Evaluating the Dynamics of Membership Privacy in Deep Learning
This work addresses privacy threats for machine learning practitioners by providing insights into dynamic privacy leakage, though it is incremental as it builds on existing membership inference attack research.
The paper tackles the problem of understanding when and how deep learning models encode membership information during training, revealing that privacy risks for vulnerable samples are largely determined early in training and correlate with intrinsic learning difficulty.
Membership inference attacks (MIAs) pose a critical threat to the privacy of training data in deep learning. Despite significant progress in attack methodologies, our understanding of when and how models encode membership information during training remains limited. This paper presents a dynamic analytical framework for dissecting and quantifying privacy leakage dynamics at the individual sample level. By tracking per-sample vulnerabilities on an FPR-TPR plane throughout training, our framework systematically measures how factors such as dataset complexity, model architecture, and optimizer choice influence the rate and severity at which samples become vulnerable. Crucially, we discover a robust correlation between a sample's intrinsic learning difficulty, and find that the privacy risk of samples highly vulnerable in the final trained model is largely determined early during training. Our results thus provide a deeper understanding of how privacy risks dynamically emerge during training, laying the groundwork for proactive, privacy-aware model training strategies.