How to Combine Membership-Inference Attacks on Multiple Updated Machine Learning Models

Authors: Matthew Jagielski (Google Research), Stanley Wu (Northeastern University), Alina Oprea (Northeastern University), Jonathan Ullman (Northeastern University), Roxana Geambasu (Columbia University)

Volume: 2023
Issue: 3
Pages: 211–232


Abstract: A large body of research has shown that machine learning models are vulnerable to membership inference (MI) attacks that violate the privacy of the participants in the training data. Most MI research focuses on the case of a single standalone model, while production machine-learning platforms often update models over time, on data that may shift in distribution, giving the attacker more information. This paper proposes new attacks that take advantage of one or more model updates to improve MI. A key part of our approach is to leverage rich information from standalone MI attacks mounted separately against the original and updated models, and to combine this information in specific ways to improve attack effectiveness. We propose a set of combination functions and tuning methods for each, and present both analytical and quantitative justification for various options. Our results on four public datasets show that our attacks are effective at using update information to give the adversary a significant advantage not only over attacks on standalone models, but also over a prior MI attack that takes advantage of model updates in a related machine-unlearning setting. We perform the first measurements of the impact of distribution shift on MI attacks with model updates, and show that a more drastic distribution shift results in significantly higher MI risk than a gradual shift. We also show that our attacks are effective at auditing differentially private fine-tuning. We make our code public on GitHub.
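The core idea in the abstract, combining standalone MI scores from the original and updated models, can be sketched in a few lines. The sketch below is illustrative only: the score function (negated per-example loss) and the two combination functions shown (`sum` and `max`) are simplified stand-ins, not the specific combination functions or tuning methods developed in the paper.

```python
import numpy as np

def loss_score(losses):
    # A common standalone MI signal: members tend to have lower loss,
    # so negate losses to make higher scores indicate membership.
    return -np.asarray(losses, dtype=float)

def combine_scores(score_old, score_new, method="sum"):
    # Combine per-example MI scores from the original and updated models.
    # "sum" and "max" are hypothetical examples of combination functions;
    # the paper proposes and tunes a richer family of such functions.
    s_old = np.asarray(score_old, dtype=float)
    s_new = np.asarray(score_new, dtype=float)
    if method == "sum":
        return s_old + s_new
    if method == "max":
        return np.maximum(s_old, s_new)
    raise ValueError(f"unknown combination method: {method}")

# Toy example: per-example losses under the original and updated models.
losses_old = np.array([0.1, 2.0, 0.5])
losses_new = np.array([0.2, 1.8, 0.1])
combined = combine_scores(loss_score(losses_old), loss_score(losses_new))
# Predict membership for examples whose combined score exceeds a threshold
# (the threshold here is arbitrary; in practice it would be calibrated).
members = combined > -1.0
```

The point of the combination step is that an example's scores under two related models carry more information than either score alone, which is what gives the update-aware attacker an advantage over a standalone attack.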

Keywords: membership inference, machine learning, update, entry inference, distribution shift

Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution 4.0 license.