Uncovering Memorization in Timeseries Imputation models: LBRM Membership Inference and its link to attribute Leakage

TL;DR

This paper reveals privacy vulnerabilities in time series imputation models, demonstrating novel membership and attribute inference attacks that can extract sensitive training data and characteristics, raising privacy concerns in critical applications.

Contribution

Introduces a two-stage attack framework with a novel membership inference method and the first attribute inference attack for time series models, applicable to various architectures and training scenarios.

Findings

Membership attack achieves high detection accuracy

Attribute inference predicts sensitive data with 90% precision

Attacks are effective on attention-based and autoencoder models

Abstract

Deep learning models for time series imputation are now essential in fields such as healthcare, the Internet of Things (IoT), and finance. However, their deployment raises critical privacy concerns. Beyond the well-known issue of unintended memorization, which has been extensively studied in generative models, we demonstrate that time series models are vulnerable to inference attacks in a black-box setting. In this work, we introduce a two-stage attack framework comprising: (1) a novel membership inference attack based on a reference model that improves detection accuracy, even for models robust to overfitting-based attacks, and (2) the first attribute inference attack that predicts sensitive characteristics of the training data for timeseries imputation model. We evaluate these attacks on attention-based and autoencoder architectures in two scenarios: models that are trained from scratch, and fine-tuned models where the adversary has access to the initial weights. Our experimental results demonstrate that the proposed membership attack retrieves a significant portion of the training data with a tpr@top25% score significantly higher than a naive attack baseline. We show that our membership attack also provides a good insight of whether attribute inference will work (with a precision of 90% instead of 78% in the genral case).