Mitigating Privacy Risk in Membership Inference by Convex-Concave Loss

Zhenlong Liu, Lei Feng, Huiping Zhuang, Xiaofeng Cao, Hongxin Wei

TL;DR

This paper tackles privacy leakage from membership inference attacks by showing that convex loss functions inherently reduce training loss variance, which can amplify vulnerability to MIAs. It proposes Convex-Concave Loss (CCL), a general framework that adds a concave term to a convex loss (e.g., cross-entropy), driving higher loss variance during training and thus reducing attack advantage. The authors provide theoretical justification showing how convexity suppresses variance while concavity can boost it, and they derive gradient bounds ensuring convergence. Empirical results across five datasets (including CIFAR-10/100 and ImageNet) demonstrate that CCL achieves a state-of-the-art balance in the privacy-utility trade-off, improving robustness to multiple MIA types while preserving or improving accuracy. The work offers a practical defense that can be tuned via a single hyperparameter $\alpha$ and contributes insight into how loss landscape shaping affects privacy in neural networks.

Abstract

Machine learning models are susceptible to membership inference attacks (MIAs), which aim to infer whether a sample is in the training set. Existing work utilizes gradient ascent to enlarge the loss variance of training data, alleviating the privacy risk. However, optimizing toward a reverse direction may cause the model parameters to oscillate near local minima, leading to instability and suboptimal performance. In this work, we propose a novel method -- Convex-Concave Loss, which enables a high variance of training loss distribution by gradient descent. Our method is motivated by the theoretical analysis that convex losses tend to decrease the loss variance during training. Thus, our key idea behind CCL is to reduce the convexity of loss functions with a concave term. Trained with CCL, neural networks produce losses with high variance for training data, reinforcing the defense against MIAs. Extensive experiments demonstrate the superiority of CCL, achieving state-of-the-art balance in the privacy-utility trade-off.

Paper Structure

This paper contains 47 sections, 8 theorems, 35 equations, 6 figures, 1 table.

Key Result

Theorem 3.1

Given a twice continuously differentiable function $\ell \in C^2(0,1]$ such that $\ell(1) = 0$ and $\ell'(x) < 0, \forall x \in (0,1]$. If $\ell$ is strictly convex, then where $A = -\ell'(1) > 0$, $B \geqslant 0$ is a non-negative lower bound of $\ell''(x)$.
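The abstract and Theorem 3.1 above describe the mechanism in words: a strictly convex, decreasing loss with $\ell(1)=0$ compresses the spread of per-sample training losses as training proceeds, and CCL counteracts this by adding a concave term that lowers the curvature of the loss. The following Python block is an added example written for this page; it is not the authors' code, and the paper's own concave term (Definition 4.1) is not reproduced here, so the term $g(p) = \alpha(1 - p^2)$ is an assumed illustrative choice that satisfies the same boundary conditions (concave, $g(1)=0$, decreasing on $(0,1]$). The "training" is the idealised setting of the theorem, a gradient step applied directly to each sample's true-class confidence $p$, so the example shows the curvature effect and the variance compression rather than reproducing the paper's experiments.

```python
import math
from statistics import pvariance

# ---- losses on the true-class probability p in (0, 1] -----------------------

def ce_loss(p):
    """Cross-entropy, the convex base loss: -log p (ell(1) = 0, ell' < 0, ell'' > 0)."""
    return -math.log(p)

def concave_term(p, alpha):
    """ASSUMED illustrative concave term g(p) = alpha * (1 - p^2).
    g'' = -2*alpha < 0, g(1) = 0 and g' = -2*alpha*p < 0 on (0, 1]."""
    return alpha * (1.0 - p * p)

def ccl_loss(p, alpha):
    """Convex-Concave Loss: the convex base loss plus the concave term."""
    return ce_loss(p) + concave_term(p, alpha)

# ---- derivatives used to check Theorem 3.1's conditions ----------------------

def ce_slope(p):
    return -1.0 / p                      # d/dp of -log p, negative everywhere

def ccl_slope(p, alpha):
    return -1.0 / p - 2.0 * alpha * p    # still negative for every alpha >= 0

def ce_curvature(p):
    return 1.0 / (p * p)                 # strictly convex: positive everywhere

def ccl_curvature(p, alpha):
    # The concave term subtracts a constant 2*alpha, so curvature is lower at
    # every p and becomes negative where 1/p^2 < 2*alpha (near confident samples).
    return ce_curvature(p) - 2.0 * alpha

def nonconvex_fraction(alpha, grid):
    """Fraction of grid points where CCL is locally concave (curvature < 0)."""
    return sum(1 for p in grid if ccl_curvature(p, alpha) < 0) / len(grid)

# ---- loss-variance behaviour under an idealised gradient step -----------------

def loss_variance(probs, loss_fn):
    """Population variance of per-sample losses; a small value is what a
    loss-based membership inference attack benefits from."""
    return pvariance([loss_fn(p) for p in probs])

def gd_step_on_confidence(probs, slope_fn, lr):
    """One gradient-descent step taken directly on each sample's confidence,
    p <- p - lr * ell'(p), with p kept inside (0, 1]. This is the idealised
    per-sample setting of Theorem 3.1, not a full model update."""
    return [min(1.0, max(1e-12, p - lr * slope_fn(p))) for p in probs]

def variance_retained(probs, alpha, lr=0.05):
    """Returns (ce_ratio, ccl_ratio): variance after one step divided by the
    variance before it, for CE and for CCL on the same starting confidences."""
    ce_before = loss_variance(probs, ce_loss)
    ce_after = loss_variance(gd_step_on_confidence(probs, ce_slope, lr), ce_loss)

    ccl_fn = lambda p: ccl_loss(p, alpha)
    ccl_before = loss_variance(probs, ccl_fn)
    ccl_after = loss_variance(
        gd_step_on_confidence(probs, lambda p: ccl_slope(p, alpha), lr), ccl_fn)
    return ce_after / ce_before, ccl_after / ccl_before

if __name__ == "__main__":
    # Constructed sample: three training points with different confidences.
    probs = [0.2, 0.5, 0.9]
    alpha = 2.0
    grid = [i / 10 for i in range(1, 11)]
    print("CCL(1) =", ccl_loss(1.0, alpha))
    print("non-convex fraction of grid:", nonconvex_fraction(alpha, grid))
    print("variance retained (CE, CCL):", variance_retained(probs, alpha))
```

With $\alpha = 2$ the combined loss is non-convex for $p > 0.5$ while remaining decreasing, which is exactly the "reduced convexity" the abstract describes; on the constructed confidences one convex gradient step keeps only about a quarter of the CE loss variance, whereas the same step under CCL keeps roughly half of it.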

Figures (6)

  • Figure 1: The mean and variance of loss under different epochs. Models are trained on CIFAR-10 with Resnet-34 using Cross-entropy loss (CE) and Focal loss (FL).
  • Figure 2: Comparisons of seven defense mechanisms on CIFAR-10 dataset utilizing Resnet34 architecture. Each subplot is allocated to a distinct attack method, wherein individual curves represent the performance of a defense mechanism under different hyperparameter settings. The horizontal axis represents the target models' test accuracy (the higher the better), and the vertical axis represents the corresponding attack advantage (as defined in the paper's definition of attack advantage; the lower the better). To underscore the disparity between the defense methods and the vanilla (undefended) model, we plot the dotted line originating from the vanilla results.
  • Figure 3: Comparisons of seven defense mechanisms on CIFAR-100 dataset utilizing Densenet121 architecture. Each subplot is allocated to a distinct attack method, wherein individual curves represent the performance of a defense mechanism under different hyperparameter settings. The horizontal axis represents the target models' test accuracy (the higher the better), and the vertical axis represents the corresponding attack advantage (as defined in the paper's definition of attack advantage; the lower the better). To underscore the disparity between the defense methods and the vanilla (undefended) model, we plot the dotted line originating from the vanilla results.
  • Figure 4: The effect of $\alpha$ on utility (test accuracy), privacy (highest attack advantage), and loss variance.
  • Figure 5: Convergence analysis of CCL on CIFAR-10 dataset
  • ...and 1 more figure

Theorems & Definitions (13)

  • Theorem 3.1
  • Theorem 3.2
  • Definition 4.1: Concave Term
  • Proposition 4.2
  • Theorem 6.1
  • Lemma 6.2
  • Lemma 6.3
  • proof
  • proof
  • Lemma 3.1
  • ...and 3 more