ML Security PapersQuantifying Membership Disclosure Risk for Tabular Synthetic Data Using Kernel Density Estimators
Rajdeep Pathak , Sayantee Jana
Published on arXiv
2603.10937
Membership Inference Attack
OWASP ML Top 10 — ML04
Key Finding
KDE-based MIA consistently achieves higher F1 scores and sharper risk characterization than the prior data-partitioning baseline across four datasets and six generators without requiring computationally expensive shadow model training.
KDE-MIA
Novel technique introduced
The use of synthetic data has become increasingly popular as a privacy-preserving alternative to sharing real datasets, especially in sensitive domains such as healthcare, finance, and demography. However, the privacy assurances of synthetic data are not absolute, and remain susceptible to membership inference attacks (MIAs), where adversaries aim to determine whether a specific individual was present in the dataset used to train the generator. In this work, we propose a practical and effective method to quantify membership disclosure risk in tabular synthetic datasets using kernel density estimators (KDEs). Our KDE-based approach models the distribution of nearest-neighbour distances between synthetic data and the training records, allowing probabilistic inference of membership and enabling robust evaluation via ROC curves. We propose two attack models: a 'True Distribution Attack', which assumes privileged access to training data, and a more realistic, implementable 'Realistic Attack' that uses auxiliary data without true membership labels. Empirical evaluations across four real-world datasets and six synthetic data generators demonstrate that our method consistently achieves higher F1 scores and sharper risk characterization than a prior baseline approach, without requiring computationally expensive shadow models. The proposed method provides a practical framework and metric for quantifying membership disclosure risk in synthetic data, which enables data custodians to conduct a post-generation risk assessment prior to releasing their synthetic datasets for downstream use. The datasets and codes for this study are available at https://github.com/PyCoder913/MIA-KDE.
Key Contributions
- KDE-based probabilistic membership inference framework that models nearest-neighbor distance distributions between synthetic and training records, enabling ROC curve evaluation at low false positive rates
- Two attack variants: a privileged True Distribution Attack and a practical Realistic Attack using unlabeled auxiliary data — no shadow model training required
- Empirical validation across four real-world tabular datasets and six synthetic data generators showing consistently higher F1 scores than prior distance-based baseline methods
🛡️ Threat Analysis
Paper proposes two novel membership inference attack models (True Distribution Attack and Realistic Attack) that determine whether specific records were in the training data of a synthetic data generator, directly targeting the ML04 threat of membership disclosure. Both attacks outperform prior baselines across four datasets and six generators.