Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Generalized Leverage Score for Scalable Assessment of Privacy Vulnerability

Valentin Dorseuil, Jamal Atif, Olivier Cappé

TL;DR

This work addresses the risk of membership inference at the level of individual data points without retraining or shadow-model simulations. It shows that, in Gaussian linear models, the leverage score fully characterizes MIA vulnerability and extends this insight to deep models via the Generalized Leverage Score (GLS) derived through implicit differentiation; GLS includes both regression and classification settings and admits efficient last-layer approximations. Through extensive CIFAR-10 experiments with ResNet-18, GLS demonstrates a strong correlation with LiRA shadow-model attacks and effectively identifies high-risk outliers, while avoiding the computational burden of training multiple shadow models. The approach thus provides a scalable, interpretable auditing tool that complements differential privacy guarantees, highlighting data points that are most susceptible to privacy leakage and guiding targeted risk mitigation.

Abstract

Can the privacy vulnerability of individual data points be assessed without retraining models or explicitly simulating attacks? We answer affirmatively by showing that exposure to membership inference attack (MIA) is fundamentally governed by a data point's influence on the learned model. We formalize this in the linear setting by establishing a theoretical correspondence between individual MIA risk and the leverage score, identifying it as a principled metric for vulnerability. This characterization explains how data-dependent sensitivity translates into exposure, without the computational burden of training shadow models. Building on this, we propose a computationally efficient generalization of the leverage score for deep learning. Empirical evaluations confirm a strong correlation between the proposed score and MIA success, validating this metric as a practical surrogate for individual privacy risk assessment.

Generalized Leverage Score for Scalable Assessment of Privacy Vulnerability

TL;DR

This work addresses the risk of membership inference at the level of individual data points without retraining or shadow-model simulations. It shows that, in Gaussian linear models, the leverage score fully characterizes MIA vulnerability and extends this insight to deep models via the Generalized Leverage Score (GLS) derived through implicit differentiation; GLS includes both regression and classification settings and admits efficient last-layer approximations. Through extensive CIFAR-10 experiments with ResNet-18, GLS demonstrates a strong correlation with LiRA shadow-model attacks and effectively identifies high-risk outliers, while avoiding the computational burden of training multiple shadow models. The approach thus provides a scalable, interpretable auditing tool that complements differential privacy guarantees, highlighting data points that are most susceptible to privacy leakage and guiding targeted risk mitigation.

Abstract

Can the privacy vulnerability of individual data points be assessed without retraining models or explicitly simulating attacks? We answer affirmatively by showing that exposure to membership inference attack (MIA) is fundamentally governed by a data point's influence on the learned model. We formalize this in the linear setting by establishing a theoretical correspondence between individual MIA risk and the leverage score, identifying it as a principled metric for vulnerability. This characterization explains how data-dependent sensitivity translates into exposure, without the computational burden of training shadow models. Building on this, we propose a computationally efficient generalization of the leverage score for deep learning. Empirical evaluations confirm a strong correlation between the proposed score and MIA success, validating this metric as a practical surrogate for individual privacy risk assessment.
Paper Structure (43 sections, 16 theorems, 65 equations, 5 figures, 2 tables, 2 algorithms)

This paper contains 43 sections, 16 theorems, 65 equations, 5 figures, 2 tables, 2 algorithms.

Table of Contents

  1. Introduction
  2. Contributions.
  3. Related Work
  4. Membership Inference Attacks (MIA).
  5. Influence Functions and Data Attribution.
  6. Privacy Auditing and Heterogeneity.
  7. Leverage Scores and Membership Vulnerability
  8. Problem Setting and Definitions
  9. Distinguishing Members from Non-Members
  10. A Membership Inference Attack Perspective
  11. An Influence Point of View
  12. Generalized Leverage Scores ($\operatorname{GLS}$)
  13. Formal Framework and Definition
  14. Analytic Derivation via Implicit Differentiation
  15. GLS for Regression Models
  16. ...and 28 more sections

Key Result

Proposition 3.0

Under the Gaussian noise assumption, the residuals for the $i$-th data point under the member and non-member hypotheses follow distinct multivariate normal distributions: Consequently, the squared norms of the residuals follow scaled Chi-squared distributions:

Figures (5)

  • Figure 1: Spearman's correlation (green line) between LiRA scores and $\operatorname{GLS}$ (trace), and computational time (blue area) for different network depths. Error bars show 95% confidence intervals across 16 models. Computational times are measured on a single A100 GPU.
  • Figure 2: $t$-SNE visualization of the model's final layer representations for the "Frog" class. Point coloring represents the leverage score magnitude, highlighting the geometric distribution of high-leverage samples.
  • Figure 3: Visualization of the 10 images with the Lowest and Highest Generalized Leverage Score.
  • Figure 4: Error trade-off curves ($\alpha= \text{FPR}, \beta=\text{FNR}$) for samples in the $2\%$ highest and lowest $\operatorname{GLS}$ quantiles. Curves represent the mean of 50 LiRA attacks; shaded areas indicate $95\%$ percentile intervals.
  • Figure 5: Theoretical error trade-off curves for different leverage scores $h_{ii}$ for $m=1$.

Theorems & Definitions (29)

  • Proposition 3.0: Residual Distributions
  • Proposition 3.0: Optimal MIA Test
  • Proposition 3.0: MIA Errors Curve
  • Definition 4.0: Generalized Leverage Score
  • Proposition 4.0: Closed-form $\operatorname{GLS}$
  • Proposition 4.0: Multivariate Regression
  • Proposition 4.0: Cross-Entropy Derivatives
  • Proposition 4.0: Binary Logistic Leverage Score
  • Proposition A.0: Residual Distributions
  • proof
  • ...and 19 more