Membership Inference Attacks (MIAs) expose privacy risks by determining whether a specific sample was part of a model's training set. These threats are especially serious in sensitive domains such as healthcare and finance. Traditional mitigation techniques, such as static differential privacy, rely on injecting a fixed amount of noise during training or inference. However, this often leads to a detrimental trade-off: the noise may be insufficient to counter sophisticated attacks or, when increased, can substantially degrade model accuracy. To address this limitation, we propose DynaNoise, an adaptive inference-time defense that modulates injected noise based on per-query sensitivity. DynaNoise estimates risk using measures such as Shannon entropy and scales the noise variance accordingly, followed by a smoothing step that re-normalizes the perturbed outputs to preserve predictive utility. We further introduce MIDPUT (Membership Inference Defense Privacy-Utility Trade-off), a scalar metric that captures both privacy gains and accuracy retention. Our evaluation on several benchmark datasets demonstrates that DynaNoise substantially lowers attack success rates while maintaining competitive accuracy, achieving strong overall MIDPUT scores compared to state-of-the-art defenses.

翻译：成员推理攻击通过判断特定样本是否属于模型训练集来暴露隐私风险，此类威胁在医疗和金融等敏感领域尤为严重。传统防御技术（如静态差分隐私）依赖于在训练或推理阶段注入固定强度的噪声，但这通常会导致两难权衡：噪声强度不足时难以抵御复杂攻击，而增强噪声又会显著降低模型准确性。为突破这一局限，我们提出DynaNoise——一种基于查询敏感度动态调节噪声强度的自适应推理阶段防御方法。该方法通过香农熵等度量指标评估风险，并据此调整噪声方差，随后通过平滑步骤对扰动后的输出进行重归一化以保持预测效用。我们进一步提出MIDPUT（成员推理防御的隐私-效用权衡指标），该标量指标可同时量化隐私增益与精度保持程度。在多个基准数据集上的实验表明，DynaNoise能显著降低攻击成功率，同时保持具有竞争力的模型精度，相较于现有先进防御方法获得了更优的MIDPUT综合评分。