Transfer learning has become an increasingly popular technique in machine learning as a way to leverage a pretrained model trained for one task to assist with building a finetuned model for a related task. This paradigm has been especially popular for privacy in machine learning, where the pretrained model is considered public, and only the data for finetuning is considered sensitive. However, there are reasons to believe that the data used for pretraining is still sensitive, making it essential to understand how much information the finetuned model leaks about the pretraining data. In this work we propose a new membership-inference threat model where the adversary only has access to the finetuned model and would like to infer the membership of the pretraining data. To realize this threat model, we implement a novel metaclassifier-based attack, TMI, that leverages the influence of memorized pretraining samples on predictions in the downstream task. We evaluate TMI on both vision and natural language tasks across multiple transfer learning settings, including finetuning with differential privacy. Through our evaluation, we find that TMI can successfully infer membership of pretraining examples using query access to the finetuned model.

翻译：迁移学习已成为机器学习中日益流行的技术，其利用为一项任务预训练的模型来辅助构建相关任务的微调模型。这一范式在机器学习隐私领域尤为常见，其中预训练模型被视为公开，而仅微调数据被视为敏感。然而，有理由相信预训练数据仍具敏感性，因此理解微调模型泄露预训练数据信息的程度至关重要。本文提出一种新的成员推断威胁模型，其中攻击者仅能访问微调模型，并试图推断预训练数据的成员身份。为实现该威胁模型，我们设计了一种基于元分类器的新型攻击方法TMI，该方法利用记忆化预训练样本在下游任务预测中的影响力。我们在包括差分隐私微调在内的多种迁移学习设置下，对视觉和自然语言任务评估了TMI。评估结果表明，TMI能够通过查询微调模型成功推断预训练样本的成员身份。