ML Security PapersEnsembling Membership Inference Attacks Against Tabular Generative Models
Joshua Ward 1, Yuxuan Yang 2, Chi-Hua Wang 1, Guang Cheng 1
Published on arXiv
2509.05350
Membership Inference Attack
OWASP ML Top 10 — ML04
Key Finding
Unsupervised ensemble MIAs empirically outperform all individual attack strategies as a regret-minimizing approach across diverse tabular generative models and dataset domains.
Ensemble MIA
Novel technique introduced
Membership Inference Attacks (MIAs) have emerged as a principled framework for auditing the privacy of synthetic data generated by tabular generative models, where many diverse methods have been proposed that each exploit different privacy leakage signals. However, in realistic threat scenarios, an adversary must choose a single method without a priori guarantee that it will be the empirically highest performing option. We study this challenge as a decision theoretic problem under uncertainty and conduct the largest synthetic data privacy benchmark to date. Here, we find that no MIA constitutes a strictly dominant strategy across a wide variety of model architectures and dataset domains under our threat model. Motivated by these findings, we propose ensemble MIAs and show that unsupervised ensembles built on individual attacks offer empirically more robust, regret-minimizing strategies than individual attacks.
Key Contributions
- Largest synthetic tabular data privacy benchmark to date, showing no single MIA is a strictly dominant strategy across model architectures and dataset domains
- Unsupervised ensemble MIA that aggregates individual attacks into a regret-minimizing strategy under adversarial uncertainty
- Decision-theoretic framing of MIA selection as a problem under uncertainty, motivating the ensemble approach
🛡️ Threat Analysis
The paper's primary contribution is ensemble Membership Inference Attacks (MIAs) that determine whether specific records were in the training data of tabular generative models — the canonical ML04 threat.