Impact of Dataset Properties on Membership Inference Vulnerability of Deep Transfer Learning

TL;DR

This paper investigates how dataset size and properties influence the susceptibility of fine-tuned neural networks to membership inference attacks, revealing a power-law relationship and the impact of dataset size on privacy protection.

Contribution

It provides both empirical and theoretical analysis of MIA vulnerability in transfer learning, highlighting the effect of dataset properties on privacy risks.

Findings

Vulnerability decreases with more examples per class following a power law.

Large dataset sizes are required to protect the most vulnerable points.

Empirical and theoretical models align in describing MIA vulnerability.

Abstract

Membership inference attacks (MIAs) are used to test practical privacy of machine learning models. MIAs complement formal guarantees from differential privacy (DP) under a more realistic adversary model. We analyse MIA vulnerability of fine-tuned neural networks both empirically and theoretically, the latter using a simplified model of fine-tuning. We show that the vulnerability of non-DP models when measured as the attacker advantage at a fixed false positive rate reduces according to a simple power law as the number of examples per class increases. A similar power-law applies even for the most vulnerable points, but the dataset size needed for adequate protection of the most vulnerable points is very large.