Data is the foundation of most science. Unfortunately, sharing data can be obstructed by the risk of violating data privacy, impeding research in fields like healthcare. Synthetic data is a potential solution. It aims to generate data that has the same distribution as the original data, but that does not disclose information about individuals. Membership Inference Attacks (MIAs) are a common privacy attack, in which the attacker attempts to determine whether a particular real sample was used for training of the model. Previous works that propose MIAs against generative models either display low performance -- giving the false impression that data is highly private -- or need to assume access to internal generative model parameters -- a relatively low-risk scenario, as the data publisher often only releases synthetic data, not the model. In this work we argue for a realistic MIA setting that assumes the attacker has some knowledge of the underlying data distribution. We propose DOMIAS, a density-based MIA model that aims to infer membership by targeting local overfitting of the generative model. Experimentally we show that DOMIAS is significantly more successful at MIA than previous work, especially at attacking uncommon samples. The latter is disconcerting since these samples may correspond to underrepresented groups. We also demonstrate how DOMIAS' MIA performance score provides an interpretable metric for privacy, giving data publishers a new tool for achieving the desired privacy-utility trade-off in their synthetic data.

翻译：数据是大多数科学领域的基础。然而，数据共享可能因违反数据隐私的风险而受阻，这阻碍了医疗保健等领域的研究。合成数据是一种潜在的解决方案，旨在生成与原始数据分布相同但不泄露个体信息的数据。成员推断攻击是一种常见的隐私攻击，攻击者试图判断特定真实样本是否用于模型训练。以往针对生成模型的成员推断攻击研究，要么性能低下——造成数据高度隐私的虚假印象，要么需要假设可访问内部生成模型参数——这属于相对低风险场景，因为数据发布者通常仅发布合成数据而非模型本身。本研究提出一种更现实的成员推断攻击场景，假设攻击者对底层数据分布具有一定了解。我们提出DOMIAS，一种基于密度的成员推断攻击模型，通过定位生成模型的局部过拟合来推断成员身份。实验表明，DOMIAS在成员推断攻击中的成功率显著高于以往工作，尤其在攻击罕见样本时表现突出。后者令人担忧，因为这些样本可能对应数据中的弱势群体。我们还展示了DOMIAS的成员推断攻击性能得分如何作为隐私的可解释度量，为数据发布者提供新工具，以在其合成数据中实现理想的隐私-效用权衡。