A Critical Review on the Effectiveness and Privacy Threats of Membership Inference Attacks

Najeeb Jebreel, David Sánchez, Josep Domingo-Ferrer

Abstract

Membership inference attacks (MIAs) aim to determine whether a data sample was included in a machine learning (ML) model's training set and have become the de facto standard for measuring privacy leakages in ML. We propose an evaluation framework that defines the conditions under which MIAs constitute a genuine privacy threat, and review representative MIAs against it. We find that, under the realistic conditions defined in our framework, MIAs represent weak privacy threats. Thus, relying on them as a privacy metric in ML can lead to an overestimation of risk and to unnecessary sacrifices in model utility as a consequence of employing too strong defenses.

Paper Structure (31 sections, 5 equations, 1 figure, 4 tables)

Figures (1)

  • Figure 1: Overview of the proposed evaluation framework for MIAs. Condition C0 relates to the MIA disclosure potential, which critically depends on the data set used to train the target model. Conditions C1–C4 characterize the effectiveness of the MIA itself, which should reliably attack non-overfitted and competitive models at a reasonable computational cost.

Theorems & Definitions (1)

  • Definition 1: Membership Inference Security Game