Optimal Membership Inference Bounds for Adaptive Composition of Sampled Gaussian Mechanisms
This work addresses the problem of providing more accurate privacy guarantees against membership inference attacks for machine learning practitioners, offering a substantial improvement over existing DP-based bounds.
The paper tackles the gap between differential privacy (DP) bounds and empirical membership inference (MI) attack performance by deriving tighter bounds for MI advantage and confidence, specifically for the Gaussian mechanism, showing a significant improvement from ≈0.97 to ≈0.36 in an example with DP-SGD at ε=4.
Given a trained model and a data sample, membership-inference (MI) attacks predict whether the sample was in the model's training set. A common countermeasure against MI attacks is to utilize differential privacy (DP) during model training to mask the presence of individual examples. While this use of DP is a principled approach to limit the efficacy of MI attacks, there is a gap between the bounds provided by DP and the empirical performance of MI attacks. In this paper, we derive bounds for the \textit{advantage} of an adversary mounting a MI attack, and demonstrate tightness for the widely-used Gaussian mechanism. We further show bounds on the \textit{confidence} of MI attacks. Our bounds are much stronger than those obtained by DP analysis. For example, analyzing a setting of DP-SGD with $ε=4$ would obtain an upper bound on the advantage of $\approx0.36$ based on our analyses, while getting bound of $\approx 0.97$ using the analysis of previous work that convert $ε$ to membership inference bounds. Finally, using our analysis, we provide MI metrics for models trained on CIFAR10 dataset. To the best of our knowledge, our analysis provides the state-of-the-art membership inference bounds for the privacy.