On the Privacy Effect of Data Enhancement via the Lens of Memorization

TL;DR

This paper investigates the privacy implications of data enhancement in machine learning through memorization analysis, revealing that traditional privacy metrics may be misleading and that privacy, generalization, and robustness are interconnected in complex ways.

Contribution

It introduces a memorization-based perspective for privacy evaluation, challenging existing metrics, and explores the relationships among privacy, generalization, and robustness.

Findings

Memorization-based attack captures individual privacy risks more accurately.

Privacy leakage is less correlated with generalization gap than previously thought.

No inherent trade-off between adversarial robustness and privacy.

Abstract

Machine learning poses severe privacy concerns as it has been shown that the learned models can reveal sensitive information about their training data. Many works have investigated the effect of widely adopted data augmentation and adversarial training techniques, termed data enhancement in the paper, on the privacy leakage of machine learning models. Such privacy effects are often measured by membership inference attacks (MIAs), which aim to identify whether a particular example belongs to the training set or not. We propose to investigate privacy from a new perspective called memorization. Through the lens of memorization, we find that previously deployed MIAs produce misleading results as they are less likely to identify samples with higher privacy risks as members compared to samples with low privacy risks. To solve this problem, we deploy a recent attack that can capture individual samples' memorization degrees for evaluation. Through extensive experiments, we unveil several findings about the connections between three essential properties of machine learning models, including privacy, generalization gap, and adversarial robustness. We demonstrate that the generalization gap and privacy leakage are less correlated than those of the previous results. Moreover, there is not necessarily a trade-off between adversarial robustness and privacy as stronger adversarial robustness does not make the model more susceptible to privacy attacks.