MCMC for Bayesian estimation of Differential Privacy from Membership Inference Attacks

Ceren Yildirim, Kamer Kaya, Sinan Yildirim, Erkay Savas

TL;DR

This work tackles empirical privacy assessment for differential privacy by grounding it in a Bayesian framework that leverages multiple membership inference attacks (MIAs). It introduces MCMC-DP-Est, a latent-variable Markov chain Monte Carlo method that jointly infers the DP privacy parameter $\epsilon$ and an attack-strength parameter $s$ from observed false-positive and false-negative counts across several challenge bases, without presuming the strongest possible attack. The method builds a hierarchical model linking $\epsilon$, $\delta$, and MIA performance, and provides a practical way to measure MIA performance via LiRA-inspired loss statistics. Experiments on artificial data and real data (MNIST) show that the approach yields coherent posterior distributions for $\epsilon$ and $s$, with results aligning with attack performance and robust to varying randomness. The framework supports combining multiple MIAs and attack strategies, enabling cautious privacy auditing that avoids overconfident estimates tied to idealized, strongest-attack assumptions.

Abstract

We propose a new framework for Bayesian estimation of differential privacy, incorporating evidence from multiple membership inference attacks (MIA). Bayesian estimation is carried out via a Markov chain Monte Carlo (MCMC) algorithm, named MCMC-DP-Est, which provides an estimate of the full posterior distribution of the privacy parameter (e.g., instead of just credible intervals). Critically, the proposed method does not assume that privacy auditing is performed with the most powerful attack on the worst-case (dataset, challenge point) pair, which is typically unrealistic. Instead, MCMC-DP-Est jointly estimates the strengths of MIAs used and the privacy of the training algorithm, yielding a more cautious privacy analysis. We also present an economical way to generate measurements for the performance of an MIA that is to be used by the MCMC method to estimate privacy. We present the use of the methods with numerical examples with both artificial and real data.

Paper Structure

This paper contains 29 sections, 3 theorems, 35 equations, 8 figures, 1 table, 6 algorithms.

Key Result

Theorem 1

$\mathcal{A}$ is $(\epsilon, \delta)$-DP if and only if, for any $D \in \mathcal{Z}^{n}$ and $z \in \mathcal{Z}$, and a decision rule $\phi$, the MIA $(D, z, \phi, \mathcal{A}, \alpha, \beta)$ satisfies $(\alpha, \beta) \in \mathcal{R}(\epsilon, \delta)$, where See Figure fig: privacy error regions (top left) for an illustration of $\mathcal{R}(\epsilon, \delta)$.
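As an added example (not code from the paper), the sketch below shows how Theorem 1 is typically used in an audit: observed false-positive and false-negative counts of one MIA are turned into a lower bound on $\epsilon$. It assumes the standard hypothesis-testing form of the region, $\alpha + e^{\epsilon}\beta \ge 1-\delta$ and $e^{\epsilon}\alpha + \beta \ge 1-\delta$, since the page does not reproduce the paper's definition of $\mathcal{R}(\epsilon, \delta)$; the counts and function names are constructed. This is the classical single-attack bound, not MCMC-DP-Est, which additionally models the attack strength $s$.

```python
import math

def in_region(alpha, beta, eps, delta):
    """True if the error pair (alpha, beta) is feasible under (eps, delta)-DP
    (assumed standard form of the region, see lead-in)."""
    e = math.exp(eps)
    return alpha + e * beta >= 1 - delta and e * alpha + beta >= 1 - delta

def eps_lower_bound(alpha, beta, delta):
    """Smallest eps >= 0 for which (alpha, beta) lies in the region."""
    eps = 0.0
    for a, b in ((alpha, beta), (beta, alpha)):
        gap = 1 - delta - a          # constraint: exp(eps) * b >= gap
        if gap > 0:
            if b == 0:
                return math.inf      # no finite eps explains a zero error rate
            eps = max(eps, math.log(gap / b))
    return eps

def binom_cdf(k, n, p):
    """P(Bin(n, p) <= k), exact sum (fine for n around 1000)."""
    return sum(math.comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k + 1))

def cp_upper(k, n, tail):
    """One-sided Clopper-Pearson upper bound on an error rate, by bisection."""
    if k >= n:
        return 1.0
    lo, hi = k / n, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(k, n, mid) > tail:
            lo = mid
        else:
            hi = mid
    return hi

def audit(x, n0, y, n1, delta, conf=0.95):
    """x false positives in n0 non-member trials, y false negatives in n1
    member trials. Returns (point estimate, conservative bound) on eps."""
    tail = (1 - conf) / 2            # union bound over the two error rates
    point = eps_lower_bound(x / n0, y / n1, delta)
    # Larger error rates imply a smaller eps, so upper bounds on alpha and
    # beta give a lower bound on eps that holds with probability >= conf.
    conservative = eps_lower_bound(cp_upper(x, n0, tail),
                                   cp_upper(y, n1, tail), delta)
    return point, conservative

if __name__ == "__main__":
    print(audit(20, 1000, 30, 1000, 1e-5))   # constructed counts
```

The gap between the two returned values shows how much of the apparent leakage is sampling noise in the counts; a weak attack drives both toward 0 regardless of the true $\epsilon$, which is the limitation the paper's attack-strength parameter addresses.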

Figures (8)

  • Figure 1: Top Left: $\mathcal{R}(\alpha, \beta)$, the unconstrained prior domain ($s = 0$) for $\alpha, \beta$ of an MIA. Top Right: $\mathcal{R}_{0.6}(\alpha, \beta)$, prior domain for $s = 0.6$. Bottom Left: The dependency structure of the variables involved (a fixed $\delta$ is assumed). Bottom Right: Realization of the variables. $\epsilon$ and $s$ set the blue and green lines, respectively; $(\alpha_{i}, \beta_{i})$ and $(X_{i}/N_{i,0}, Y_{i}/N_{i,1})$ are shown with red and black points, resp.
  • Figure 2: Left: $90\%$ CI for $\epsilon$ vs $s$. Right: $90\%$ CI for $\epsilon$ vs $N$.
  • Figure 3: Posterior distributions for $\epsilon, s$ from multiple attacks. Top: Weak attacks. Bottom: Strong attacks. The gray area in left-most plots are "histograms" of $\epsilon$ for the test according to the posterior distribution of $\epsilon$ (the symmetric counterpart is omitted).
  • Figure 4: $(X, Y)$ counts for $\mathcal{A}_{1}, \ldots, \mathcal{A}_{4}$. For output perturbation, $\sigma = 0.1$ was used.
  • Figure 5: Error counts and privacy estimation for $\mathcal{A}_{4}$ with $\sigma \in [0.01, 0.05, 0.1]$
  • ...and 3 more figures

Theorems & Definitions (10)

  • Definition 1: DP
  • Definition 2: Challenge base
  • Definition 3: MIA
  • Theorem 1
  • Remark 1
  • Remark 2: The special case $s = 1$
  • Remark 3: Dependent challenge bases and MIAs
  • Proposition 1
  • Proposition 1
  • proof