Dynamic Probabilistic Noise Injection for Membership Inference Defense

TL;DR

This paper introduces DynaNoise, an adaptive noise injection method at inference time that adjusts noise based on query sensitivity to defend against membership inference attacks while preserving model accuracy.

Contribution

The paper proposes DynaNoise, a novel adaptive inference-time defense that modulates noise based on query sensitivity, improving privacy protection without significant accuracy loss.

Findings

DynaNoise significantly reduces attack success rates.

It maintains competitive model accuracy.

It outperforms existing defenses on benchmark datasets.

Abstract

Membership Inference Attacks (MIAs) expose privacy risks by determining whether a specific sample was part of a model's training set. These threats are especially serious in sensitive domains such as healthcare and finance. Traditional mitigation techniques, such as static differential privacy, rely on injecting a fixed amount of noise during training or inference. However, this often leads to a detrimental trade-off: the noise may be insufficient to counter sophisticated attacks or, when increased, can substantially degrade model accuracy. To address this limitation, we propose DynaNoise, an adaptive inference-time defense that modulates injected noise based on per-query sensitivity. DynaNoise estimates risk using measures such as Shannon entropy and scales the noise variance accordingly, followed by a smoothing step that re-normalizes the perturbed outputs to preserve predictive utility. We further introduce MIDPUT (Membership Inference Defense Privacy-Utility Trade-off), a scalar metric that captures both privacy gains and accuracy retention. Our evaluation on several benchmark datasets demonstrates that DynaNoise substantially lowers attack success rates while maintaining competitive accuracy, achieving strong overall MIDPUT scores compared to state-of-the-art defenses.