Bootstrap Aggregation for Point-based Generalized Membership Inference Attacks
Daniel L. Felps, Amelia D. Schwickerath, Joyce D. Williams, Trung N. Vuong, Alan Briggs, Matthew Hunt, Evan Sakmar, David D. Saranchak, Tyler Shumaker

TL;DR
This paper presents a novel generalized membership inference attack method that uses bootstrap aggregation to evaluate the vulnerability of individual data points in a model's training set, even with limited data and different model architectures.
Contribution
It introduces a new attack approach that extends membership inference to all data points using data partitioning and multiple reference models, improving attack efficiency and applicability.
Findings
Smaller reference training sets lead to stronger attacks.
Attack models can be trained on different architectures than the target.
Effective even without access to the full original dataset.
Abstract
An efficient scheme is introduced that extends the generalized membership inference attack to every point in a model's training data set. Our approach leverages data partitioning to create variable sized training sets for the reference models. We then train an attack model for every single training example for a reference model configuration based upon output for each individual point. This allows us to quantify the membership inference attack vulnerability of each training data point. Using this approach, we discovered that smaller amounts of reference model training data led to a stronger attack. Furthermore, the reference models do not need to be of the same architecture as the target model, providing additional attack efficiencies. The attack may also be performed by an adversary even when they do not have the complete original data set.
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Privacy-Preserving Technologies in Data
