Evaluating the Dynamics of Membership Privacy in Deep Learning

TL;DR

This paper introduces a dynamic analytical framework to understand how membership privacy risks evolve during deep learning training, revealing early indicators of vulnerability and influencing privacy-preserving strategies.

Contribution

It presents a novel framework for tracking privacy leakage at the individual sample level throughout training, enhancing understanding of when and how privacy risks emerge.

Findings

Privacy risk correlates with sample difficulty.

Vulnerable samples are identified early in training.

Training factors influence privacy leakage dynamics.

Abstract

Membership inference attacks (MIAs) pose a critical threat to the privacy of training data in deep learning. Despite significant progress in attack methodologies, our understanding of when and how models encode membership information during training remains limited. This paper presents a dynamic analytical framework for dissecting and quantifying privacy leakage dynamics at the individual sample level. By tracking per-sample vulnerabilities on an FPR-TPR plane throughout training, our framework systematically measures how factors such as dataset complexity, model architecture, and optimizer choice influence the rate and severity at which samples become vulnerable. Crucially, we discover a robust correlation between a sample's intrinsic learning difficulty, and find that the privacy risk of samples highly vulnerable in the final trained model is largely determined early during training. Our results thus provide a deeper understanding of how privacy risks dynamically emerge during training, laying the groundwork for proactive, privacy-aware model training strategies.