MCMC for Bayesian estimation of Differential Privacy from Membership Inference Attacks
This work addresses the need for more realistic privacy auditing in machine learning, though it is incremental as it builds on existing Bayesian and MCMC methods.
The paper tackles the problem of estimating differential privacy parameters from membership inference attacks by proposing a Bayesian framework that uses MCMC to estimate the full posterior distribution, yielding more cautious privacy analyses without assuming worst-case scenarios.
We propose a new framework for Bayesian estimation of differential privacy, incorporating evidence from multiple membership inference attacks (MIA). Bayesian estimation is carried out via a Markov chain Monte Carlo (MCMC) algorithm, named MCMC-DP-Est, which provides an estimate of the full posterior distribution of the privacy parameter (e.g., instead of just credible intervals). Critically, the proposed method does not assume that privacy auditing is performed with the most powerful attack on the worst-case (dataset, challenge point) pair, which is typically unrealistic. Instead, MCMC-DP-Est jointly estimates the strengths of MIAs used and the privacy of the training algorithm, yielding a more cautious privacy analysis. We also present an economical way to generate measurements for the performance of an MIA that is to be used by the MCMC method to estimate privacy. We present the use of the methods with numerical examples with both artificial and real data.