Blind Baselines Beat Membership Inference Attacks for Foundation Models

Add code
Jun 23, 2024
Debeshee Das, Jie Zhang, Florian Tramèr
Figure 1 for Blind Baselines Beat Membership Inference Attacks for Foundation Models
Figure 2 for Blind Baselines Beat Membership Inference Attacks for Foundation Models
Figure 3 for Blind Baselines Beat Membership Inference Attacks for Foundation Models
Figure 4 for Blind Baselines Beat Membership Inference Attacks for Foundation Models

Share this with someone who'll enjoy it:

Twitter IconFacebook IconLinkedin IconWhatsapp IconMessenger Icon

Membership inference (MI) attacks try to determine if a data sample was used to train a machine learning model. For foundation models trained on unknown Web data, MI attacks can be used to detect copyrighted training materials, measure test set contamination, or audit machine unlearning. Unfortunately, we find that evaluations of MI attacks for foundation models are flawed, because they sample members and non-members from different distributions. For 8 published MI evaluation datasets, we show that blind attacks -- that distinguish the member and non-member distributions without looking at any trained model -- outperform state-of-the-art MI attacks. Existing evaluations thus tell us nothing about membership leakage of a foundation model's training data.

View paper onarxiv icon

Share this with someone who'll enjoy it:

Twitter IconFacebook IconLinkedin IconWhatsapp IconMessenger Icon