A membership inference attack (MIA) against a machine-learning model enables an attacker to determine whether a given data record was part of the model's training data. In this paper, we provide an in-depth study of the phenomenon of disparate vulnerability against MIAs: an unequal success rate of MIAs across different population subgroups. We first establish necessary and sufficient conditions for MIAs to be prevented, both on average and for population subgroups, using a notion of distributional generalization. Second, we relate disparate vulnerability to algorithmic fairness and to differential privacy. We show that fairness can only prevent disparate vulnerability against limited classes of adversaries. Differential privacy bounds disparate vulnerability but can significantly reduce the accuracy of the model. We show that estimating disparate vulnerability to MIAs by na\"ively applying existing attacks can lead to overestimation. We then establish which attacks are suitable for estimating disparate vulnerability, and provide a statistical framework for doing so reliably. We conduct experiments on synthetic and real-world data, finding statistically significant evidence of disparate vulnerability in realistic settings. The code is available at https://github.com/spring-epfl/disparate-vulnerability
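To make the estimation task concrete, below is a minimal sketch (our illustration, not the authors' method or the code in the linked repository) of measuring per-subgroup MIA success: given an attack's member/non-member guesses on an evaluation set with known membership labels, it computes attack accuracy within each subgroup and tests whether two subgroups differ via a standard two-proportion z-test. The array names `guesses`, `is_member`, and `subgroup`, and the function names, are illustrative assumptions.

```python
# Hedged sketch: per-subgroup MIA accuracy and a two-proportion z-test
# on the gap. Inputs are assumed to be equal-length NumPy arrays:
# `guesses` (attack's boolean member guesses), `is_member` (ground-truth
# membership), `subgroup` (subgroup label per record).
import numpy as np
from scipy.stats import norm

def subgroup_accuracy(guesses, is_member, subgroup, g):
    """Attack accuracy restricted to records in subgroup g, and the count."""
    mask = subgroup == g
    return (guesses[mask] == is_member[mask]).mean(), int(mask.sum())

def disparity_test(guesses, is_member, subgroup, a, b):
    """Accuracy gap between subgroups a and b, with a two-sided p-value."""
    p_a, n_a = subgroup_accuracy(guesses, is_member, subgroup, a)
    p_b, n_b = subgroup_accuracy(guesses, is_member, subgroup, b)
    # Pooled proportion and standard error of the difference.
    pooled = (p_a * n_a + p_b * n_b) / (n_a + n_b)
    se = np.sqrt(pooled * (1 - pooled) * (1 / n_a + 1 / n_b))
    z = (p_a - p_b) / se
    return p_a - p_b, 2 * norm.sf(abs(z))
```

For instance, `disparity_test(guesses, is_member, subgroup, "a", "b")` returns the estimated accuracy gap and its p-value. Per the abstract's caveat, such an estimate is only meaningful for attacks that are suitable for this purpose; na\"ively applying an arbitrary attack can overestimate disparate vulnerability.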