Population MIA attack #101
Hi Community, I am trying to use ML_privacy_meter to better understand attacks in machine learning. I have gone through the source code of Population Metric in the Metric.py file, but I am finding it difficult to understand the work behind this Membership Inference attack. I would appreciate it if anyone can give me some references or explanations regarding how it works. Thank you.
Hi @Siddharth2000,
The membership inference attack aims to determine whether a specific data point was used during the training of a target machine learning model. In our tutorial, we use the loss function as a means of attack, where we calculate the loss on the target data point from the target model to infer its membership. Essentially, this attack exploits the model's generalization error, which means that the model tends to have lower losses on the training dataset compared to the points in the test dataset.
For the population attack, the adversary first computes the loss on the population dataset, which we know is disjoint from the training dataset. This population loss distribution shows how the model performs on unseen data. Next, the adversary computes the loss on each target point and compares it with the loss on the population data. If the target loss is much smaller than most of the population loss, then it is likely that this target point was used for training.
This is an intuitive explanation. For more detailed information, please refer to the paper: Enhanced Membership Inference Attacks against Machine Learning Models. Let me know if you have any further questions or need further clarification.
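The population attack described in the reply above, written out as a privacy-audit check. This is an added example, not ML Privacy Meter's code and not part of the original discussion. The confidence values are constructed, the function names are hypothetical, and taking the threshold as the `alpha`-quantile of the population losses (with `alpha` as the tolerated false-positive rate) is an assumption about how "much smaller than most of the population loss" is made concrete.

```python
import math

def cross_entropy(p_true):
    """Per-example loss from the model's probability for the true label."""
    return -math.log(max(p_true, 1e-12))

def population_threshold(population_losses, alpha):
    """Loss threshold such that at most a fraction alpha of the population
    (known non-member) points have a loss strictly below it."""
    ordered = sorted(population_losses)
    k = math.floor(alpha * len(ordered))
    # alpha == 1 means every point is flagged, so the threshold is unbounded.
    return ordered[k] if k < len(ordered) else math.inf

def infer_membership(target_losses, threshold):
    """Flag a point as a likely training member when its loss is below the threshold."""
    return [loss < threshold for loss in target_losses]

def rate(flags):
    """Fraction of points flagged as members."""
    return sum(flags) / len(flags)

# Constructed sample data: probability the target model assigns to the true label.
POPULATION = [0.55, 0.60, 0.62, 0.70, 0.71, 0.75, 0.80, 0.82, 0.90, 0.97]  # disjoint from training
MEMBERS = [0.99, 0.98, 0.995, 0.80, 0.999]      # target points that were in the training set
NON_MEMBERS = [0.65, 0.81, 0.78, 0.975, 0.58]   # target points that were not

def audit(alpha=0.2):
    """Calibrate on the population, then measure leakage on labelled target points."""
    thr = population_threshold([cross_entropy(p) for p in POPULATION], alpha)
    tpr = rate(infer_membership([cross_entropy(p) for p in MEMBERS], thr))
    fpr = rate(infer_membership([cross_entropy(p) for p in NON_MEMBERS], thr))
    return thr, tpr, fpr

if __name__ == "__main__":
    thr, tpr, fpr = audit()
    print(f"threshold={thr:.4f} TPR={tpr:.2f} FPR={fpr:.2f}")
```

The gap between the true-positive and false-positive rates at a fixed `alpha` is the leakage the audit reports; a model that generalizes well pushes the two rates together.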