Machine learning poses severe privacy concerns, since it has been shown that learned models can reveal sensitive information about their training data. Many works have investigated the effect of the widely adopted data augmentation (DA) and adversarial training (AT) techniques, termed data enhancement in this paper, on the privacy leakage of machine learning models. Such privacy effects are often measured by membership inference attacks (MIAs), which aim to identify whether a particular example belongs to the training set or not. We propose to investigate privacy from a new perspective, called memorization. Through the lens of memorization, we find that previously deployed MIAs produce misleading results, as they are less likely to identify samples with higher privacy risks as members than samples with low privacy risks. To solve this problem, we deploy a recent attack that can capture the memorization degree of individual samples for evaluation. Through extensive experiments, we unveil non-trivial findings about the connections between three important properties of machine learning models: privacy, the generalization gap, and adversarial robustness. We demonstrate that, contrary to existing results, the generalization gap is not highly correlated with privacy leakage. Moreover, stronger adversarial robustness does not necessarily imply that the model is more susceptible to privacy attacks.