
Membership Inference Attacks and Privacy in Topic Modeling

Nico Manzonelli, Wanrong Zhang, Salil Vadhan

TL;DR

An attack against topic models that can confidently identify members of the training data in Latent Dirichlet Allocation is proposed, suggesting that the privacy risks associated with generative modeling are not restricted to large neural models.

Abstract

Recent research shows that large language models are susceptible to privacy attacks that infer aspects of the training data. However, it is unclear if simpler generative models, like topic models, share similar vulnerabilities. In this work, we propose an attack against topic models that can confidently identify members of the training data in Latent Dirichlet Allocation. Our results suggest that the privacy risks associated with generative modeling are not restricted to large neural models. Additionally, to mitigate these vulnerabilities, we explore differentially private (DP) topic modeling. We propose a framework for private topic modeling that incorporates DP vocabulary selection as a pre-processing step, and show that it improves privacy while having limited effects on practical utility.

Paper Structure

This paper contains 26 sections, 2 theorems, 6 equations, 8 figures, 5 tables, and 2 algorithms.

Key Result

Theorem 4.1

If $M_1$ for selecting the vocabulary set satisfies $(\varepsilon_1, \delta_1)$-DP and $M_2$ for topic modeling satisfies $(\varepsilon_2, \delta_2)$-DP, then the overall release of $\Phi$ satisfies $(\varepsilon_1 + \varepsilon_2, \delta_1 + \delta_2)$-DP.

Figures (8)

  • Figure 1: Histograms of the statistic $\zeta(\Phi, d)$ evaluated on different types of documents in TweetRumors when $d \in D_{train}$ (blue) and when $d \notin D_{train}$ (orange). Outliers are documents that contain many words that appear infrequently in $D$, and inliers contain many words that appear frequently in $D$. Long documents contain more words than a standard deviation above the mean document length, and short documents contain fewer than a standard deviation below it. The word count for the inlying document is within one standard deviation of the mean.
  • Figure 2: Online and Offline ROC Attack Comparison on Each Dataset (128 Shadow Models, NIPS $k$=10)
  • Figure 3: Topic coherence as $\varepsilon_1$ increases and LDA is not private. The non-private baseline for topic coherence is very small compared to the figure ($\approx-1117$). The error bars represent one standard deviation from the mean topic coherence.
  • Figure 4: Topic Coherence as $\varepsilon$ Increases. The blue line shows the results while varying $\varepsilon_1$ for DPSU and holding $\varepsilon_2 = 3$. Orange displays results for varying $\varepsilon_2$ for DP LDA while holding $\varepsilon_1 = 3$.
  • Figure 5: Attack ROCs while varying privacy loss parameters for DPSU and DP LDA. On the right-hand side, we fix $\varepsilon_2 = 5$ for DP LDA and vary $\varepsilon_1 \in \{1,5,10\}$ for DPSU. On the left-hand side, we fix $\varepsilon_1$ and vary $\varepsilon_2$ at the same intervals. We provide the non-private baseline in red for reference.
  • ...and 3 more figures

Theorems & Definitions (5)

  • Definition 2.1: Topic Model
  • Definition 4.1: Differential Privacy [Dwork2006a, Dwork2006b]
  • Theorem 4.1: Privacy Guarantee of FDPTM
  • Definition F.1: $k$-Stability [pmlr-v30-Guha13]
  • Lemma F.1: Composition with Stable Functions [pmlr-v30-Guha13]