
Anonymity Unveiled: A Practical Framework for Auditing Data Use in Deep Learning Models

Zitao Chen, Karthik Pattabiraman

TL;DR

MembershipTracker presents a practical, MI-based framework for auditing data use in deep learning models by requiring users to lightly mark a tiny subset of their data and applying a novel set-based MI verification to detect whether those samples were in the training set. The two-step data marking (image blending with an out-of-distribution cue plus perceptual noise) amplifies memorization while preserving visual quality, and the set-based MI leverages average losses across a user’s samples to achieve high recall with very low false positives. Evaluations across CIFAR, Tiny ImageNet, CelebA, ArtBench, and large-scale ImageNet training demonstrate near-perfect detection (often 100% recall at zero false positives) with minimal impact on model accuracy, and robustness to a wide range of countermeasures. The approach offers a practical path toward responsible AI by enabling data owners to verify unauthorized data use at scale, though it acknowledges limitations under multi-target defenses and potential for misuse, outlining future work toward generative models and policy considerations.

Abstract

The rise of deep learning (DL) has led to a surging demand for training data, which incentivizes the creators of DL models to trawl through the Internet for training materials. Meanwhile, users often have limited control over whether their data (e.g., facial images) are used to train DL models without their consent, which has engendered pressing concerns. This work proposes MembershipTracker, a practical data auditing tool that can empower ordinary users to reliably detect the unauthorized use of their data in training DL models. We view data auditing through the lens of membership inference (MI). MembershipTracker consists of a lightweight data marking component to mark the target data with small and targeted changes, which can be strongly memorized by the model trained on them; and a specialized MI-based verification process to audit whether the model exhibits strong memorization on the target samples. MembershipTracker only requires the users to mark a small fraction of data (0.005% to 0.1% in proportion to the training set), and it enables the users to reliably detect the unauthorized use of their data (average 0% FPR@100% TPR). We show that MembershipTracker is highly effective across various settings, including industry-scale training on the full-size ImageNet-1k dataset. We finally evaluate MembershipTracker under multiple classes of countermeasures.
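The set-based verification described in the TL;DR and abstract can be sketched as follows. This is an added example, not the authors' code: the loss distributions, user counts and function names are assumptions constructed here, so the numbers it produces are not the paper's results. It shows why averaging the loss over a user's marked samples separates members from non-members even when individual losses overlap heavily.

```python
import random
from statistics import fmean

def threshold_at_fpr(nonmember_scores, fpr):
    """Cut-off t such that flagging `score < t` hits at most `fpr` of non-members."""
    ranked = sorted(nonmember_scores)
    return ranked[int(fpr * len(ranked))]

def tpr(member_scores, threshold):
    """Fraction of true members flagged (low loss = memorized = member)."""
    return sum(s < threshold for s in member_scores) / len(member_scores)

def draw_sets(rng, mean_loss, users, per_user):
    """Constructed losses: one list per user, exponentially distributed."""
    return [[rng.expovariate(1 / mean_loss) for _ in range(per_user)]
            for _ in range(users)]

def compare_signals(users=200, per_user=50, seed=7):
    rng = random.Random(seed)
    # Assumed distributions, not the paper's measurements: members have a
    # lower mean loss, but individual samples overlap heavily.
    members = draw_sets(rng, 0.5, users, per_user)
    nonmembers = draw_sets(rng, 2.0, users, per_user)

    # Per-instance signal: every sample is judged alone, calibrated to 1% FPR.
    flat_m = [x for s in members for x in s]
    flat_n = [x for s in nonmembers for x in s]
    inst_tpr = tpr(flat_m, threshold_at_fpr(flat_n, 0.01))

    # Set-based signal: one averaged loss per user, calibrated to 0% FPR.
    avg_m = [fmean(s) for s in members]
    avg_n = [fmean(s) for s in nonmembers]
    set_thr = threshold_at_fpr(avg_n, 0.0)
    set_fpr = sum(a < set_thr for a in avg_n) / len(avg_n)
    return {"instance_tpr": inst_tpr, "set_tpr": tpr(avg_m, set_thr),
            "set_fpr": set_fpr}

if __name__ == "__main__":
    print(compare_signals())
```

In a real audit the per-sample losses would come from querying the audited model on the marked samples, and the non-member calibration set from marked samples known to be absent from training.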

Paper Structure (39 sections, 3 equations, 18 figures, 10 tables, 2 algorithms)

This paper contains 39 sections, 3 equations, 18 figures, 10 tables, 2 algorithms.

Figures (18)

  • Figure 1: MembershipTracker is a data provenance tool that operates by: (1) marking the target data (e.g., facial images, artworks) with small and targeted changes, and then (2) initiating a specialized membership inference process to audit whether the target data are used for training the model.
  • Figure 2: State-of-the-art MI methods [carlini2022membership] achieve limited TPR under the low FPR regime (undesirable).
  • Figure 3: The two-step data marking process: (1) blend the original samples with OOD feature; (2) inject procedural noise. These subtle changes can induce the target samples to be strongly memorized by the model trained on them.
  • Figure 4: Comparison of using the per-instance loss and the average loss across the samples by each user (each contributes 0.1% of the training data) as the signal function for MI verification. The former yields 57.8% TPR@1% FPR; while the latter has 100% TPR (our proposal).
  • Figure 5: Visualization of the original and marked samples.
  • ...and 13 more figures