published 24 May 2024 in cs.LG

Abstract: Membership Inference Attacks have emerged as a dominant method for empirically measuring privacy leakage from machine learning models. Here, privacy is measured by the advantage or gap between a score or a function computed on the training and the test data. A major barrier to the practical deployment of these attacks is that they do not scale to large well-generalized models -- either the advantage is relatively low, or the attack involves training multiple models which is highly compute-intensive. In this work, inspired by discrepancy theory, we propose a new empirical privacy metric that is an upper bound on the advantage of a family of membership inference attacks. We show that this metric does not involve training multiple models, can be applied to large Imagenet classification models in-the-wild, and has higher advantage than existing metrics on models trained with more recent and sophisticated training recipes. Motivated by our empirical results, we also propose new membership inference attacks tailored to these training losses.

