Do Parameters Reveal More than Loss for Membership Inference?
This work addresses the problem of accurately assessing data leakage risks for machine learning practitioners and auditors, though it is incremental in advancing white-box attack methods.
The paper tackles the problem of membership inference attacks for disclosure auditing by showing that black-box access is insufficient for optimal attacks under stochastic gradient descent, and introduces a new white-box attack called IHA that uses inverse-Hessian vector products. The result demonstrates that white-box access is necessary for optimal inference, with IHA outperforming prior methods in experiments.
Membership inference attacks are used as a key tool for disclosure auditing. They aim to infer whether an individual record was used to train a model. While such evaluations are useful to demonstrate risk, they are computationally expensive and often make strong assumptions about potential adversaries' access to models and training environments, and thus do not provide tight bounds on leakage from potential attacks. We show how prior claims around black-box access being sufficient for optimal membership inference do not hold for stochastic gradient descent, and that optimal membership inference indeed requires white-box access. Our theoretical results lead to a new white-box inference attack, IHA (Inverse Hessian Attack), that explicitly uses model parameters by taking advantage of computing inverse-Hessian vector products. Our results show that both auditors and adversaries may be able to benefit from access to model parameters, and we advocate for further research into white-box methods for membership inference.