Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Impact of Dataset Properties on Membership Inference Vulnerability of Deep Transfer Learning

Marlon Tobaben, Hibiki Ito, Joonas Jälkö, Yuan He, Antti Honkela

TL;DR

This work reveals a power-law relationship between membership inference vulnerability and the number of examples per class, $S$, in deep transfer learning when attacking a fine-tuned Vision Transformer head with LiRA. It develops a theoretical framework using a simplified fine-tuning model and a high-dimensional sphere-based model to derive a closed-form form for per-example and average-case vulnerability, showing $\log(\textsc{tpr}-\textsc{fpr})$ scales as $-\tfrac{1}{2}\log S$ plus data-dependent terms. The authors corroborate the theory with extensive experiments across diverse datasets and backbones, demonstrate a practical dataset-vulnerability predictor, and analyze per-sample vulnerability, illustrating that large $S$ can substantially mitigate risk but may still be insufficient to meet DP-style guarantees unless data requirements are extreme. They also map MIA vulnerabilities to DP bounds to illustrate the practical gap between empirical privacy risk and formal guarantees, highlighting the importance of DP in settings where strong protection is required. Overall, the work provides a quantitative link between dataset properties and privacy risk under non-DP transfer learning, with implications for privacy budgeting and data collection strategies in sensitive applications.

Abstract

Membership inference attacks (MIAs) are used to test practical privacy of machine learning models. MIAs complement formal guarantees from differential privacy (DP) under a more realistic adversary model. We analyse MIA vulnerability of fine-tuned neural networks both empirically and theoretically, the latter using a simplified model of fine-tuning. We show that the vulnerability of non-DP models when measured as the attacker advantage at a fixed false positive rate reduces according to a simple power law as the number of examples per class increases. A similar power-law applies even for the most vulnerable points, but the dataset size needed for adequate protection of the most vulnerable points is very large.

Impact of Dataset Properties on Membership Inference Vulnerability of Deep Transfer Learning

TL;DR

This work reveals a power-law relationship between membership inference vulnerability and the number of examples per class, , in deep transfer learning when attacking a fine-tuned Vision Transformer head with LiRA. It develops a theoretical framework using a simplified fine-tuning model and a high-dimensional sphere-based model to derive a closed-form form for per-example and average-case vulnerability, showing scales as plus data-dependent terms. The authors corroborate the theory with extensive experiments across diverse datasets and backbones, demonstrate a practical dataset-vulnerability predictor, and analyze per-sample vulnerability, illustrating that large can substantially mitigate risk but may still be insufficient to meet DP-style guarantees unless data requirements are extreme. They also map MIA vulnerabilities to DP bounds to illustrate the practical gap between empirical privacy risk and formal guarantees, highlighting the importance of DP in settings where strong protection is required. Overall, the work provides a quantitative link between dataset properties and privacy risk under non-DP transfer learning, with implications for privacy budgeting and data collection strategies in sensitive applications.

Abstract

Membership inference attacks (MIAs) are used to test practical privacy of machine learning models. MIAs complement formal guarantees from differential privacy (DP) under a more realistic adversary model. We analyse MIA vulnerability of fine-tuned neural networks both empirically and theoretically, the latter using a simplified model of fine-tuning. We show that the vulnerability of non-DP models when measured as the attacker advantage at a fixed false positive rate reduces according to a simple power law as the number of examples per class increases. A similar power-law applies even for the most vulnerable points, but the dataset size needed for adequate protection of the most vulnerable points is very large.
Paper Structure (46 sections, 13 theorems, 108 equations, 13 figures, 11 tables)

This paper contains 46 sections, 13 theorems, 108 equations, 13 figures, 11 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Theoretical analysis
  4. Preliminaries
  5. Computing the $\textsc{tpr}$ for LiRA
  6. Per-example MIA vulnerability
  7. A simplified model of the optimal membership inference
  8. Empirical evaluation of MIA vulnerability and dataset properties
  9. Experimental setup
  10. Experimental results
  11. Model to predict dataset vulnerability
  12. Prediction quality on other MIA target models
  13. Individual MIA vulnerability
  14. Comparison between empirical models and universal DP bounds
  15. Discussion
  16. ...and 31 more sections

Key Result

Lemma 0

Suppose that the true distribution of $t_{\bm{x}}$ is of location-scale family with locations $\mu_{\mathrm{in}}(\bm{x}), \mu_{\mathrm{out}}(\bm{x})$ and scale $\sigma(\bm{x})$, and that LiRA models $t_{\bm{x}}$ by $\mathcal{N}(\hat{\mu}_{\mathrm{in}}(\bm{x}), \hat{\sigma}(\bm{x})^2)$ and $\mathcal{ where $F_Z$ is the cdf of $Z$ with the standard location and unit scale, assuming that the inverse

Figures (13)

  • Figure 1: We observe a power-law relation between MIA vulnerability and examples per class (denoted as $S$ or shots) when attacking a fine-tuned ViT-B Head using LiRA. Each colored line denotes a different fine-tuning dataset where $C$ specifies the number of classes. The solid line is median and the error bars the min/max bounds for the Clopper-Pearson CIs over six seeds.
  • Figure 2: Small effect of number of classes $C$ (classes) on MIA vulnerability when attacking a fine-tuned ViT-B Head. The solid line is median and the error bars the min/max bounds for the Clopper-Pearson CIs over 12 seeds ($S=32$).
  • Figure 3: LiRA and RMIA vulnerability ($(\textsc{tpr}-\textsc{fpr})$ at $\textsc{fpr}=0.1$) as a function of shots ($S$) when attacking a ViT-B Head fine-tuned on different datasets. For better visibility, we split the datasets into two panels. We observe the power-law for both attacks, but the RMIA is more unstable than LiRA. The lines display the median over six seeds.
  • Figure 4: Coefficient values for different $\textsc{fpr}$ when fitting a regression model based on \ref{['eq:mia_vul_dataset']} fitted on data from ViT-B (Head) with LiRA (\ref{['tab:vit-function-shots']}). The error bars display the 95% confidence intervals based on Student's t-distribution. Theoretical values in the simplified model is shown by pink dotted lines ($\beta_S = 0.5$ and $\beta_C=0$).
  • Figure 5: Performance of the regression model based on \ref{['eq:mia_vul_dataset']} fitted on data from \ref{['tab:vit-function-shots']}.
  • ...and 8 more figures

Theorems & Definitions (24)

  • Lemma 0: Per-example LiRA vulnerability
  • proof
  • Theorem 1: Per-example LiRA power-law
  • proof
  • Remark 2
  • Corollary 2: Average-case LiRA power-law
  • proof
  • Lemma 2: Per-example LiRA vulnerability
  • proof
  • Lemma 3: Per-example offline LiRA vulnerability
  • ...and 14 more