Training data membership inference via Gaussian process meta-modeling: a post-hoc analysis approach
Yongchao Huang, Pengfei Zhang, Shahzad Mumtaz
Published on arXiv: 2510.21846
Membership Inference Attack
OWASP ML Top 10 — ML04
Key Finding
GP-MIA achieves high membership inference accuracy across synthetic, tabular, vision, and NLP datasets without requiring shadow models or multiple model queries.
Novel technique introduced: GP-MIA
Membership inference attacks (MIAs) test whether a data point was part of a model's training set, posing serious privacy risks. Existing methods often depend on shadow models or heavy query access, which limits their practicality. We propose GP-MIA, an efficient and interpretable approach based on Gaussian process (GP) meta-modeling. Using post-hoc metrics such as accuracy, entropy, dataset statistics, and optional sensitivity features (e.g. gradients, NTK measures) from a single trained model, GP-MIA trains a GP classifier to distinguish members from non-members while providing calibrated uncertainty estimates. Experiments on synthetic data, real-world fraud detection data, CIFAR-10, and WikiText-2 show that GP-MIA achieves high accuracy and generalizability, offering a practical alternative to existing MIAs.
Key Contributions
- GP-MIA: a Gaussian process-based membership inference attack using post-hoc metrics (accuracy, entropy, dataset statistics, optional gradient/NTK features) from a single trained model
- Eliminates the need for shadow models or heavy query access while providing calibrated uncertainty estimates
- Demonstrated effectiveness across diverse settings: synthetic data, fraud detection, CIFAR-10, and WikiText-2
🛡️ Threat Analysis
GP-MIA is a membership inference attack that determines whether specific data points were included in a model's training set — the core definition of ML04. It proposes a novel GP-based classifier using post-hoc metrics (accuracy, entropy, gradients, NTK) as an alternative to shadow model and LiRA-style attacks.