SoK: Challenges in Tabular Membership Inference Attacks
Cristina Pêra, Tânia Carvalho, Maxime Cordy, Luís Antunes
TL;DR
This paper investigates Membership Inference Attacks (MIAs) in tabular data across centralized and Federated Learning (FL) settings, identifying gaps in prior work and proposing a taxonomy based on attacker access. It conducts extensive empirical evaluations using shadow-model and surrogate (LiRA/RMIA) attacks, plus metric-based approaches, across nine datasets, and examines defenses including regularization, differential privacy, and secure aggregation. The findings show generally poor MIA performance on tabular data, but reveal pronounced vulnerability for single-outs and strong transferability of attacks across surrogate models, with outsider FL attacks posing nontrivial privacy risks. Overall, the work highlights the need for robust, dataset-specific privacy auditing and defense strategies in tabular settings and FL, and points to future directions such as data augmentation and adaptive attack strategies to improve MIA assessments.
Abstract
Membership Inference Attacks (MIAs) are currently a dominant approach for evaluating privacy in machine learning applications. Despite their significance in identifying records belonging to the training dataset, several concerns remain unexplored, particularly with regard to tabular data. In this paper, first, we provide an extensive review and analysis of MIAs considering two main learning paradigms: centralized and federated learning. We extend and refine the taxonomy for both. Second, we demonstrate the efficacy of MIAs in tabular data using several attack strategies, also including defenses. Furthermore, in a federated learning scenario, we consider the threat posed by an outsider adversary, which is often neglected. Third, we demonstrate the high vulnerability of single-outs (records with a unique signature) to MIAs. Lastly, we explore how MIAs transfer across model architectures. Our results point towards a general poor performance of these attacks in tabular data which contrasts with previous state-of-the-art. Notably, even attacks with limited attack performance can still successfully expose a large portion of single-outs. Moreover, our findings suggest that using different surrogate models makes MIAs more effective.
