Generalization and Membership Inference Attack: A Practical Perspective
This work addresses privacy risks in machine learning for practitioners by showing how generalization techniques can mitigate Membership Inference Attacks (MIA). It is incremental, as it builds on existing debates and methods.
The paper examines the correlation between model generalization and MIA success rates by empirically testing augmentation and early stopping techniques. It finds that these methods can reduce attack performance by up to 100 times, and that combining them decreases attack effectiveness further through added randomness.
With the emergence of new evaluation metrics and attack methodologies for Membership Inference Attacks (MIA), it becomes essential to reevaluate previously accepted assumptions. In this paper, we revisit the longstanding debate regarding the correlation between MIA success rates and model generalization using an empirical approach. We focused on employing augmentation techniques and early stopping to enhance model generalization and examined their impact on MIA success rates. We found that utilizing advanced generalization techniques can significantly decrease attack performance, potentially by up to 100 times. Moreover, combining these methods not only improves model generalization but also reduces attack effectiveness by introducing randomness during training. Additionally, our study confirmed the direct impact of generalization on MIA performance through an analysis of over 1K models in a controlled environment.