Membership inference (MI) attacks are currently the most popular test for measuring privacy leakage in machine learning models. Given a machine learning model, a data point, and some auxiliary information, the goal of an MI~attack is to determine whether the data point was used to train the model. In this work, we study the reliability of membership inference attacks in practice. Specifically, we show that a model owner can plausibly refute the result of a membership inference test on a data point $x$ by constructing a \textit{proof of repudiation}, which proves that the model was trained \textit{without} $x$. We design efficient algorithms to construct proofs of repudiation for all data points in the training dataset. Our empirical evaluation demonstrates the practical feasibility of our algorithms by constructing proofs of repudiation for popular machine learning models on MNIST and CIFAR-10. Consequently, our results call for a re-evaluation of the practical implications of membership inference attacks.
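As background, a simple membership inference test can be sketched as a confidence-threshold attack: predict "member" when the model is unusually confident on a point's true label. This is a minimal illustrative sketch of the general attack class described above, not the specific attack or the repudiation construction studied in this work; the function name and threshold are hypothetical.

```python
import numpy as np

def mi_attack(confidence, threshold=0.9):
    """Confidence-threshold membership inference (illustrative sketch):
    predict 'member' if the model's confidence on the point's true
    label meets or exceeds a chosen threshold."""
    return confidence >= threshold

# Toy illustration: training members typically receive higher
# confidence from an overfit model than non-members.
member_conf = np.array([0.99, 0.95, 0.97])
nonmember_conf = np.array([0.60, 0.85, 0.40])
print([mi_attack(c) for c in member_conf])
print([mi_attack(c) for c in nonmember_conf])
```

The threshold is usually calibrated on shadow models or held-out data; a proof of repudiation undermines exactly this kind of inference, since the owner can exhibit a plausible training run that excludes the queried point.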