Current browse context:
cs.CR
Change to browse by:
References & Citations
Computer Science > Cryptography and Security
Title: Revisiting Membership Inference Under Realistic Assumptions
(Submitted on 21 May 2020 (v1), revised 21 Jun 2020 (this version, v2), latest version 13 Jan 2021 (v5))
Abstract: Membership inference attacks on models trained using machine learning have been shown to pose significant privacy risks. However, previous works on membership inference assume a balanced prior distribution where the adversary randomly chooses target records from a pool that has equal numbers of members and non-members. Such an assumption of balanced prior is unrealistic in practical scenarios. This paper studies membership inference attacks under more realistic assumptions. First, we consider skewed priors where a non-member is more likely to occur than a member record. For this, we use metric based on positive predictive value (PPV) in conjunction with membership advantage for privacy leakage evaluation, since PPV considers the prior. Second, we consider adversaries that can select inference thresholds according to their attack goals. For this, we develop a threshold selection procedure that improves inference attacks. We also propose a new membership inference attack called Merlin which outperforms previous attacks. Our experimental evaluation shows that while models trained without privacy mechanisms are vulnerable to membership inference attacks in balanced prior settings, there appears to be negligible privacy risk in the skewed prior setting. Code for our experiments can be found here: this https URL
Submission history
From: Bargav Jayaraman [view email][v1] Thu, 21 May 2020 20:17:42 GMT (2632kb,D)
[v2] Sun, 21 Jun 2020 17:24:39 GMT (3309kb,D)
[v3] Wed, 9 Sep 2020 16:57:30 GMT (11850kb,D)
[v4] Sat, 3 Oct 2020 13:37:57 GMT (5919kb,D)
[v5] Wed, 13 Jan 2021 20:44:44 GMT (5449kb,D)
Link back to: arXiv, form interface, contact.