Quantifying the impact of individual data samples on machine learning models is an open research problem. This is particularly relevant when complex and high-dimensional relationships have to be learned from a limited sample of the data-generating distribution, such as in deep learning. It was previously shown that, in these cases, models rely not only on extracting patterns which are helpful for generalisation, but also seem to be required to incorporate some of the training data more or less as is, in a process often termed memorisation. This raises the question: if some memorisation is a requirement for effective learning, what are its privacy implications? In this work we unify a broad range of previous definitions and perspectives on memorisation in ML, discuss their interplay with model generalisation, and discuss the implications of these phenomena for data privacy. Moreover, we systematise methods allowing practitioners to detect the occurrence of memorisation or quantify it, and contextualise our findings in a broad range of ML learning settings. Finally, we discuss memorisation in the context of privacy attacks, differential privacy (DP) and adversarial actors.