Optimal Membership Inference Bounds for Adaptive Composition of Sampled
Gaussian Mechanisms
- URL: http://arxiv.org/abs/2204.06106v1
- Date: Tue, 12 Apr 2022 22:36:56 GMT
- Title: Optimal Membership Inference Bounds for Adaptive Composition of Sampled
Gaussian Mechanisms
- Authors: Saeed Mahloujifar, Alexandre Sablayrolles, Graham Cormode, Somesh Jha
- Abstract summary: Given a trained model and a data sample, membership-inference (MI) attacks predict whether the sample was in the model's training set.
A common countermeasure against MI attacks is to utilize differential privacy (DP) during model training to mask the presence of individual examples.
- In this paper, we derive bounds for the \textit{advantage} of an adversary mounting an MI attack, and demonstrate tightness for the widely-used Gaussian mechanism.
- Score: 93.44378960676897
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Given a trained model and a data sample, membership-inference (MI) attacks
predict whether the sample was in the model's training set. A common
countermeasure against MI attacks is to utilize differential privacy (DP)
during model training to mask the presence of individual examples. While this
use of DP is a principled approach to limit the efficacy of MI attacks, there
is a gap between the bounds provided by DP and the empirical performance of MI
attacks. In this paper, we derive bounds for the \textit{advantage} of an
adversary mounting an MI attack, and demonstrate tightness for the widely-used
Gaussian mechanism. We further show bounds on the \textit{confidence} of MI
attacks. Our bounds are much stronger than those obtained by DP analysis. For
example, analyzing a setting of DP-SGD with $\epsilon=4$ yields an upper
bound on the advantage of $\approx0.36$ based on our analyses, while the
analyses of previous works that convert $\epsilon$ to membership inference
bounds give a bound of $\approx 0.97$.
Finally, using our analysis, we provide MI metrics for models trained on the
CIFAR10 dataset. To the best of our knowledge, our analysis provides
state-of-the-art membership inference bounds.
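For intuition, the sketch below (not the paper's analysis) contrasts the two conversions mentioned above: the generic pure $\epsilon$-DP bound on MI advantage, $(e^\epsilon-1)/(e^\epsilon+1)$, which gives $\approx 0.96$ at $\epsilon=4$, and the advantage of the optimal threshold test against a single, unsampled Gaussian mechanism, $2\Phi(\Delta/(2\sigma))-1$. The paper's $\approx 0.36$ figure comes from its tighter treatment of adaptively composed sampled Gaussian mechanisms and is not reproduced here; the noise multiplier below is illustrative.

```python
# Minimal numeric sketch (not the paper's analysis) of two MI-advantage quantities.
from math import exp
from statistics import NormalDist

def advantage_from_epsilon(eps: float) -> float:
    """Tight MI-advantage bound for a pure eps-DP mechanism: (e^eps - 1) / (e^eps + 1)."""
    return (exp(eps) - 1.0) / (exp(eps) + 1.0)

def gaussian_mechanism_advantage(sigma: float, sensitivity: float = 1.0) -> float:
    """Advantage of the optimal threshold test between N(0, sigma^2) and N(sensitivity, sigma^2)."""
    return 2.0 * NormalDist().cdf(sensitivity / (2.0 * sigma)) - 1.0

print(advantage_from_epsilon(4.0))        # ~0.964, in line with the ~0.97 figure quoted above
print(gaussian_mechanism_advantage(2.0))  # single release, illustrative noise multiplier sigma = 2
```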
Related papers
- Scalable DP-SGD: Shuffling vs. Poisson Subsampling [61.19794019914523]
We provide new lower bounds on the privacy guarantee of the multi-epoch Adaptive Batch Linear Queries (ABLQ) mechanism with shuffled batch sampling.
We show substantial gaps when compared to Poisson subsampling; prior analysis was limited to a single epoch.
We introduce a practical approach to implement Poisson subsampling at scale using massively parallel computation.
arXiv Detail & Related papers (2024-11-06T19:06:16Z)
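A minimal sketch of Poisson subsampling as used in the entry above: every record is included in a batch independently with probability q, so batch sizes are random. This illustrates only the sampling scheme; the ABLQ analysis and the massively parallel implementation are not reproduced.

```python
# Poisson subsampling: each record enters the batch independently with probability q.
import numpy as np

def poisson_subsample(n_records: int, q: float, rng: np.random.Generator) -> np.ndarray:
    """Return indices of a Poisson subsample: each index is kept independently w.p. q."""
    mask = rng.random(n_records) < q
    return np.flatnonzero(mask)

rng = np.random.default_rng(0)
batch = poisson_subsample(n_records=10_000, q=0.01, rng=rng)
print(len(batch))  # batch size is random, approximately Binomial(10_000, 0.01)
```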
- Closed-Form Bounds for DP-SGD against Record-level Inference [18.85865832127335]
We focus on the popular DP-SGD algorithm, and derive simple closed-form bounds.
We obtain bounds for membership inference that match state-of-the-art techniques.
We present a novel data-dependent bound against attribute inference.
arXiv Detail & Related papers (2024-02-22T09:26:16Z)
- Gaussian Membership Inference Privacy [22.745970468274173]
We propose a novel and practical privacy notion called $f$-Membership Inference Privacy ($f$-MIP).
We derive a family of $f$-MIP guarantees that we refer to as $\mu$-Gaussian Membership Inference Privacy ($\mu$-GMIP) by theoretically analyzing likelihood ratio-based membership inference attacks on stochastic gradient descent (SGD).
arXiv Detail & Related papers (2023-06-12T17:57:05Z)
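A hedged illustration of what a Gaussian-shaped membership-inference guarantee conveys: assuming attacks are limited by a Gaussian trade-off curve with parameter mu (the form used in Gaussian DP; the exact mu-GMIP statement may differ), the strongest attack's true-positive rate at false-positive rate alpha is Phi(Phi^{-1}(alpha) + mu). The mu values below are illustrative, not from the paper.

```python
# Attack power implied by a Gaussian trade-off curve with parameter mu (GDP-style).
from statistics import NormalDist

_STD_NORMAL = NormalDist()  # standard normal, mean 0, sd 1

def max_tpr_at_fpr(alpha: float, mu: float) -> float:
    """Best attainable attack TPR at FPR alpha under a Gaussian trade-off with parameter mu."""
    return _STD_NORMAL.cdf(_STD_NORMAL.inv_cdf(alpha) + mu)

for mu in (0.5, 1.0, 2.0):  # illustrative values of mu (assumed, not from the paper)
    print(mu, max_tpr_at_fpr(alpha=0.01, mu=mu))
```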
- Analyzing Privacy Leakage in Machine Learning via Multiple Hypothesis Testing: A Lesson From Fano [83.5933307263932]
We study data reconstruction attacks for discrete data and analyze them under the framework of hypothesis testing.
We show that if the underlying private data takes values from a set of size $M$, then the target privacy parameter $\epsilon$ can be $O(\log M)$ before the adversary gains significant inferential power.
arXiv Detail & Related papers (2022-10-24T23:50:12Z)
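A small numeric sketch of the Fano-style reasoning referenced above: once the adversary's information about a secret that is uniform over M values is capped at I(X;Y) bits, Fano's inequality lower-bounds the reconstruction error. How the privacy parameter epsilon translates into that information budget is the paper's contribution and is not reproduced; the numbers below are illustrative.

```python
# Fano's inequality as an error lower bound for reconstructing a uniform secret over M values.
from math import log2

def fano_error_lower_bound(mi_bits: float, M: int) -> float:
    """P_err >= (H(X) - I(X;Y) - 1) / log2(M), with H(X) = log2(M) for a uniform X."""
    return max(0.0, (log2(M) - mi_bits - 1.0) / log2(M))

print(fano_error_lower_bound(mi_bits=2.0, M=1024))  # little leakage: error stays high
print(fano_error_lower_bound(mi_bits=8.0, M=1024))  # more leaked information: weaker bound
```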
- Bounding Membership Inference [28.64031194463754]
We provide a tighter bound on the accuracy of any MI adversary when a training algorithm provides $\epsilon$-DP.
Our scheme enables $\epsilon$-DP users to employ looser DP guarantees when training their model to limit the success of any MI adversary.
arXiv Detail & Related papers (2022-02-24T17:54:15Z)
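A hedged sketch of the kind of calculation such bounds enable: assuming the balanced-prior MI accuracy under pure epsilon-DP is capped by e^epsilon / (1 + e^epsilon) (a generic bound, not necessarily the paper's exact one), a user can invert the cap to find the loosest epsilon compatible with a target accuracy ceiling.

```python
# Generic pure-DP cap on balanced-prior MI accuracy, and its inverse (assumption, not the paper's bound).
from math import exp, log

def mi_accuracy_cap(eps: float) -> float:
    """Upper bound on balanced-prior MI accuracy under pure eps-DP: e^eps / (1 + e^eps)."""
    return exp(eps) / (1.0 + exp(eps))

def max_epsilon_for_accuracy(acc_target: float) -> float:
    """Loosest eps whose MI accuracy cap stays at or below acc_target."""
    return log(acc_target / (1.0 - acc_target))

print(mi_accuracy_cap(1.0))            # ~0.731
print(max_epsilon_for_accuracy(0.60))  # ~0.405: eps needed to keep MI accuracy <= 60%
```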
- On the Practicality of Differential Privacy in Federated Learning by Tuning Iteration Times [51.61278695776151]
Federated Learning (FL) is well known for its privacy protection when training machine learning models collaboratively among distributed clients.
Recent studies have pointed out that naive FL is susceptible to gradient leakage attacks.
Differential Privacy (DP) emerges as a promising countermeasure to defend against gradient leakage attacks.
arXiv Detail & Related papers (2021-01-11T19:43:12Z)
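A minimal sketch of the standard DP countermeasure mentioned above, applied to a client update: clip the update to a fixed L2 norm and add calibrated Gaussian noise. The clipping norm and noise multiplier below are illustrative, and the paper's iteration-time tuning is not reproduced.

```python
# Standard DP recipe for a client update: L2 clipping followed by Gaussian noise.
import numpy as np

def privatize_update(update: np.ndarray, clip_norm: float, noise_multiplier: float,
                     rng: np.random.Generator) -> np.ndarray:
    """Clip to L2 norm <= clip_norm, then add N(0, (noise_multiplier * clip_norm)^2) noise."""
    norm = np.linalg.norm(update)
    clipped = update * min(1.0, clip_norm / (norm + 1e-12))
    noise = rng.normal(0.0, noise_multiplier * clip_norm, size=update.shape)
    return clipped + noise

rng = np.random.default_rng(0)
grad = rng.normal(size=100)  # stand-in for a client gradient/update
private_grad = privatize_update(grad, clip_norm=1.0, noise_multiplier=1.1, rng=rng)
```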
- Investigating Membership Inference Attacks under Data Dependencies [26.70764798408236]
Training machine learning models on privacy-sensitive data has opened the door to new attacks that can have serious privacy implications.
One such attack, the Membership Inference Attack (MIA), exposes whether or not a particular data point was used to train a model.
Prior evaluations of defences against MIAs make the restrictive assumption that all members of the training set, as well as non-members, are independent and identically distributed.
arXiv Detail & Related papers (2020-10-23T00:16:46Z)
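For concreteness, a hedged sketch of the simplest membership-inference attack in this threat model: predict "member" whenever the model's loss on a point falls below a threshold. The synthetic loss distributions below are illustrative; the paper's treatment of data dependencies is not reproduced.

```python
# Classic loss-threshold membership-inference attack on synthetic loss values.
import numpy as np

def loss_threshold_mia(losses: np.ndarray, threshold: float) -> np.ndarray:
    """Return boolean membership predictions: True where the loss falls below the threshold."""
    return losses < threshold

rng = np.random.default_rng(0)
member_losses = rng.exponential(0.5, size=1000)     # members tend to have lower loss
nonmember_losses = rng.exponential(1.0, size=1000)
tpr = loss_threshold_mia(member_losses, threshold=0.7).mean()
fpr = loss_threshold_mia(nonmember_losses, threshold=0.7).mean()
print(tpr - fpr)  # empirical membership advantage (TPR - FPR)
```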
- Multi-label Contrastive Predictive Coding [125.03510235962095]
Variational mutual information (MI) estimators are widely used in unsupervised representation learning methods such as contrastive predictive coding (CPC).
We introduce a novel estimator based on a multi-label classification problem, where the critic needs to jointly identify multiple positive samples at the same time.
We show that using the same amount of negative samples, multi-label CPC is able to exceed the $\log m$ bound, while still being a valid lower bound of mutual information.
arXiv Detail & Related papers (2020-07-20T02:46:21Z)
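A small sketch of the log m ceiling discussed above for the standard single-positive InfoNCE/CPC estimator: with m candidate samples (one positive), the estimate is log m plus the mean log-probability assigned to the positive, which is never positive, so the estimate cannot exceed log m. This is the baseline estimator, not the paper's multi-label variant.

```python
# Standard single-positive InfoNCE estimate, which is capped at log(m) by construction.
import numpy as np

def infonce_estimate(scores: np.ndarray) -> float:
    """scores: (batch, m) critic scores with the positive in column 0.
    Returns log m plus the mean log-softmax probability of the positive (always <= log m)."""
    m = scores.shape[1]
    logits = scores - scores.max(axis=1, keepdims=True)              # numerical stability
    log_probs = logits - np.log(np.exp(logits).sum(axis=1, keepdims=True))
    return float(np.log(m) + log_probs[:, 0].mean())

rng = np.random.default_rng(0)
scores = rng.normal(size=(256, 64))
scores[:, 0] += 5.0                                                  # make the positive easy to identify
print(infonce_estimate(scores), np.log(64))                          # approaches, never exceeds, log 64
```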
- Toward Adversarial Robustness via Semi-supervised Robust Training [93.36310070269643]
Adversarial examples have been shown to be a severe threat to deep neural networks (DNNs).
We propose a novel defense method, Robust Training (RT), which jointly minimizes two separate risks ($R_{stand}$ and $R_{rob}$).
arXiv Detail & Related papers (2020-03-16T02:14:08Z)
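A hedged sketch of the joint objective described in the last entry: minimize a standard risk on clean inputs plus a weighted robustness risk on perturbed inputs. The single-step FGSM perturbation, the cross-entropy surrogate for R_rob, and the weight lambda are illustrative assumptions; the paper's exact risk definitions and its semi-supervised component are not reproduced.

```python
# Joint standard + robust risk with a one-step FGSM perturbation (illustrative surrogate).
import torch
import torch.nn.functional as F

def joint_risk(model: torch.nn.Module, x: torch.Tensor, y: torch.Tensor,
               eps: float = 0.03, lam: float = 1.0) -> torch.Tensor:
    """Return R_stand on clean inputs plus lam * R_rob on FGSM-perturbed inputs."""
    loss_stand = F.cross_entropy(model(x), y)
    # One-step FGSM perturbation: gradient taken w.r.t. the inputs only.
    x_adv = x.detach().clone().requires_grad_(True)
    grad_x = torch.autograd.grad(F.cross_entropy(model(x_adv), y), x_adv)[0]
    x_adv = (x_adv + eps * grad_x.sign()).detach()
    loss_rob = F.cross_entropy(model(x_adv), y)
    return loss_stand + lam * loss_rob

model = torch.nn.Linear(784, 10)                         # toy stand-in for a classifier
x, y = torch.randn(32, 784), torch.randint(0, 10, (32,))
joint_risk(model, x, y).backward()                       # gradients flow to the model parameters
```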