Defending Membership Inference Attacks via Privacy-aware Sparsity Tuning
Qiang Hu, Hengxiang Zhang, Hongxin Wei

TL;DR
This paper introduces PAST, a privacy-aware sparsity tuning method that adaptively regularizes model parameters based on their privacy sensitivity, significantly reducing membership inference risks while maintaining utility.
Contribution
The paper proposes PAST, a novel adaptive regularization technique that selectively sparsifies parameters impacting privacy, improving the privacy-utility tradeoff in over-parameterized models.
Findings
PAST effectively reduces membership inference attack success rates.
PAST achieves a better privacy-utility balance compared to traditional regularization methods.
Extensive experiments validate the superiority of PAST in privacy preservation.
Abstract
Over-parameterized models are typically vulnerable to membership inference attacks, which aim to determine whether a specific sample is included in the training of a given model. Previous weight regularizations (e.g., L1 regularization) typically impose uniform penalties on all parameters, leading to a suboptimal tradeoff between model utility and privacy. In this work, we first show that only a small fraction of parameters substantially impact the privacy risk. In light of this, we propose Privacy-aware Sparsity Tuning (PAST), a simple fix to L1 regularization, by employing adaptive penalties to different parameters. Our key idea behind PAST is to promote sparsity in parameters that significantly contribute to privacy leakage. In particular, we construct the adaptive weight for each parameter based on its privacy sensitivity, i.e., the gradient of the loss gap with respect to the…
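The abstract describes the mechanism only in outline: measure each parameter's privacy sensitivity as the gradient of the member/non-member loss gap, turn that into a per-parameter L1 weight, and train with the weighted penalty. The block below is an added illustration written for this page, not code from the paper or its authors. It uses a toy logistic-regression model on constructed data with many uninformative features (so the model overfits and leaks membership), a held-out reference set for the loss gap, and a proximal soft-thresholding step for the L1 penalty. The normalization of the adaptive weights to mean 1, the refresh schedule for the sensitivities, the learning rate and the penalty strength are all assumptions of this example rather than the paper's recipe. It also shows the evaluation hygiene a practitioner would want: the attack is scored on fresh points that were never used to compute the sensitivities, and the attacker is the simple loss-threshold adversary, which the reviews below note is weaker than shadow-model attacks.

```python
import math
import random

# Constructed toy setting (not the paper's experiments): a logistic regression with
# 2 informative features and 18 pure-noise features, trained on 30 members so it
# overfits the noise dimensions and leaks membership through its loss.
D_INFORMATIVE = 2
D_NOISE = 18
DIM = D_INFORMATIVE + D_NOISE


def make_dataset(n, rng):
    """Constructed sample: the label depends on the first two features only."""
    data = []
    for _ in range(n):
        x = [rng.gauss(0.0, 1.0) for _ in range(DIM)]
        p = 1.0 / (1.0 + math.exp(-(2.0 * x[0] - 2.0 * x[1])))
        data.append((x, 1 if rng.random() < p else 0))
    return data


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z)) if z >= 0 else math.exp(z) / (1.0 + math.exp(z))


def predict(theta, x):
    return sigmoid(sum(t * xi for t, xi in zip(theta, x)))


def sample_loss(theta, x, y):
    p = min(max(predict(theta, x), 1e-7), 1.0 - 1e-7)
    return -(y * math.log(p) + (1 - y) * math.log(1.0 - p))


def mean_loss(theta, data):
    return sum(sample_loss(theta, x, y) for x, y in data) / len(data)


def loss_gradient(theta, data):
    """Gradient of the mean cross-entropy loss w.r.t. theta for logistic regression."""
    grad = [0.0] * DIM
    for x, y in data:
        err = predict(theta, x) - y
        for j in range(DIM):
            grad[j] += err * x[j] / len(data)
    return grad


def privacy_sensitivity(theta, members, nonmembers):
    """|d(gap)/d theta_j| with gap = mean non-member loss - mean member loss."""
    g_non = loss_gradient(theta, nonmembers)
    g_mem = loss_gradient(theta, members)
    return [abs(a - b) for a, b in zip(g_non, g_mem)]


def adaptive_weights(sensitivity):
    """Per-parameter L1 multipliers; scaling to mean 1 is an assumption of this example."""
    mean = sum(sensitivity) / len(sensitivity)
    return [1.0] * len(sensitivity) if mean == 0.0 else [s / mean for s in sensitivity]


def soft_threshold(v, thr):
    """Proximal L1 step: shrink toward zero and stop exactly at zero (true sparsity)."""
    return v - thr if v > thr else (v + thr if v < -thr else 0.0)


def train(members, nonmembers, lam, adaptive, steps=300, lr=0.1, refresh_every=25):
    """Uniform L1 (adaptive=False) versus privacy-aware L1 (adaptive=True)."""
    theta, weights = [0.0] * DIM, [1.0] * DIM
    for step in range(steps):
        if adaptive and step % refresh_every == 0:  # assumed refresh schedule
            weights = adaptive_weights(privacy_sensitivity(theta, members, nonmembers))
        grad = loss_gradient(theta, members)
        for j in range(DIM):
            theta[j] = soft_threshold(theta[j] - lr * grad[j], lr * lam * weights[j])
    return theta


def loss_gap(theta, members, nonmembers):
    return mean_loss(theta, nonmembers) - mean_loss(theta, members)


def loss_threshold_mia_advantage(theta, members, nonmembers):
    """Best TPR - FPR of an attacker calling a sample 'member' when its loss is below a threshold."""
    m_losses = [sample_loss(theta, x, y) for x, y in members]
    n_losses = [sample_loss(theta, x, y) for x, y in nonmembers]
    best = 0.0
    for thr in m_losses + n_losses:
        tpr = sum(1 for l in m_losses if l <= thr) / len(m_losses)
        fpr = sum(1 for l in n_losses if l <= thr) / len(n_losses)
        best = max(best, tpr - fpr)
    return best


def compare(seed=0, lam=0.01):
    rng = random.Random(seed)
    members = make_dataset(30, rng)
    reference = make_dataset(30, rng)  # held-out non-members used only for the loss gap
    test = make_dataset(200, rng)      # fresh points for the attack, never seen by the defense
    results = {}
    for name, adaptive in (("uniform_l1", False), ("past", True)):
        theta = train(members, reference, lam, adaptive)
        results[name] = {
            "loss_gap": loss_gap(theta, members, test),
            "mia_advantage": loss_threshold_mia_advantage(theta, members, test),
            "nonzero_params": sum(1 for t in theta if t != 0.0),
            "test_loss": mean_loss(theta, test),
        }
    return results


if __name__ == "__main__":
    for name, r in compare().items():
        print(name, {k: round(v, 3) for k, v in r.items()})
```

Running the script prints, for the uniform and the privacy-aware penalty, the member/non-member loss gap, the loss-threshold attacker's advantage, the number of surviving non-zero parameters and the test loss, so the privacy-utility tradeoff can be read off side by side. The separation between the reference set (used to compute sensitivities) and the test set (used to score the attack) matters: scoring the attack on the same non-members that shaped the penalty would overstate the defense.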
Peer Reviews
Decision: Submitted to ICLR 2025
I believe it is a very strong paper. It combines an interesting and novel observation (privacy sensitivity is distributed unevenly across model parameters) with a simple yet effective method to utilise this observation to solve a concrete and well-known problem of defending against MIAs. The empirical evidence is also thorough and convincing. * The paper uses a clever technique, computing the gradient of the loss gap, to estimate each individual parameter's contribution to the privacy risk. It yiel
As far as I can see, the authors do not consider SOTA shadow-model based attacks like LiRA ([Carlini et al., 2022](https://arxiv.org/abs/2112.03570)) and Attack R ([Ye et al., 2022](https://arxiv.org/abs/2111.09679)). It would be important to understand whether their findings hold for a strong MIA adversary capable of training shadow models.
The authors perform a thorough analysis of the distribution of model parameters and its effects on privacy attacks. It is expected to see that only a small portion of parameters contribute to the privacy leakage. The following sparsity technique also makes sense.
While I agree that in general the average losses of members and non-members are different, shrinking this gap with the proposed sparsity technique can be effective against those loss-based (or related) MIAs. But it may not be able to defend against other more advanced state-of-the-art MIAs. Here are my two main concerns: 1. The evaluation metric for privacy is outdated; this metric has been criticized in many recent MIAs [R1] D. Hintersdorf, L. Struppek, and K. Kersting, "To trust or not to t
This paper acknowledges the different impacts of parameters on privacy leakage and proposes an adaptive approach to promote privacy-aware weight specifications for each parameter. This is an important consideration for privacy protection. In addition, the paper involves extensive numerical experiments to show the superiority of the proposed PAST.
There are flaws and issues in the motivation of considering the loss gap, the consistency between the attacker advantage and the loss gap as the functional proxy of privacy risk, the experimental setup, and the characterizations related to the privacy-utility tradeoff. I would be open to increasing the score if the authors can adequately address my concerns during the rebuttal. Comment 1: The rationale for using the loss gap as a proxy risk for privacy is unclear. Specifically, the reference
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Cryptography and Data Security · Access Control and Trust
Methods: L1 Regularization
