TMI! Finetuned Models Leak Private Information from their Pretraining Data

TL;DR

This paper introduces TMI, a novel attack that can infer whether specific data was part of a model's pretraining set by analyzing a finetuned model, revealing privacy risks in transfer learning.

Contribution

The paper proposes a new membership inference attack, TMI, that exploits memorization in finetuned models to reveal pretraining data membership, highlighting privacy vulnerabilities.

Findings

TMI successfully infers pretraining data membership across vision and language tasks.

The attack remains effective even with differential privacy during finetuning.

Open-source implementation is available for reproducibility.

Abstract

Transfer learning has become an increasingly popular technique in machine learning as a way to leverage a pretrained model trained for one task to assist with building a finetuned model for a related task. This paradigm has been especially popular for $\textit{privacy}$ in machine learning, where the pretrained model is considered public, and only the data for finetuning is considered sensitive. However, there are reasons to believe that the data used for pretraining is still sensitive, making it essential to understand how much information the finetuned model leaks about the pretraining data. In this work we propose a new membership-inference threat model where the adversary only has access to the finetuned model and would like to infer the membership of the pretraining data. To realize this threat model, we implement a novel metaclassifier-based attack, $\textbf{TMI}$, that leverages the influence of memorized pretraining samples on predictions in the downstream task. We evaluate $\textbf{TMI}$ on both vision and natural language tasks across multiple transfer learning settings, including finetuning with differential privacy. Through our evaluation, we find that $\textbf{TMI}$ can successfully infer membership of pretraining examples using query access to the finetuned model. An open-source implementation of $\textbf{TMI}$ can be found on GitHub: https://github.com/johnmath/tmi-pets24.