Membership inference attacks (MIAs) are used to test the practical privacy of machine learning models. MIAs complement the formal guarantees of differential privacy (DP) by operating under a more realistic adversary model. We analyse the MIA vulnerability of fine-tuned neural networks both empirically and theoretically, the latter using a simplified model of fine-tuning. We show that the vulnerability of non-DP models, measured as the attacker advantage at a fixed false positive rate, decreases according to a simple power law as the number of examples per class increases. A similar power law applies even to the most vulnerable points, but the dataset size needed to adequately protect them is very large.
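As a rough illustrative sketch (not taken from the paper), the two quantities in the abstract can be made concrete: the attacker advantage at a fixed false positive rate is the true positive rate of a score-thresholding attack when the threshold is calibrated on non-member scores, and the power law can be estimated by a linear fit in log-log space. The function name `tpr_at_fpr` and all numbers below are assumptions; the data are synthetic, for illustration only.

```python
import numpy as np

def tpr_at_fpr(member_scores, nonmember_scores, fpr_target=0.001):
    """True positive rate of a score-thresholding attack at a fixed FPR.

    The threshold is set so that a fraction `fpr_target` of non-member
    scores is (falsely) flagged as members; the TPR is then the fraction
    of member scores above that threshold.
    """
    thresh = np.quantile(nonmember_scores, 1.0 - fpr_target)
    return float(np.mean(member_scores > thresh))

# Hypothetical measurements: attack TPR at FPR = 0.1% for models
# fine-tuned with S examples per class (synthetic numbers).
shots = np.array([1, 2, 4, 8, 16, 32])
tpr = np.array([0.30, 0.17, 0.10, 0.055, 0.032, 0.018])

# Fit vulnerability ~ c * S**(-alpha) via linear regression in log-log space:
# log(tpr) = log(c) - alpha * log(S).
slope, log_c = np.polyfit(np.log(shots), np.log(tpr), deg=1)
print(f"estimated exponent alpha = {-slope:.2f}, prefactor c = {np.exp(log_c):.2f}")
```

Under such a fit, extrapolating the power law indicates how many examples per class would be needed to push the vulnerability of the most exposed points below a target level, which is the sense in which the required dataset size becomes very large.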