Machine learning models, in particular deep neural networks, are now integral to applications ranging from healthcare to finance. Training them on sensitive data, however, raises privacy and security concerns. One way to test whether a trained model is privacy-preserving is the membership inference attack (MIA), in which an adversary determines whether a specific data point was part of the model's training set. While many MIAs have been proposed in the literature, only a few achieve a high true positive rate (TPR) in the low false positive rate (FPR) region (0.01% to 1%), which is crucial for an MIA to be practically useful in real-world settings. In this paper, we present a novel MIA aimed at significantly improving TPR at low FPRs. Our method, learning-based difficulty calibration for MIA (LDC-MIA), characterizes data records by their hardness levels, using a neural network classifier to determine membership. Experimental results show that LDC-MIA improves TPR at low FPR by up to 4x over other difficulty-calibration-based MIAs and achieves the highest area under the ROC curve (AUC) across all datasets. Its cost is comparable to that of most existing MIAs, and it is orders of magnitude more efficient than one of the state-of-the-art methods, LiRA, while achieving similar performance.
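The abstract's central metric is TPR at a fixed low FPR, and its central idea is per-record difficulty calibration. The following is an added illustration, not code from the paper or from LDC-MIA: it computes TPR at a chosen FPR from membership scores, and contrasts a raw loss-threshold score with a generic difficulty-calibrated score (reference-model loss minus target-model loss on the same record) to show why calibration matters for hard records. The LDC-MIA classifier itself is not reproduced; the loss values are constructed for the example, and the function names are my own.

```python
import math

# Constructed per-record (target_loss, reference_loss) pairs. A member that the
# target model has memorized shows a target loss far below the reference
# model's loss on the same record; a non-member's target loss tracks its
# reference loss (its "difficulty"), regardless of whether it is large or small.
MEMBERS = [(0.5, 2.5), (0.3, 1.5), (1.0, 3.0)]          # hard records, memorized
NONMEMBERS = [(0.4, 0.4), (0.2, 0.2), (0.6, 0.7), (0.9, 1.0), (2.0, 2.1)]


def raw_score(target_loss, reference_loss):
    """Uncalibrated score: low target loss looks member-like. Easy non-members
    (low loss for any model) collide with memorized members here."""
    return -target_loss


def calibrated_score(target_loss, reference_loss):
    """Generic difficulty calibration (stand-in, not the paper's method):
    how much better the target model does than a reference model that did
    not train on the record. Easy records score ~0; memorized hard ones high."""
    return reference_loss - target_loss


def tpr_at_fpr(member_scores, nonmember_scores, fpr):
    """TPR when the decision threshold admits at most `fpr` of non-members.
    Higher score means more member-like; predict "member" iff score > threshold."""
    non = sorted(nonmember_scores, reverse=True)
    n = len(non)
    # Number of false positives the FPR budget allows on this evaluation set.
    k = int(math.floor(fpr * n + 1e-9))
    # Threshold = the (k+1)-th highest non-member score, so strictly greater
    # scores number at most k. If k >= n, every record may be flagged.
    threshold = non[k] if k < n else -math.inf
    tp = sum(1 for s in member_scores if s > threshold)
    return tp / len(member_scores)


def min_nonmembers_for_fpr(fpr):
    """Smallest non-member set on which an FPR of `fpr` is even measurable:
    the finest achievable FPR step is 1/N, so 0.01% needs N >= 10000."""
    return math.ceil(round(1.0 / fpr, 6))


def compare_scores(members, nonmembers, fpr):
    """TPR at the given FPR for raw vs. calibrated scores on the same records."""
    results = {}
    for name, fn in (("raw", raw_score), ("calibrated", calibrated_score)):
        m = [fn(t, r) for t, r in members]
        nm = [fn(t, r) for t, r in nonmembers]
        results[name] = tpr_at_fpr(m, nm, fpr)
    return results


if __name__ == "__main__":
    # With 5 non-members the finest FPR step is 20%, so 0.2 is the lowest
    # non-zero FPR this toy set can resolve; a real evaluation in the
    # 0.01%-1% region needs far more non-members.
    print(compare_scores(MEMBERS, NONMEMBERS, 0.2))   # raw ~0.33, calibrated 1.0
    print(min_nonmembers_for_fpr(0.0001))             # 10000
```

On the constructed records the raw loss threshold catches only one of three members at 20% FPR, because easy non-members have losses as low as the memorized members'; calibrating against a reference model's loss separates them completely. The `min_nonmembers_for_fpr` check is the practical caveat: an FPR of 0.01% cannot be measured on fewer than 10,000 non-members, so reported low-FPR numbers should be read against the evaluation set size.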