Optimization algorithms that seek flatter minima, such as Sharpness-Aware Minimization (SAM), are credited with improved generalization and robustness to noise. We ask whether such gains impact membership privacy. Surprisingly, we find that SAM is more prone to Membership Inference Attacks (MIA) than classical SGD across multiple datasets and attack methods, despite achieving lower test error. This suggests that the geometric mechanism of SAM that improves generalization simultaneously exacerbates membership leakage. We investigate this phenomenon through extensive analysis of memorization and influence scores. Our results reveal that SAM is more capable of capturing atypical subpatterns, leading to higher memorization scores of samples. Conversely, SGD depends more heavily on majority features, exhibiting worse generalization on atypical subgroups and lower memorization. Crucially, this characteristic of SAM can be linked to lower variance in the prediction confidence of unseen samples, thereby amplifying membership signals. Finally, we model SAM under a perfectly interpolating linear regime and theoretically show that sharpness regularization inherently reduces variance, guaranteeing a higher MIA advantage for confidence and likelihood ratio attacks.
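The link the abstract draws between lower variance in the confidence on unseen samples and a stronger membership signal can be seen in a toy model. This is an added illustration, not code or a model from the paper: it assumes member and non-member scores (for example logit-scaled confidences) are Gaussian, and every mean and standard deviation below is a constructed value.

```python
import math

def gaussian_cdf(x, mean, std):
    """P(X <= x) for X ~ N(mean, std^2)."""
    return 0.5 * (1.0 + math.erf((x - mean) / (std * math.sqrt(2.0))))

def threshold_attack_advantage(mu_in, sd_in, mu_out, sd_out, steps=2001):
    """Membership advantage (TPR - FPR) of the rule 'score > t => member',
    maximised over the threshold t by a grid sweep.
    Returns (best_advantage, best_threshold)."""
    lo = min(mu_in - 6 * sd_in, mu_out - 6 * sd_out)
    hi = max(mu_in + 6 * sd_in, mu_out + 6 * sd_out)
    best_adv, best_t = 0.0, lo
    for i in range(steps):
        t = lo + (hi - lo) * i / (steps - 1)
        tpr = 1.0 - gaussian_cdf(t, mu_in, sd_in)    # members flagged as members
        fpr = 1.0 - gaussian_cdf(t, mu_out, sd_out)  # non-members flagged as members
        if tpr - fpr > best_adv:
            best_adv, best_t = tpr - fpr, t
    return best_adv, best_t

# Constructed scenario: the mean gap between members and non-members is held
# fixed, and only the spread of the non-member (unseen sample) scores changes.
MU_IN, SD_IN, MU_OUT = 4.0, 1.0, 2.5
NONMEMBER_SPREADS = [1.5, 1.0, 0.5]

def advantage_by_nonmember_spread():
    """Advantage of the threshold attack for each non-member std dev."""
    return [threshold_attack_advantage(MU_IN, SD_IN, MU_OUT, sd)[0]
            for sd in NONMEMBER_SPREADS]

if __name__ == "__main__":
    for sd, adv in zip(NONMEMBER_SPREADS, advantage_by_nonmember_spread()):
        print(f"non-member std={sd:.1f}  advantage={adv:.3f}")
```

For anyone auditing a trained model, the practical reading is that test accuracy alone does not indicate leakage: the spread of held-out confidences should be compared against the training-set confidences as well.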