In a Membership Inference (MI) game, an attacker tries to infer whether a target point was included or not in the input of an algorithm. Existing works show that some target points are easier to identify, while others are harder. This paper explains the target-dependent hardness of membership attacks by studying the powers of the optimal attacks in a fixed-target MI game. We characterise the optimal advantage and trade-off functions of attacks against the empirical mean in terms of the Mahalanobis distance between the target point and the data-generating distribution. We further derive the impacts of two privacy defences, i.e. adding Gaussian noise and sub-sampling, and that of target misspecification on optimal attacks. As by-products of our novel analysis of the Likelihood Ratio (LR) test, we provide a new covariance attack which generalises and improves the scalar product attack. Also, we propose a new optimal canary-choosing strategy for auditing privacy in the white-box federated learning setting. Our experiments validate that the Mahalanobis score explains the hardness of fixed-target MI games.

翻译：在成员推断（MI）博弈中，攻击者试图推断目标点是否被包含在算法的输入中。现有研究表明，某些目标点更容易被识别，而另一些则更难。本文通过研究固定目标MI博弈中最优攻击的效能，解释了成员攻击的目标依赖难度。我们依据目标点与数据生成分布之间的马氏距离，刻画了针对经验均值的最优攻击优势函数与权衡函数。进一步推导了两种隐私防御机制（即添加高斯噪声和子采样）以及目标设定错误对最优攻击的影响。作为对似然比（LR）检验新分析的副产品，我们提出了一种新的协方差攻击，该攻击推广并改进了标量积攻击。此外，我们提出了一种新的最优"金丝雀"选择策略，用于白盒联邦学习场景下的隐私审计。实验验证了马氏分数能够解释固定目标MI博弈的难度。