Hyperparameters in Score-Based Membership Inference Attacks

TL;DR

This paper investigates how hyperparameters affect score-based membership inference attacks and introduces a method to select hyperparameters without prior knowledge, showing comparable attack effectiveness and analyzing privacy risks in differentially private transfer learning.

Contribution

It demonstrates that hyperparameters are not needed from the target model for effective MIAs in transfer learning and proposes a distribution-matching approach for hyperparameter selection.

Findings

Hyperparameters are not essential for effective MIAs in transfer learning.

Distribution-matching approach yields shadow models with similar attack performance.

HPO in differentially private transfer learning does not significantly increase privacy risks.

Abstract

Membership Inference Attacks (MIAs) have emerged as a valuable framework for evaluating privacy leakage by machine learning models. Score-based MIAs are distinguished, in particular, by their ability to exploit the confidence scores that the model generates for particular inputs. Existing score-based MIAs implicitly assume that the adversary has access to the target model's hyperparameters, which can be used to train the shadow models for the attack. In this work, we demonstrate that the knowledge of target hyperparameters is not a prerequisite for MIA in the transfer learning setting. Based on this, we propose a novel approach to select the hyperparameters for training the shadow models for MIA when the attacker has no prior knowledge about them by matching the output distributions of target and shadow models. We demonstrate that using the new approach yields hyperparameters that lead to an attack near indistinguishable in performance from an attack that uses target hyperparameters to train the shadow models. Furthermore, we study the empirical privacy risk of unaccounted use of training data for hyperparameter optimization (HPO) in differentially private (DP) transfer learning. We find no statistically significant evidence that performing HPO using training data would increase vulnerability to MIA.