A Critical Review on the Effectiveness and Privacy Threats of Membership Inference Attacks

TL;DR

This paper critically reviews membership inference attacks (MIAs), proposing an evaluation framework that shows MIAs often pose weak privacy threats under realistic conditions, cautioning against overestimating privacy risks.

Contribution

It introduces a framework for assessing the true privacy threat of MIAs and demonstrates that under realistic scenarios, MIAs are less threatening than previously thought.

Findings

MIAs are weak privacy threats under realistic conditions

Current use of MIAs may overestimate privacy risks

Strong defenses can unnecessarily reduce model utility

Abstract

Membership inference attacks (MIAs) aim to determine whether a data sample was included in a machine learning (ML) model's training set and have become the de facto standard for measuring privacy leakages in ML. We propose an evaluation framework that defines the conditions under which MIAs constitute a genuine privacy threat, and review representative MIAs against it. We find that, under the realistic conditions defined in our framework, MIAs represent weak privacy threats. Thus, relying on them as a privacy metric in ML can lead to an overestimation of risk and to unnecessary sacrifices in model utility as a consequence of employing too strong defenses.