Quantifying Membership Privacy via Information Leakage

Saeidian, Sara; Cervia, Giulia; Oechtering, Tobias J.; Skoglund, Mikael

doi:10.1109/tifs.2021.3073804

Cited by 23 publications

(10 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Example 15: Suppose we want to solve problem (21) with γ = log 2.5 and for a set Π (1) of distributions over an alphabet with four elements defined as Π (1) = {π ∈ ∆ (3) : π = (0.4 − 2δ, 0.3 + δ, 0.15 + 0.5δ, 0.15 + 0.5δ), 0 ≤ δ ≤ 0.1}. To solve the problem, first we need to construct the set Π…”

Section: General Setsmentioning

confidence: 99%

See 1 more Smart Citation

Optimal Maximal Leakage-Distortion Tradeoff

Saeidian

Cervia

Oechtering

et al. 2021

2021 IEEE Information Theory Workshop (ITW)

Self Cite

View full text Add to dashboard Cite

Most methods for publishing data with privacy guarantees introduce randomness into datasets which reduces the utility of the published data. In this paper, we study the privacy-utility tradeoff by taking maximal leakage as the privacy measure and the expected Hamming distortion as the utility measure. We study three different but related problems. First, we assume that the data-generating distribution (i.e., the prior) is known, and we find the optimal privacy mechanism that achieves the smallest distortion subject to a constraint on maximal leakage. Then, we assume that the prior belongs to some set of distributions, and we formulate a min-max problem for finding the smallest distortion achievable for the worst-case prior in the set, subject to a maximal leakage constraint. Lastly, we define a partial order on privacy mechanisms based on the largest distortion they generate. Our results show that when the prior distribution is known, the optimal privacy mechanism fully discloses symbols with the largest prior probabilities, and suppresses symbols with the smallest prior probabilities. Furthermore, we show that sets of priors that contain more uniform distributions lead to larger distortion, while privacy mechanisms that distribute the privacy budget more uniformly over the symbols create smaller worst-case distortion.

show abstract

Section: General Setsmentioning

confidence: 99%

“…For example, no post-processing of the published data can undermine the initial privacy guarantee (i.e., maximal leakage satisfies a data processing inequality) [2]. In addition, maximal leakage can be employed as a tool for studying the privacy guarantees of practical algorithms [3].…”

Section: Introductionmentioning

confidence: 99%

Optimal Maximal Leakage-Distortion Tradeoff

Saeidian

Cervia

Oechtering

et al. 2021

2021 IEEE Information Theory Workshop (ITW)

Self Cite

View full text Add to dashboard Cite

show abstract

“…Also, this metric requires inverting a Hessian which is computationally expensive for large models. Similarly, an information theoretic metric [37] can be used to compute an upper bound on the privacy risks of the PATE framework [35]. Even so, it cannot be used as a standalone metric for record-level membership privacy risk.…”

Section: Related Workmentioning

confidence: 99%

SHAPr: An Efficient and Versatile Membership Privacy Risk Metric for Machine Learning

Duddu¹,

Szyller²,

N.³

2021

Preprint

View full text Add to dashboard Cite

Data used to train machine learning (ML) models can be sensitive. Membership inference attacks (MIAs), attempting to determine whether a particular data record was used to train an ML model, risk violating membership privacy. ML model builders need a principled definition of a metric that enables them to quantify the privacy risk of (a) individual training data records, (b) independently of specific MIAs, (c) efficiently. None of the prior work on membership privacy risk metrics simultaneously meets all of these criteria.We propose such a metric, SHAPr, which uses Shapley values to quantify a model's memorization of an individual training data record by measuring its influence on the model's utility. This memorization is a measure of the likelihood of a successful MIA.Using ten benchmark datasets, we show that SHAPr is effective (precision: 0.94±0.06, recall: 0.88±0.06) in estimating susceptibility of a training data record for MIAs, and is efficient (computable within minutes for smaller datasets and in ≈90 minutes for the largest dataset) .SHAPr is also versatile in that it can be used for other purposes like assessing fairness or assigning valuation for subsets of a dataset. For example, we show that SHAPr correctly captures the disproportionate vulnerability of different subgroups to MIAs.Using SHAPr, we show that the membership privacy risk of a dataset is not necessarily improved by removing high risk training data records, thereby confirming an observation from prior work in a significantly extended setting (in ten datasets, removing up to 50% of data).

show abstract

“…Finally, the threat model of maximal leakage has fewer assumptions about the eavesdropper while [7], [8] assume that the eavesdropper has access to the distortion measure and even the target distortion level shared by the encoder and the decoder. Due to the above advantages, maximal leakage has been adopted in various settings as the secrecy/privacy measure, e.g., membership privacy [10], biometric template protection [11], and information retrieval [12].…”

Section: Introductionmentioning

confidence: 99%

Successive Refinement of Shannon Cipher System Under Maximal Leakage

Wu,

Bai,

Zhou

2023

2023 IEEE International Symposium on Information Theory (ISIT)

View full text Add to dashboard Cite

We study the successive refinement setting of Shannon cipher system (SCS) under the maximal leakage constraint for discrete memoryless sources under bounded distortion measures. Specifically, we generalize the threat model for the point-to-point ratedistortion setting of Issa, Wagner and Kamath (T-IT 2020) to the multiterminal successive refinement setting. Under mild conditions that correspond to partial secrecy, we characterize the asymptotically optimal normalized maximal leakage region for both the joint excess-distortion probability (JEP) and the expected distortion reliability constraints. Under JEP, in the achievability part, we propose a type-based coding scheme, analyze the reliability guarantee for JEP and bound the leakage of the information source through compressed versions. In the converse part, by analyzing a guessing scheme of the eavesdropper, we prove the optimality of our achievability result. Under expected distortion, the achievability part is established similarly to the JEP counterpart. The converse proof proceeds by generalizing the corresponding results for the rate-distortion setting of SCS by Schieler and Cuff (T-IT 2014) to the successive refinement setting. Somewhat surprisingly, the normalized maximal leakage regions under both JEP and expected distortion constraints are identical under certain conditions, although JEP appears to be a stronger reliability constraint.

show abstract

Quantifying Membership Privacy via Information Leakage

Cited by 23 publications

References 29 publications

Optimal Maximal Leakage-Distortion Tradeoff

Optimal Maximal Leakage-Distortion Tradeoff

SHAPr: An Efficient and Versatile Membership Privacy Risk Metric for Machine Learning

Successive Refinement of Shannon Cipher System Under Maximal Leakage

Contact Info

Product

Resources

About