Data and Model Dependencies of Membership Inference Attack
Shakila Mahjabin Tonni, Dinusha Vatsalan, Farhad Farokhi, Dali Kaafar, Zhigang Lu, Gioacchino Tangari

TL;DR
This paper empirically analyzes how data and model properties influence the success of Membership Inference Attacks (MIA) on machine learning models, revealing multiple factors that jointly contribute to vulnerability and proposing regularization-based defenses.
Contribution
It provides the first comprehensive empirical study on data and model dependencies affecting MIA vulnerability and introduces regularization techniques based on these properties to mitigate attacks.
Findings
Multiple data and model properties jointly influence MIA success.
Regularization based on data and model properties can reduce MIA accuracy by up to 25%.
Model overfitting alone does not fully explain MIA vulnerability.
Abstract
Machine learning (ML) models have been shown to be vulnerable to Membership Inference Attacks (MIA), which infer the membership of a given data point in the target dataset by observing the prediction output of the ML model. While the key factors for the success of MIA have not yet been fully understood, existing defense mechanisms such as using L2 regularization \cite{10shokri2017membership} and dropout layers \cite{salem2018ml} take only the model's overfitting property into consideration. In this paper, we provide an empirical analysis of the impact of both the data and ML model properties on the vulnerability of ML techniques to MIA. Our results reveal the relationship between MIA accuracy and properties of the dataset and training model in use. In particular, we show that the size of shadow dataset, the class and feature balance and the entropy of the target dataset, the…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Explainable Artificial Intelligence (XAI) · Privacy-Preserving Technologies in Data
Methods: Dropout
