A Critical Review on the Effectiveness and Privacy Threats of Membership Inference Attacks
Najeeb Jebreel, David Sánchez, Josep Domingo-Ferrer
Published on arXiv: 2603.22987
Membership Inference Attack
OWASP ML Top 10 — ML04
Key Finding
MIAs against realistic training datasets and well-generalized ML models do not meet the conditions required for a meaningful privacy threat, suggesting that current privacy metrics may overestimate risk and lead to unnecessary sacrifices in utility.
Membership inference attacks (MIAs) aim to determine whether a data sample was included in a machine learning (ML) model's training set and have become the de facto standard for measuring privacy leakages in ML. We propose an evaluation framework that defines the conditions under which MIAs constitute a genuine privacy threat, and review representative MIAs against it. We find that, under the realistic conditions defined in our framework, MIAs represent weak privacy threats. Thus, relying on them as a privacy metric in ML can lead to an overestimation of risk and to unnecessary sacrifices in model utility as a consequence of employing too strong defenses.
Key Contributions
- Proposes an evaluation framework defining five necessary conditions for MIAs to constitute genuine privacy threats: disclosure potential, applicability to non-overfitted models, applicability to production models, attack reliability, and computational feasibility
- Reviews representative MIAs against this framework, finding that they represent weak privacy threats under realistic conditions
- Challenges the justification for utility-sacrificing defenses such as differential privacy, given that MIA effectiveness collapses under anti-overfitting training, realistic membership priors, and proper threshold calibration
🛡️ Threat Analysis
The paper comprehensively analyzes membership inference attacks (MIAs), which determine whether specific data points were in a model's training set. It proposes an evaluation framework and reviews representative MIAs against it, examining their effectiveness under realistic conditions, including non-overfitted models, skewed membership priors, and computational feasibility.
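The points above about realistic membership priors and threshold calibration can be checked when auditing a model. The following is an added example, not code from the paper: it calibrates a decision threshold to a fixed false-positive rate on known non-members and reports how often a "member" verdict is correct as the prior shrinks. The score distributions, function names and parameter values are assumptions made for illustration.

```python
import random

def calibrate_threshold(nonmember_scores, target_fpr):
    """Threshold whose empirical FPR on known non-members is <= target_fpr."""
    ranked = sorted(nonmember_scores, reverse=True)
    k = min(int(target_fpr * len(ranked) + 1e-9), len(ranked) - 1)
    return ranked[k]  # the audit predicts "member" iff score > threshold

def rates(member_scores, nonmember_scores, threshold):
    """Empirical (TPR, FPR) of the rule score > threshold."""
    tpr = sum(s > threshold for s in member_scores) / len(member_scores)
    fpr = sum(s > threshold for s in nonmember_scores) / len(nonmember_scores)
    return tpr, fpr

def precision(tpr, fpr, prior):
    """P(member | flagged) for a given membership prior, by Bayes' rule."""
    flagged = tpr * prior + fpr * (1.0 - prior)
    return tpr * prior / flagged if flagged > 0 else 0.0

def demo(priors=(0.5, 0.1, 0.01, 0.001), target_fpr=0.01, n=2000, seed=0):
    """Constructed scores: members shifted by 0.5 sigma (weak separation,
    an assumption standing in for a well-generalized model)."""
    rng = random.Random(seed)
    members = [rng.gauss(0.5, 1.0) for _ in range(n)]
    nonmembers = [rng.gauss(0.0, 1.0) for _ in range(n)]
    # For brevity the threshold is calibrated on the same non-members it is
    # evaluated on; a real audit would use a held-out calibration set.
    thr = calibrate_threshold(nonmembers, target_fpr)
    tpr, fpr = rates(members, nonmembers, thr)
    return {p: precision(tpr, fpr, p) for p in priors}

if __name__ == "__main__":
    for prior, ppv in demo().items():
        print(f"prior={prior:<6} precision of 'member' verdicts={ppv:.4f}")
```

A balanced 50/50 evaluation set corresponds to the first row only; the remaining rows show the same attack scored under the skewed priors the review argues are realistic.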