Membership Inference Attacks Beyond Overfitting
Mona Khalil, Alberto Blanco-Justicia, Najeeb Jebreel, Josep Domingo-Ferrer

TL;DR
This paper investigates why machine learning models leak training data information beyond overfitting, identifying outliers as vulnerable samples and proposing targeted defenses to improve privacy protections.
Contribution
It reveals that non-overfitted models can still leak information through outliers and suggests defenses specifically targeting these vulnerable data points.
Findings
Outliers within classes are more vulnerable to membership inference attacks.
Non-overfitted models can leak training data information.
Targeted defenses can mitigate vulnerabilities of outlier samples.
Abstract
Membership inference attacks (MIAs) against machine learning (ML) models aim to determine whether a given data point was part of the model training data. These attacks may pose significant privacy risks to individuals whose sensitive data were used for training, which motivates the use of defenses such as differential privacy, often at the cost of high accuracy losses. MIAs exploit the differences in the behavior of a model when making predictions on samples it has seen during training (members) versus those it has not seen (non-members). Several studies have pointed out that model overfitting is the major factor contributing to these differences in behavior and, consequently, to the success of MIAs. However, the literature also shows that even non-overfitted ML models can leak information about a small subset of their training data. In this paper, we investigate the root causes of…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Privacy-Preserving Technologies in Data · Explainable Artificial Intelligence (XAI)
