LG, CR | Jul 12, 2022

RelaxLoss: Defending Membership Inference Attacks without Losing Utility

arXiv:2207.05801v1 | 61 citations | h-index: 69 | Has Code
Originality: Incremental advance
AI Analysis

This work addresses privacy threats for machine learning practitioners by providing an effective defense against MIAs without compromising utility, though it appears incremental, as it builds on known connections between loss distributions and vulnerability.

The paper tackles the problem of defending against membership inference attacks (MIAs) in machine learning models by proposing RelaxLoss, a novel training framework that narrows the generalization gap and reduces privacy leakage. The results show that RelaxLoss consistently outperforms state-of-the-art defenses on five datasets, with resilience against MIAs and preserved or improved model utility.

As a long-term threat to the privacy of training data, membership inference attacks (MIAs) emerge ubiquitously in machine learning models. Existing works evidence a strong connection between the distinguishability of the training and testing loss distributions and the model's vulnerability to MIAs. Motivated by existing results, we propose a novel training framework based on a relaxed loss with a more achievable learning target, which leads to a narrowed generalization gap and reduced privacy leakage. RelaxLoss is applicable to any classification model with added benefits of easy implementation and negligible overhead. Through extensive evaluations on five datasets with diverse modalities (images, medical data, transaction records), our approach consistently outperforms state-of-the-art defense mechanisms in terms of resilience against MIAs as well as model utility. Our defense is the first that can withstand a wide range of attacks while preserving (or even improving) the target model's utility. Source code is available at https://github.com/DingfanChen/RelaxLoss
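
The link the abstract draws between loss-distribution distinguishability and MIA exposure can be measured on a model's own per-sample losses before release. The following audit is an added example, not code from the paper or its repository; the function names and the exponentially distributed sample losses are constructed for illustration and do not reproduce the paper's results.

```python
import random

def loss_auc(member_losses, nonmember_losses):
    """AUC of the rule 'lower loss => member'; 0.5 means indistinguishable."""
    labelled = sorted([(l, 1) for l in member_losses] +
                      [(l, 0) for l in nonmember_losses])
    rank_sum, i, n = 0.0, 0, len(labelled)
    while i < n:
        j = i
        while j < n and labelled[j][0] == labelled[i][0]:
            j += 1
        # Tied losses share the average of ranks i+1..j (1-indexed).
        avg_rank = (i + 1 + j) / 2.0
        rank_sum += avg_rank * sum(lab for _, lab in labelled[i:j])
        i = j
    m, k = len(member_losses), len(nonmember_losses)
    # Mann-Whitney U: pairs where the member's loss exceeds the non-member's.
    u_members = rank_sum - m * (m + 1) / 2.0
    return 1.0 - u_members / (m * k)

def best_threshold(member_losses, nonmember_losses):
    """Threshold t maximising balanced accuracy of 'loss <= t => member'."""
    best_t, best_acc = None, 0.0
    for t in sorted(set(member_losses) | set(nonmember_losses)):
        tpr = sum(l <= t for l in member_losses) / len(member_losses)
        tnr = sum(l > t for l in nonmember_losses) / len(nonmember_losses)
        acc = (tpr + tnr) / 2
        if acc > best_acc:
            best_t, best_acc = t, acc
    return best_t, best_acc

def constructed_losses(rng, mean, n=500):
    # Constructed sample data: exponential losses with the given mean.
    return [rng.expovariate(1.0 / mean) for _ in range(n)]

def audit(member_mean, nonmember_mean, seed=0):
    """Return (AUC, best balanced accuracy) for one constructed model."""
    rng = random.Random(seed)
    members = constructed_losses(rng, member_mean)
    nonmembers = constructed_losses(rng, nonmember_mean)
    return loss_auc(members, nonmembers), best_threshold(members, nonmembers)[1]

if __name__ == "__main__":
    print("wide train/test loss gap  :", audit(0.05, 0.8))
    print("narrow train/test loss gap:", audit(0.5, 0.6))
```

In practice the two lists would be the per-sample losses of the trained model on its training set and on a held-out set; an AUC well above 0.5 indicates that membership is recoverable from the loss alone.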
