Do Parameters Reveal More than Loss for Membership Inference?

TL;DR

This paper demonstrates that effective membership inference attacks require white-box access to model parameters, introducing a new attack method that leverages inverse Hessian computations, challenging prior assumptions about black-box sufficiency.

Contribution

The paper proves that black-box access is insufficient for optimal membership inference in SGD-trained models and introduces the IHA white-box attack utilizing inverse Hessian-vector products.

Findings

White-box access improves inference accuracy.

Inverse Hessian Attack (IHA) exploits model parameters.

Black-box access is inadequate for optimal inference.

Abstract

Membership inference attacks are used as a key tool for disclosure auditing. They aim to infer whether an individual record was used to train a model. While such evaluations are useful to demonstrate risk, they are computationally expensive and often make strong assumptions about potential adversaries' access to models and training environments, and thus do not provide tight bounds on leakage from potential attacks. We show how prior claims around black-box access being sufficient for optimal membership inference do not hold for stochastic gradient descent, and that optimal membership inference indeed requires white-box access. Our theoretical results lead to a new white-box inference attack, IHA (Inverse Hessian Attack), that explicitly uses model parameters by taking advantage of computing inverse-Hessian vector products. Our results show that both auditors and adversaries may be able to benefit from access to model parameters, and we advocate for further research into white-box methods for membership inference.