Dissecting Distribution Inference
This work addresses security risks for machine learning practitioners by providing insights into realistic black-box threats and effective defenses, though it is incremental in refining attack and defense strategies.
The paper tackles the problem of understanding distribution inference attacks on machine learning models by developing a new black-box attack that outperforms existing white-box methods, and it finds that a simple re-sampling defense is highly effective while noise-based defenses are ineffective.
A distribution inference attack aims to infer statistical properties of data used to train machine learning models. These attacks are sometimes surprisingly potent, but the factors that impact distribution inference risk are not well understood and demonstrated attacks often rely on strong and unrealistic assumptions such as full knowledge of training environments even in supposedly black-box threat scenarios. To improve understanding of distribution inference risks, we develop a new black-box attack that even outperforms the best known white-box attack in most settings. Using this new attack, we evaluate distribution inference risk while relaxing a variety of assumptions about the adversary's knowledge under black-box access, like known model architectures and label-only access. Finally, we evaluate the effectiveness of previously proposed defenses and introduce new defenses. We find that although noise-based defenses appear to be ineffective, a simple re-sampling defense can be highly effective. Code is available at https://github.com/iamgroot42/dissecting_distribution_inference