Membership Inference Attacks From First Principles

TL;DR

This paper introduces a new likelihood ratio attack for membership inference that significantly outperforms previous methods at low false-positive rates, emphasizing the importance of evaluation metrics that reflect confident identification of training data members.

Contribution

The paper proposes LiRA, a novel attack that combines existing ideas to improve membership inference performance at low false-positive rates, and advocates for more meaningful evaluation metrics.

Findings

LiRA is 10x more powerful at low false-positive rates

Most prior attacks perform poorly under stricter evaluation metrics

Evaluation should focus on true-positive rate at low false-positive thresholds

Abstract

A membership inference attack allows an adversary to query a trained machine learning model to predict whether or not a particular example was contained in the model's training dataset. These attacks are currently evaluated using average-case "accuracy" metrics that fail to characterize whether the attack can confidently identify any members of the training set. We argue that attacks should instead be evaluated by computing their true-positive rate at low (e.g., <0.1%) false-positive rates, and find most prior attacks perform poorly when evaluated in this way. To address this we develop a Likelihood Ratio Attack (LiRA) that carefully combines multiple ideas from the literature. Our attack is 10x more powerful at low false-positive rates, and also strictly dominates prior attacks on existing metrics.