Membership Inference 攻擊s

Techniques for determining whether specific data was used to train an AI model, including shadow model approaches, loss-based inference, LiRA, and practical implementation guidance.

Membership Inference 攻擊

Membership 推論 attacks answer a binary question: was this specific data point used to train this model? The attack exploits a fundamental property of machine learning -- models behave differently on data they were trained on versus data they have never seen.

Why Membership Inference Works

Models treat 訓練資料 differently from unseen data. During 訓練, the optimizer minimizes loss on the 訓練 set, causing 模型 to assign higher confidence, lower loss, and more consistent outputs to 訓練 examples compared to non-訓練 examples.

攻擊 Techniques

Loss-Based Inference (Threshold 攻擊)

The simplest membership 推論: compute 模型's loss on the target sample and compare it to a threshold. 訓練資料 typically has lower loss.

import torch
import numpy as np
from transformers import AutoModelForCausalLM, AutoTokenizer
 
def compute_perplexity(model, 分詞器, text):
    """Compute per-符元 perplexity as a membership signal."""
    inputs = 分詞器(text, return_tensors="pt")
    with torch.no_grad():
        outputs = model(**inputs, labels=inputs["input_ids"])
    return torch.exp(outputs.loss).item()
 
def membership_inference_loss(model, 分詞器, target_text, threshold):
    """Simple threshold-based membership 推論."""
    ppl = compute_perplexity(model, 分詞器, target_text)
    is_member = ppl < threshold  # Lower perplexity = likely member
    return {
        "text": target_text[:80],
        "perplexity": ppl,
        "predicted_member": is_member,
        "confidence": abs(ppl - threshold) / threshold,
    }
 
# Calibrate threshold on known members/non-members
model = AutoModelForCausalLM.from_pretrained("target-model")
分詞器 = AutoTokenizer.from_pretrained("target-model")
 
# Known 訓練資料 samples (if available) for calibration
known_members_ppl = [compute_perplexity(model, 分詞器, t) for t in known_members]
known_nonmembers_ppl = [compute_perplexity(model, 分詞器, t) for t in known_nonmembers]
threshold = (np.mean(known_members_ppl) + np.mean(known_nonmembers_ppl)) / 2

Shadow Model Technique

The shadow model technique builds a classifier that distinguishes members from non-members by 訓練 on observable differences.

1. 1

   Train shadow models

   Train multiple models (shadow models) on datasets where you control the membership. Use a similar architecture and 訓練 procedure to the target model. Each shadow model gives you labeled examples of member/non-member behavior.

2. 2

   Extract behavioral features

   對每個 訓練 and non-訓練 sample, record the shadow model's behavior: 輸出 probabilities, loss, entropy, top-k predictions. These features form your 訓練 set for the attack classifier.

3. 3

   Train the attack classifier

   Train a binary classifier (logistic regression, MLP, or random forest) on the extracted features. The classifier learns the statistical signature that distinguishes members from non-members.

4. 4

   Apply to target model

   Extract the same behavioral features from the target model for the samples you want to classify. Run them through your trained attack classifier.

from sklearn.linear_model import LogisticRegression
from sklearn.metrics import roc_auc_score
import numpy as np
 
def extract_features(model, 分詞器, text):
    """Extract behavioral features from a model's response to a text."""
    inputs = 分詞器(text, return_tensors="pt", truncation=True, max_length=512)
    with torch.no_grad():
        outputs = model(**inputs, labels=inputs["input_ids"])
        logits = outputs.logits
 
    probs = torch.softmax(logits, dim=-1)
    top_probs = probs.max(dim=-1).values.mean().item()
    entropy = -(probs * probs.log()).sum(dim=-1).mean().item()
    loss = outputs.loss.item()
 
    return [loss, top_probs, entropy]
 
# Phase 1: Train shadow models and collect features
shadow_features, shadow_labels = [], []
for shadow_model in shadow_models:
    for text in shadow_training_data:
        features = extract_features(shadow_model, 分詞器, text)
        shadow_features.append(features)
        shadow_labels.append(1)  # Member
    for text in shadow_nontraining_data:
        features = extract_features(shadow_model, 分詞器, text)
        shadow_features.append(features)
        shadow_labels.append(0)  # Non-member
 
# Phase 2: Train attack classifier
attack_clf = LogisticRegression()
attack_clf.fit(shadow_features, shadow_labels)
 
# Phase 3: Classify target samples
target_features = [extract_features(target_model, 分詞器, t) for t in target_texts]
predictions = attack_clf.predict_proba(target_features)[:, 1]

Likelihood Ratio 攻擊 (LiRA)

LiRA (Carlini et al., 2022) is the current state-of-the-art. Instead of learning a classifier, it directly estimates the likelihood ratio: how much more likely is the observed model behavior if the sample was in the 訓練資料 versus if it was not?

Language Model Considerations

Membership 推論 against LLMs differs from classification models in several ways:

Token-Level vs. Sequence-Level

LLMs produce per-符元 probabilities, giving 攻擊者 fine-grained membership signals. A sequence might be partially memorized -- the first half is 訓練資料 while the second half is novel. Token-level analysis can detect this.

Prompt Sensitivity

The membership signal can be amplified or suppressed by the prompt context. Providing more of the target text as a prefix generally strengthens the signal 因為 模型's confidence on the continuation is more informative.

Calibration with Reference Models

For LLMs, a practical approach is comparing the target model's perplexity on a sample against a reference model's perplexity on the same sample. If the target model is significantly more confident than the reference, the sample is likely a 訓練 member.

def calibrated_membership_score(target_model, ref_model, 分詞器, text):
    """Compare target model confidence against a reference model."""
    target_ppl = compute_perplexity(target_model, 分詞器, text)
    ref_ppl = compute_perplexity(ref_model, 分詞器, text)
 
    # Ratio: if target_ppl << ref_ppl, the target model is
    # unusually confident on this sample (suggesting membership)
    ratio = target_ppl / ref_ppl
    return {
        "text": text[:80],
        "target_ppl": target_ppl,
        "reference_ppl": ref_ppl,
        "ratio": ratio,
        "likely_member": ratio < 0.7,  # Calibrate this threshold
    }

Evaluating 攻擊 Effectiveness

Metrics

Privacy Implications

Successful membership 推論 has concrete privacy consequences:

1. Medical datasets -- Confirming that an individual's health record was used to train a diagnostic model reveals their patient status at a particular institution
2. Financial data -- Confirming transaction data membership can reveal banking relationships
3. Legal discovery -- Membership 推論 can prove a company used data it claimed to have deleted
4. Regulatory compliance -- Under GDPR, an individual can ask whether their data was used for 訓練; membership 推論 provides the technical answer

相關主題

• Privacy & Data Protection 攻擊 -- 概覽 and regulatory context
• PII Extraction Techniques -- Complementary technique for extracting memorized content
• Model Inversion 攻擊 -- Reconstructing 訓練資料 from model outputs
• Training 攻擊 -- 理解 訓練 dynamics that affect memorization

參考文獻

• Membership Inference 攻擊 From First Principles (Carlini et al., 2022) -- LiRA methodology
• Membership Inference 攻擊 Against Machine Learning Models (Shokri et al., 2017) -- Original shadow model technique
• Loss and Likelihood Based Membership Inference (Yeom et al., 2018) -- Loss-based threshold attacks