Membership Inference Attacks with False Discovery Rate Control

TL;DR

This paper introduces a novel membership inference attack method that guarantees false discovery rate control, addressing a key limitation of existing MIAs and enhancing their reliability in various settings.

Contribution

The paper proposes a new MIA technique that provides FDR guarantees and can be integrated with existing methods as a post-hoc wrapper.

Findings

The method effectively controls false discovery rate in experiments.

It can be applied in black-box and lifelong learning scenarios.

Theoretical analysis supports its reliability.

Abstract

Recent studies have shown that deep learning models are vulnerable to membership inference attacks (MIAs), which aim to infer whether a data record was used to train a target model or not. To analyze and study these vulnerabilities, various MIA methods have been proposed. Despite the significance and popularity of MIAs, existing works on MIAs are limited in providing guarantees on the false discovery rate (FDR), which refers to the expected proportion of false discoveries among the identified positive discoveries. However, it is very challenging to ensure the false discovery rate guarantees, because the underlying distribution is usually unknown, and the estimated non-member probabilities often exhibit interdependence. To tackle the above challenges, in this paper, we design a novel membership inference attack method, which can provide the guarantees on the false discovery rate. Additionally, we show that our method can also provide the marginal probability guarantee on labeling true non-member data as member data. Notably, our method can work as a wrapper that can be seamlessly integrated with existing MIA methods in a post-hoc manner, while also providing the FDR control. We perform the theoretical analysis for our method. Extensive experiments in various settings (e.g., the black-box setting and the lifelong learning setting) are also conducted to verify the desirable performance of our method.