Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Exponential-Family Membership Inference: From LiRA and RMIA to BaVarIA

Rickard Brännvall

Abstract

Membership inference attacks (MIAs) are becoming standard tools for auditing the privacy of machine learning models. The leading attacks -- LiRA (Carlini et al., 2022) and RMIA (Zarifzadeh et al., 2024) -- appear to use distinct scoring strategies, while the recently proposed BASE (Lassila et al., 2025) was shown to be equivalent to RMIA, making it difficult for practitioners to choose among them. We show that all three are instances of a single exponential-family log-likelihood ratio framework, differing only in their distributional assumptions and the number of parameters estimated per data point. This unification reveals a hierarchy (BASE1-4) that connects RMIA and LiRA as endpoints of a spectrum of increasing model complexity. Within this framework, we identify variance estimation as the key bottleneck at small shadow-model budgets and propose BaVarIA, a Bayesian variance inference attack that replaces threshold-based parameter switching with conjugate normal-inverse-gamma priors. BaVarIA yields a Student-t predictive (BaVarIA-t) or a Gaussian with stabilized variance (BaVarIA-n), providing stable performance without additional hyperparameter tuning. Across 12 datasets and 7 shadow-model budgets, BaVarIA matches or improves upon LiRA and RMIA, with the largest gains in the practically important low-shadow-model and offline regimes.

Exponential-Family Membership Inference: From LiRA and RMIA to BaVarIA

Abstract

Membership inference attacks (MIAs) are becoming standard tools for auditing the privacy of machine learning models. The leading attacks -- LiRA (Carlini et al., 2022) and RMIA (Zarifzadeh et al., 2024) -- appear to use distinct scoring strategies, while the recently proposed BASE (Lassila et al., 2025) was shown to be equivalent to RMIA, making it difficult for practitioners to choose among them. We show that all three are instances of a single exponential-family log-likelihood ratio framework, differing only in their distributional assumptions and the number of parameters estimated per data point. This unification reveals a hierarchy (BASE1-4) that connects RMIA and LiRA as endpoints of a spectrum of increasing model complexity. Within this framework, we identify variance estimation as the key bottleneck at small shadow-model budgets and propose BaVarIA, a Bayesian variance inference attack that replaces threshold-based parameter switching with conjugate normal-inverse-gamma priors. BaVarIA yields a Student-t predictive (BaVarIA-t) or a Gaussian with stabilized variance (BaVarIA-n), providing stable performance without additional hyperparameter tuning. Across 12 datasets and 7 shadow-model budgets, BaVarIA matches or improves upon LiRA and RMIA, with the largest gains in the practically important low-shadow-model and offline regimes.
Paper Structure (90 sections, 3 theorems, 56 equations, 12 figures, 13 tables)

This paper contains 90 sections, 3 theorems, 56 equations, 12 figures, 13 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Setup.
  4. Optimal membership score.
  5. LiRA.
  6. RMIA and BASE.
  7. Exponential-Family Framework
  8. Distributional Specializations
  9. Exponential model (loss statistic).
  10. Gaussian model (log-odds statistic).
  11. The BASE Hierarchy
  12. BASE1 (pooled centering).
  13. BASE2 (pooled centering and variance).
  14. BASE3 (separate means, pooled variance).
  15. BASE4 (class-conditional parameters).
  16. ...and 75 more sections

Key Result

Proposition 1

Under the standard implementations: (a) BASE1 on loss with log-sum-exp centering is ROC-equivalent to RMIA at $\gamma = 1$; (b) BASE4 on rescaled logits coincides with LiRA eq:lira.

Figures (12)

  • Figure 1: Log-log ROC curves for CIFAR-10 WideResNet at $K = 8$ (left) and $K = 254$ (right). At small $K$, RMIA's pooled approach is competitive; at large $K$, the Gaussian-family methods dominate. BaVarIA-$t$ bridges the gap, performing well across both regimes.
  • Figure 2: Performance vs. shadow-model budget $K$, averaged over 6 image datasets (left) and 6 tabular datasets (right). Top: AUC; Bottom: TPR@0.01. Shaded regions show $\pm$1 SE over 32 replicates. BaVarIA-$t$ provides the best AUC at all $K$; BaVarIA-$n$ is safer at low FPR for small $K$.
  • Figure 3: BaVarIA Ablation: $\Delta$ vs. LiRA Averaged over 12 Datasets. Left: AUC; Right: TPR@0.01. BaVarIA-$t$'s heavier tails help AUC uniformly but hurt TPR@0.01 at small $K$. BaVarIA-$n$ provides safe improvement on both metrics at $K \geq 16$.
  • Figure 4: Per-datapoint QQ diagnostic: standardized residuals of shadow log-odds (per data point, per class) pooled across datapoints and plotted against $\mathcal{N}(0,1)$ quantiles. Annotations show per-datapoint Anderson-Darling (AD) rejection rates. CIFAR-10 WRN is well-approximated by a Gaussian (${\sim}6\%$ AD rejection); CIFAR-100 ResNet shows heavier tails in the IN class ($74\%$ AD rejection).
  • Figure 5: Online AUC vs. $K$ for the BASE hierarchy (WRN/MLP3 testbeds). BASE3 (pooled variance) overtakes LiRA/BASE4 at moderate $K$; RMIA/BASE1 lags at all budgets.
  • ...and 7 more figures

Theorems & Definitions (5)

  • Proposition 1: Equivalences
  • Corollary 1: LiRA $=$ BASE4
  • proof
  • Corollary 2: BASE $=$ BASE1
  • proof