Membership inference attacks (MIA) aim to detect if a particular data point was used in training a machine learning model. Recent strong attacks have high computational costs and inconsistent performance under varying conditions, rendering them unreliable for practical privacy risk assessment. We design a novel, efficient, and robust membership inference attack (RMIA) which accurately differentiates between population data and training data of a model, with minimal computational overhead. We achieve this by a more accurate modeling of the null hypothesis setting in our likelihood ratio tests, and effectively leveraging both reference models and reference data samples from the population. Our algorithm exhibits superior test power (true-positive rate) compared to prior methods, throughout the TPR-FPR curve including at extremely low false-positive rates (as low as 0). Under computation constraints, where only a limited number of pre-trained reference models (as few as 1) are available, and also when we vary other elements of the attack, our method performs exceptionally well, unlike some prior attacks that approach random guessing. RMIA outperforms the prior work in all configurations of the attack setup. RMIA lays the algorithmic groundwork for practical yet accurate and reliable privacy risk analysis in machine learning.