Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Uncovering Memorization in Timeseries Imputation models: LBRM Membership Inference and its link to attribute Leakage

Faiz Taleb, Ivan Gazeau, Maryline Laurent

Abstract

Deep learning models for time series imputation are now essential in fields such as healthcare, the Internet of Things (IoT), and finance. However, their deployment raises critical privacy concerns. Beyond the well-known issue of unintended memorization, which has been extensively studied in generative models, we demonstrate that time series models are vulnerable to inference attacks in a black-box setting. In this work, we introduce a two-stage attack framework comprising: (1) a novel membership inference attack based on a reference model that improves detection accuracy, even for models robust to overfitting-based attacks, and (2) the first attribute inference attack that predicts sensitive characteristics of the training data for timeseries imputation model. We evaluate these attacks on attention-based and autoencoder architectures in two scenarios: models that are trained from scratch, and fine-tuned models where the adversary has access to the initial weights. Our experimental results demonstrate that the proposed membership attack retrieves a significant portion of the training data with a tpr@top25% score significantly higher than a naive attack baseline. We show that our membership attack also provides a good insight of whether attribute inference will work (with a precision of 90% instead of 78% in the genral case).

Uncovering Memorization in Timeseries Imputation models: LBRM Membership Inference and its link to attribute Leakage

Abstract

Deep learning models for time series imputation are now essential in fields such as healthcare, the Internet of Things (IoT), and finance. However, their deployment raises critical privacy concerns. Beyond the well-known issue of unintended memorization, which has been extensively studied in generative models, we demonstrate that time series models are vulnerable to inference attacks in a black-box setting. In this work, we introduce a two-stage attack framework comprising: (1) a novel membership inference attack based on a reference model that improves detection accuracy, even for models robust to overfitting-based attacks, and (2) the first attribute inference attack that predicts sensitive characteristics of the training data for timeseries imputation model. We evaluate these attacks on attention-based and autoencoder architectures in two scenarios: models that are trained from scratch, and fine-tuned models where the adversary has access to the initial weights. Our experimental results demonstrate that the proposed membership attack retrieves a significant portion of the training data with a tpr@top25% score significantly higher than a naive attack baseline. We show that our membership attack also provides a good insight of whether attribute inference will work (with a precision of 90% instead of 78% in the genral case).
Paper Structure (37 sections, 7 equations, 3 figures, 7 tables, 1 algorithm)

This paper contains 37 sections, 7 equations, 3 figures, 7 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Paper Organization.
  3. Related Work
  4. A new Membership Inference Attack based on memorization
  5. Constructing the Reference Model for Benchmarking
  6. Evaluating Predictions and Determining Membership
  7. Definition of Threshold $\theta$
  8. Experimentation Methodology
  9. Metrics.
  10. Datasets.
  11. Naive loss attack.
  12. Experimentation Scenarios.
  13. Scenario 1:
  14. Scenario 2 (fine-tuning):
  15. Training models $\mathcal{T}$ and $\mathcal{R}$ .
  16. ...and 22 more sections

Figures (3)

  • Figure 1: Illustrative overview of the LBRM attack pipeline: the attacker compares predictions from the target and reference models to infer membership.
  • Figure 2: MIA + AIA pipeline. The attacker computes LBRM on the seen portion to obtain a series-level risk score, ranks series, selects the Top-$q\%$ high-risk set, and runs AIA on unseen regions of those series.
  • Figure 3: AIA precision on unseen parts of the time series. "Top‑25%" indicates selecting whole sequences based on their LBRM score computed from the part accessible to the attacker.