SHAPr: An Efficient and Versatile Membership Privacy Risk Metric for
Machine Learning
- URL: http://arxiv.org/abs/2112.02230v1
- Date: Sat, 4 Dec 2021 03:45:49 GMT
- Title: SHAPr: An Efficient and Versatile Membership Privacy Risk Metric for
Machine Learning
- Authors: Vasisht Duddu, Sebastian Szyller, N. Asokan
- Abstract summary: Data used to train machine learning (ML) models can be sensitive.
Membership inference attacks (MIAs) attempt to determine whether a particular data record was used to train an ML model, thereby risking violations of membership privacy.
We propose SHAPr, which uses Shapley values to quantify a model's memorization of an individual training data record by measuring its influence on the model's utility.
- Score: 13.952586561595473
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Data used to train machine learning (ML) models can be sensitive. Membership
inference attacks (MIAs), attempting to determine whether a particular data
record was used to train an ML model, risk violating membership privacy. ML
model builders need a principled definition of a metric that enables them to
quantify the privacy risk of (a) individual training data records, (b)
independently of specific MIAs, (c) efficiently. None of the prior work on
membership privacy risk metrics simultaneously meets all of these criteria.
We propose such a metric, SHAPr, which uses Shapley values to quantify a
model's memorization of an individual training data record by measuring its
influence on the model's utility. This memorization is a measure of the
likelihood of a successful MIA.
Using ten benchmark datasets, we show that SHAPr is effective (precision:
0.94$\pm 0.06$, recall: 0.88$\pm 0.06$) in estimating susceptibility of a
training data record for MIAs, and is efficient (computable within minutes for
smaller datasets and in ~90 minutes for the largest dataset).
SHAPr is also versatile in that it can be used for other purposes like
assessing fairness or assigning valuation for subsets of a dataset. For
example, we show that SHAPr correctly captures the disproportionate
vulnerability of different subgroups to MIAs.
Using SHAPr, we show that the membership privacy risk of a dataset is not
necessarily improved by removing high risk training data records, thereby
confirming an observation from prior work in a significantly extended setting
(in ten datasets, removing up to 50% of data).
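The abstract describes SHAPr as using Shapley values to score how much each training record influences the model's utility, and treats that influence as a proxy for memorization and MIA risk. The snippet below is a minimal, illustrative sketch of how such per-record scores could be computed, assuming a KNN-Shapley-style approximation (Jia et al., 2019) over raw input features; the function name, distance metric, and choice of K are assumptions for illustration, not the authors' implementation.

```python
# A minimal sketch, not the authors' implementation: per-record membership
# privacy scores in the spirit of SHAPr, assuming a KNN-Shapley approximation
# (Jia et al., 2019) computed directly on input features. K, the distance
# metric, and all names below are illustrative assumptions.
import numpy as np

def knn_shapley_scores(X_train, y_train, X_test, y_test, K=5):
    """Return one Shapley-value-based score per training record.

    Higher scores mean a record contributes more to test utility, which
    SHAPr interprets as stronger memorization and hence higher MIA risk.
    """
    N = len(X_train)
    scores = np.zeros(N)
    for x, y in zip(X_test, y_test):
        # Sort training points by distance to this test point, closest first.
        order = np.argsort(np.linalg.norm(X_train - x, axis=1))
        match = (y_train[order] == y).astype(float)
        s = np.zeros(N)
        # Exact KNN-Shapley recursion, starting from the farthest point.
        s[N - 1] = match[N - 1] / N
        for i in range(N - 2, -1, -1):
            s[i] = s[i + 1] + (match[i] - match[i + 1]) / K * min(K, i + 1) / (i + 1)
        scores[order] += s          # map back to original training indices
    return scores / len(X_test)    # average contribution over the test set
```

Under this sketch, records with the largest scores would be flagged as most susceptible to MIAs. For the subgroup-fairness use case mentioned in the abstract, the same per-record scores can simply be averaged within each subgroup to compare relative exposure.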
Related papers
- Pseudo-Probability Unlearning: Towards Efficient and Privacy-Preserving Machine Unlearning [59.29849532966454]
We propose Pseudo-Probability Unlearning (PPU), a novel method that enables models to forget data in a privacy-preserving manner.
Our method achieves over 20% improvements in forgetting error compared to the state-of-the-art.
arXiv Detail & Related papers (2024-11-04T21:27:06Z)
- Evaluating Large Language Model based Personal Information Extraction and Countermeasures [63.91918057570824]
Large language models (LLMs) can be misused by attackers to accurately extract various personal information from personal profiles.
LLMs outperform conventional methods at such extraction.
Prompt injection can mitigate such risk to a large extent and outperforms conventional countermeasures.
arXiv Detail & Related papers (2024-08-14T04:49:30Z)
- Range Membership Inference Attacks [17.28638946021444]
We introduce the class of range membership inference attacks (RaMIAs), testing if the model was trained on any data in a specified range.
We show that RaMIAs can capture privacy loss more accurately and comprehensively than MIAs on various types of data.
arXiv Detail & Related papers (2024-08-09T15:39:06Z)
- Lost in the Averages: A New Specific Setup to Evaluate Membership Inference Attacks Against Machine Learning Models [6.343040313814916]
Membership Inference Attacks (MIAs) are used to evaluate the propensity of a machine learning (ML) model to memorize an individual record.
We propose a new, specific evaluation setup for MIAs against ML models.
We show that the risk estimates given by the current setup lead to many records being misclassified as low risk.
arXiv Detail & Related papers (2024-05-24T10:37:38Z)
- Do Membership Inference Attacks Work on Large Language Models? [141.2019867466968]
Membership inference attacks (MIAs) attempt to predict whether a particular datapoint is a member of a target model's training data.
We perform a large-scale evaluation of MIAs over a suite of language models trained on the Pile, ranging from 160M to 12B parameters.
We find that MIAs barely outperform random guessing for most settings across varying LLM sizes and domains.
arXiv Detail & Related papers (2024-02-12T17:52:05Z)
- Practical Membership Inference Attacks against Fine-tuned Large Language Models via Self-prompt Calibration [32.15773300068426]
Membership Inference Attacks (MIAs) aim to infer whether a target data record has been utilized for model training or not.
We propose a Membership Inference Attack based on Self-calibrated Probabilistic Variation (SPV-MIA).
Specifically, since memorization in LLMs is inevitable during the training process and occurs before overfitting, we introduce a more reliable membership signal.
arXiv Detail & Related papers (2023-11-10T13:55:05Z)
- Assessing Privacy Risks in Language Models: A Case Study on Summarization Tasks [65.21536453075275]
We focus on the summarization task and investigate the membership inference (MI) attack.
We exploit text similarity and the model's resistance to document modifications as potential MI signals.
We discuss several safeguards for training summarization models to protect against MI attacks and discuss the inherent trade-off between privacy and utility.
arXiv Detail & Related papers (2023-10-20T05:44:39Z)
- Approximate, Adapt, Anonymize (3A): a Framework for Privacy Preserving Training Data Release for Machine Learning [3.29354893777827]
We introduce a data release framework, 3A (Approximate, Adapt, Anonymize), to maximize data utility for machine learning.
We present experimental evidence showing minimal discrepancy between performance metrics of models trained on real versus privatized datasets.
arXiv Detail & Related papers (2023-07-04T18:37:11Z)
- Membership Inference Attacks against Synthetic Data through Overfitting Detection [84.02632160692995]
We argue for a realistic MIA setting that assumes the attacker has some knowledge of the underlying data distribution.
We propose DOMIAS, a density-based MIA model that aims to infer membership by targeting local overfitting of the generative model.
arXiv Detail & Related papers (2023-02-24T11:27:39Z)
- Learning to be a Statistician: Learned Estimator for Number of Distinct Values [54.629042119819744]
Estimating the number of distinct values (NDV) in a column is useful for many tasks in database systems.
In this work, we focus on how to derive accurate NDV estimations from random (online/offline) samples.
We propose to formulate the NDV estimation task in a supervised learning framework, and aim to learn a model as the estimator.
arXiv Detail & Related papers (2022-02-06T15:42:04Z)
- Enhanced Membership Inference Attacks against Machine Learning Models [9.26208227402571]
Membership inference attacks are used to quantify the private information that a model leaks about the individual data points in its training set.
We derive new attack algorithms that can achieve a high AUC score while also highlighting the different factors that affect their performance.
Our algorithms capture a very precise approximation of privacy loss in models, and can be used as a tool to perform an accurate and informed estimation of privacy risk in machine learning models.
arXiv Detail & Related papers (2021-11-18T13:31:22Z)
This list is automatically generated from the titles and abstracts of the papers in this site.