Generalized Leverage Score for Scalable Assessment of Privacy Vulnerability

Can the privacy vulnerability of individual data points be assessed without retraining models or explicitly simulating attacks? We answer affirmatively by showing that exposure to membership inference attack (MIA) is fundamentally governed by a data point's influence on the learned model. We formalize this in the linear setting by establishing a theoretical correspondence between individual MIA risk and the leverage score, identifying it as a principled metric for vulnerability. This characterization explains how data-dependent sensitivity translates into exposure, without the computational burden of training shadow models. Building on this, we propose a computationally efficient generalization of the leverage score for deep learning. Empirical evaluations confirm a strong correlation between the proposed score and MIA success, validating this metric as a practical surrogate for individual privacy risk assessment.

Key Contributions

Theoretical proof that the leverage score is a sufficient statistic for MIA privacy loss distribution in Gaussian linear models under optimal black-box attack
Generalized Leverage Score (GLS) derived via implicit differentiation of training optimality conditions, extending the leverage score to deep learning classifiers and regressors
Empirical validation showing strong correlation between GLS (using a last-layer approximation) and state-of-the-art shadow model MIA success rates, without requiring model retraining

🛡️ Threat Analysis

Membership Inference Attack

The paper is entirely focused on characterizing per-sample exposure to membership inference attacks; it proves leverage score governs MIA risk in linear models and extends it to deep learning as a scalable surrogate for individual MIA vulnerability assessment, validated against state-of-the-art shadow model attacks like LiRA.