LG, CR, DB, May 12

FERMI: Exploiting Relations for Membership Inference Against Tabular Diffusion Models

arXiv:2605.11527
AI Analysis

For privacy auditors, FERMI reveals that relational auxiliary information can significantly increase privacy risks in multi-table tabular diffusion models, challenging current privacy assessments.

FERMI improves membership inference attacks against tabular diffusion models by exploiting relational structure, achieving up to 53% higher TPR@0.1FPR in white-box and 22% in black-box settings over single-table baselines.

Diffusion models are the leading approach for tabular data synthesis and are increasingly used to share sensitive records. Whether they actually protect privacy has become a pressing question. Membership inference attacks are the standard tool for this purpose, yet existing attacks assume a single-table setting and ignore the multi-relational structure of real sensitive data. A core challenge in assessing privacy risks from membership inference attacks in multi-table settings is how to leverage auxiliary information from relations associated with the target table, such as its parent tables. Particularly, we study a practical setting in which such auxiliary information is available only when training the attack model. At inference time, the attacker observes only the attribute values of the target record from the target table. We propose FERMI (FEature-mapping for Relational Membership Inference), which resolves this gap by enriching single-table features with relational membership signal. Across three tabular diffusion architectures and three real-world relational datasets, FERMI consistently improves attack performance over single-table baselines, with TPR@$0.1$FPR rising by up to 53% over the single-table baseline in the white-box setting and 22% in the black-box setting.
