ReproMIA: A Comprehensive Analysis of Model Reprogramming for Proactive Membership Inference Attacks

TL;DR

ReproMIA introduces a proactive, efficient framework leveraging model reprogramming to enhance membership inference attacks, significantly improving privacy leakage detection across diverse models and benchmarks.

Contribution

It presents a novel approach that magnifies latent privacy footprints using model reprogramming, outperforming existing methods in low-FPR regimes across multiple architectures.

Findings

ReproMIA achieves an average of 5.25% higher AUC in LLMs.

ReproMIA improves TPR@1%FPR by 10.68% in LLMs.

ReproMIA outperforms baselines across over ten benchmarks.

Abstract

The pervasive deployment of deep learning models across critical domains has concurrently intensified privacy concerns due to their inherent propensity for data memorization. While Membership Inference Attacks (MIAs) serve as the gold standard for auditing these privacy vulnerabilities, conventional MIA paradigms are increasingly constrained by the prohibitive computational costs of shadow model training and a precipitous performance degradation under low False Positive Rate constraints. To overcome these challenges, we introduce a novel perspective by leveraging the principles of model reprogramming as an active signal amplifier for privacy leakage. Building upon this insight, we present \texttt{ReproMIA}, a unified and efficient proactive framework for membership inference. We rigorously substantiate, both theoretically and empirically, how our methodology proactively induces and magnifies latent privacy footprints embedded within the model's representations. We provide specialized instantiations of \texttt{ReproMIA} across diverse architectural paradigms, including LLMs, Diffusion Models, and Classification Models. Comprehensive experimental evaluations across more than ten benchmarks and a variety of model architectures demonstrate that \texttt{ReproMIA} consistently and substantially outperforms existing state-of-the-art baselines, achieving a transformative leap in performance specifically within low-FPR regimes, such as an average of 5.25\% AUC and 10.68\% TPR@1\%FPR increase over the runner-up for LLMs, as well as 3.70\% and 12.40\% respectively for Diffusion Models.