TAMIS: Tailored Membership Inference Attacks on Synthetic Data
Paul Andrey, Batiste Le Bars, Marc Tommasi
TL;DR
This paper addresses privacy risks in synthetic data released by differential-privacy aware graphical-model SDG methods. It introduces TAMIS, a tailored membership inference attack that first recovers the graphical model used to generate synthetic data directly from the synthetic data, and then applies likelihood-based scores to detect membership via DOMIAS style density ratios. The authors show TAMIS matches or improves upon the state-of-the-art MAMA-MIA on replicas of the SNAKE challenge, with lower computational cost and reduced attacker knowledge requirements, particularly for MST. They also analyze graph recovery accuracy and attack performance across MST and PrivBayes, including cross-targeted evaluations and different activation schemes, highlighting practical implications for assessing DP SDG privacy. The work suggests that aligning MIAs with the generative structure yields stronger, more efficient privacy assessments and motivates future work on activation strategies and broader threat models.
Abstract
Membership Inference Attacks (MIA) enable to empirically assess the privacy of a machine learning algorithm. In this paper, we propose TAMIS, a novel MIA against differentially-private synthetic data generation methods that rely on graphical models. This attack builds upon MAMA-MIA, a recently-published state-of-the-art method. It lowers its computational cost and requires less attacker knowledge. Our attack is the product of a two-fold improvement. First, we recover the graphical model having generated a synthetic dataset by using solely that dataset, rather than shadow-modeling over an auxiliary one. This proves less costly and more performant. Second, we introduce a more mathematically-grounded attack score, that provides a natural threshold for binary predictions. In our experiments, TAMIS achieves better or similar performance as MAMA-MIA on replicas of the SNAKE challenge.