Sequential Membership Inference Attacks

TL;DR

This paper introduces Sequential Membership Inference (SeMI) attacks that exploit model sequences over time to improve privacy auditing, demonstrating higher attack power and tighter privacy assessments.

Contribution

The paper presents SeMI*, an optimal attack leveraging model sequences for more effective membership inference, and develops practical white-box and black-box SeMI attacks.

Findings

SeMI* outperforms snapshot-independent baselines in attack power.

Accessing model sequences yields more powerful MI attacks.

SeMI attacks provide tighter privacy audits by controlling insertion time.

Abstract

Modern AI models are not static. They go through multiple updates in their lifecycles. We propose to design Sequential Membership Inference (SeMI) attacks leading to tighter privacy audits by exploiting the sequence of models and injecting a target canary at a controlled insertion time. First, for empirical mean computation, we develop SeMI*, an {optimal SeMI attack to identify the presence of a target inserted at a specific insertion step}. We derive the power of SeMI* to show that accessing the model sequence yields more powerful MI attacks than scrutinising only the final model. SeMI* exhibits an isolation property -- its power depends on the statistics obtained right before and after insertion of the target. Leveraging this insight, we develop practical white-box (accessing model gradients) and black-box (accessing loss) SeMI attacks against models trained with (DP-)SGD. Across datasets and models trained with (DP-)SGD, our experiments show that SeMI attacks achieve higher powers than snapshot-independent baselines, and yield tighter privacy audits thanks to (a) control over the insertion time and (b) observations across the model sequence.