When Better Features Mean Greater Risks: The Performance-Privacy Trade-Off in Contrastive Learning

TL;DR

This paper investigates privacy risks in contrastive learning encoder models, revealing that improved feature extraction capabilities increase privacy leakage, and introduces a novel attack method based on feature vector p-norms that outperforms existing techniques.

Contribution

It systematically analyzes privacy leakage in contrastive learning, and proposes the Embedding Lp-Norm Likelihood Attack (LpLA), a new method leveraging feature vector p-norms for membership inference.

Findings

Advanced encoder architectures increase privacy leakage.

LpLA outperforms existing attacks in effectiveness and robustness.

Privacy risks are significant in self-supervised contrastive learning models.

Abstract

With the rapid advancement of deep learning technology, pre-trained encoder models have demonstrated exceptional feature extraction capabilities, playing a pivotal role in the research and application of deep learning. However, their widespread use has raised significant concerns about the risk of training data privacy leakage. This paper systematically investigates the privacy threats posed by membership inference attacks (MIAs) targeting encoder models, focusing on contrastive learning frameworks. Through experimental analysis, we reveal the significant impact of model architecture complexity on membership privacy leakage: As more advanced encoder frameworks improve feature-extraction performance, they simultaneously exacerbate privacy-leakage risks. Furthermore, this paper proposes a novel membership inference attack method based on the p-norm of feature vectors, termed the Embedding Lp-Norm Likelihood Attack (LpLA). This method infers membership status, by leveraging the statistical distribution characteristics of the p-norm of feature vectors. Experimental results across multiple datasets and model architectures demonstrate that LpLA outperforms existing methods in attack performance and robustness, particularly under limited attack knowledge and query volumes. This study not only uncovers the potential risks of privacy leakage in contrastive learning frameworks, but also provides a practical basis for privacy protection research in encoder models. We hope that this work will draw greater attention to the privacy risks associated with self-supervised learning models and shed light on the importance of a balance between model utility and training data privacy. Our code is publicly available at: https://github.com/SeroneySun/LpLA_code.