CR · LG · ML · Oct 18, 2016

Membership Inference Attacks against Machine Learning Models

arXiv:1610.05820v2 · 5255 citations
Originality: Highly original
AI Analysis

This paper addresses privacy risks for users of machine learning services, particularly in sensitive domains like healthcare, by exposing vulnerabilities in widely used commercial models.

The paper tackles the problem of machine learning models leaking information about their training data through membership inference attacks, where an adversary can determine if a specific record was part of the training set, and shows that commercial models from providers like Google and Amazon are vulnerable to such attacks.

We quantitatively investigate how machine learning models leak information about the individual data records on which they were trained. We focus on the basic membership inference attack: given a data record and black-box access to a model, determine if the record was in the model's training dataset. To perform membership inference against a target model, we make adversarial use of machine learning and train our own inference model to recognize differences in the target model's predictions on the inputs that it trained on versus the inputs that it did not train on. We empirically evaluate our inference techniques on classification models trained by commercial "machine learning as a service" providers such as Google and Amazon. Using realistic datasets and classification tasks, including a hospital discharge dataset whose membership is sensitive from the privacy perspective, we show that these models can be vulnerable to membership inference attacks. We then investigate the factors that influence this leakage and evaluate mitigation strategies.

Code Implementations: 11 repos

Data from Papers with Code (CC-BY-SA-4.0)
