5/ But the broader message? It's time to give 'parameter access' another serious look in privacy research π¬
Find more details in the paper (accepted to TMLR), w/ Xiao & Dave
π openreview.net/pdf?id=fmKJf...
π» github.com/iamgroot42/a...
4/ The big open question remains: how close are optimal black-box attacks to this theoretical optimum? The gap might be negligible, suggesting black-box methods sufficeβor significant, showing parameter access offers better empirical upper bounds π€
3/ Our work challenges this assumption head-on. By carefully analyzing SGD dynamics, we prove that optimal membership inference requires white-box access to model parameters. Our Inverse Hessian Attack (IHA) serves as a proof of concept that parameter access helps!
2/ Prior work (e.g., proceedings.mlr.press/v97/sablayro...) suggests black-box access is optimal for membership inferenceβassuming SGLD as the learning algorithm. But these assumptions break down for models trained with SGD
1/ Most membership inference attacks (MIAs) have seemingly converged to black-box settings, driven by empirical evidence and theoretical folklore suggesting black-box access was optimal. But what if this assumption missed something critical? π¨
tl;dr? It did π§΅
Temporally shifted data splits in membership inference can be misleading β οΈ Be cautious when interpreting these benchmarks!
