Blind Baselines Beat Membership Inference Attacks for Foundation Models
Debeshee Das, Jie Zhang, Florian Tramèr
TL;DR
This work shows that MI evaluations for foundation models are flawed because member/non-member data are often drawn from different distributions. It introduces simple blind attacks—date Detection, bag-of-words, and greedy n-gram methods—that ignore the model yet outperform published MI attacks across eight datasets, highlighting pervasive distribution shifts including temporal, replication, and tail differences. The study systematically analyzes case studies (WikiMIA, BookMIA, Temporal Wiki/arXiv, ArXiv variants, LAION-MI, and Gutenberg) and demonstrates that current evaluations can even be worse than random chance. It then argues for a shift toward IID and well-curated benchmarks (e.g., Pile, DataComp/DataComp-LM) and provides reproducible code to enable credible MI assessment in future work.
Abstract
Membership inference (MI) attacks try to determine if a data sample was used to train a machine learning model. For foundation models trained on unknown Web data, MI attacks are often used to detect copyrighted training materials, measure test set contamination, or audit machine unlearning. Unfortunately, we find that evaluations of MI attacks for foundation models are flawed, because they sample members and non-members from different distributions. For 8 published MI evaluation datasets, we show that blind attacks -- that distinguish the member and non-member distributions without looking at any trained model -- outperform state-of-the-art MI attacks. Existing evaluations thus tell us nothing about membership leakage of a foundation model's training data.