Membership inference (MI) attacks try to determine if a data sample was used to train a machine learning model. For foundation models trained on unknown Web data, MI attacks can be used to detect copyrighted training materials, measure test set contamination, or audit machine unlearning. Unfortunately, we find that evaluations of MI attacks for foundation models are flawed, because they sample members and non-members from different distributions. For 8 published MI evaluation datasets, we show that blind attacks -- that distinguish the member and non-member distributions without looking at any trained model -- outperform state-of-the-art MI attacks. Existing evaluations thus tell us nothing about membership leakage of a foundation model's training data.

翻译：成员推断攻击旨在判断某个数据样本是否被用于训练机器学习模型。对于基于未知网络数据训练的基础模型，此类攻击可用于检测受版权保护的训练材料、衡量测试集污染程度或验证机器遗忘效果。然而，我们发现当前针对基础模型的成员推断攻击评估存在缺陷，因其从不同分布中分别采样成员与非成员数据。通过对8个已公开的成员推断评估数据集进行实验，我们证明盲攻击方法——即在不观察任何已训练模型的情况下直接区分成员与非成员分布——能够超越现有最先进的成员推断攻击。这表明现有评估方法完全无法反映基础模型训练数据的成员信息泄露情况。