Enhanced Membership Inference Attacks against Machine Learning Models

Ye, Jiayuan; Maddi, Aadyaa; Murakonda, Sasi Kumar; Shokri, Reza

doi:10.48550/arxiv.2111.09679

Cited by 11 publications

(32 citation statements)

References 41 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As observed by [28,13], the optimal adversary performs a hypothesis test with respect to the posterior probabilities with the two hypotheses being:…”

Section: Optimal Membership Inference Via Hypothesis Testingmentioning

confidence: 99%

Parameters or Privacy: A Provable Tradeoff Between Overparameterization and Membership Inference

Tan¹,

Mason²,

Javadi³

et al. 2022

Preprint

View full text Add to dashboard Cite

A surprising phenomenon in modern machine learning is the ability of a highly overparameterized model to generalize well (small error on the test data) even when it is trained to memorize the training data (zero error on the training data). This has led to an arms race towards increasingly overparameterized models (c.f., deep learning). In this paper, we study an underexplored hidden cost of overparameterization: the fact that overparameterized models are more vulnerable to privacy attacks, in particular the membership inference attack that predicts the (potentially sensitive) examples used to train a model. We significantly extend the relatively few empirical results on this problem by theoretically proving for an overparameterized linear regression model with Gaussian data that the membership inference vulnerability increases with the number of parameters. Moreover, a range of empirical studies indicates that more complex, nonlinear models exhibit the same behavior. Finally, we study different methods for mitigating such attacks in the overparameterized regime, such as noise addition and regularization, and conclude that simply reducing the parameters of an overparameterized model is an effective strategy to protect it from membership inference without greatly decreasing its generalization error.

show abstract

“…As observed by [28,13], the optimal adversary performs a hypothesis test with respect to the posterior probabilities with the two hypotheses being:…”

Section: Optimal Membership Inference Via Hypothesis Testingmentioning

confidence: 99%

Parameters or Privacy: A Provable Tradeoff Between Overparameterization and Membership Inference

Tan¹,

Mason²,

Javadi³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…The attack fails to achieve a TPR better than random chance at any FPR below 20%-it is therefore ineffective at confidently breaching the privacy of its members. Prior papers that do report ROC curves summarize them by the AUC (Area Under the Curve) [18,38,42,55,67,68]. However, as we can see from the curves above, the AUC is not an appropriate measure of an attack's efficacy, since the AUC averages over all false-positive rates, including high error rates that are irrelevant for a practical attack.…”

Section: B Evaluating Membership Inference Attacksmentioning

confidence: 99%

“…We directly turn this observation into a membership inference attack by computing per-example hardness scores [36,54,67,68]. By training models on random samples of data from the distribution D, we obtain empirical estimates of the distributions Qin and Qout for any example (x, y).…”

Section: Estimating the Likelihood-ratiomentioning

confidence: 99%

Membership Inference Attacks From First Principles

Carlini¹,

Chien²,

Nasr³

et al. 2021

Preprint

View full text Add to dashboard Cite

A membership inference attack allows an adversary to query a trained machine learning model to predict whether or not a particular example was contained in the model's training dataset. These attacks are currently evaluated using average-case "accuracy" metrics that fail to characterize whether the attack can confidently identify any members of the training set. We argue that attacks should instead be evaluated by computing their true-positive rate at low (e.g., ≤ 0.1%) false-positive rates, and find most prior attacks perform poorly when evaluated in this way. To address this we develop a Likelihood Ratio Attack (LiRA) that carefully combines multiple ideas from the literature. Our attack is 10× more powerful at low false-positive rates, and also strictly dominates prior attacks on existing metrics.

show abstract

“…Recent works argue that a practically relevant threat model of membership inference is to confidently predict training set membership of a few samples rather than guessing well on average (Watson et al, 2021;Carlini et al, 2021a;Ye et al, 2021). Such membership inference attacks are evaluated using true and false positive rates.…”

Section: Privacy Attacksmentioning

confidence: 99%

Defending against Reconstruction Attacks with Rényi Differential Privacy

Stock¹,

Шилов²,

Mironov³

et al. 2022

Preprint

View full text Add to dashboard Cite

Reconstruction attacks allow an adversary to regenerate data samples of the training set using access to only a trained model. It has been recently shown that simple heuristics can reconstruct data samples from language models, making this threat scenario an important aspect of model release. Differential privacy is a known solution to such attacks, but is often used with a relatively large privacy budget (ε ≥ 8) which does not translate to meaningful guarantees. In this paper we show that, for a same mechanism, we can derive privacy guarantees for reconstruction attacks that are better than the traditional ones from the literature. In particular, we show that larger privacy budgets do not protect against membership inference, but can still protect extraction of rare secrets. We show experimentally that our guarantees hold against various language models, including GPT-2 finetuned on Wikitext-103.

show abstract

Enhanced Membership Inference Attacks against Machine Learning Models

Cited by 11 publications

References 41 publications

Parameters or Privacy: A Provable Tradeoff Between Overparameterization and Membership Inference

Parameters or Privacy: A Provable Tradeoff Between Overparameterization and Membership Inference

Membership Inference Attacks From First Principles

Defending against Reconstruction Attacks with Rényi Differential Privacy

Contact Info

Product

Resources

About