Please note: This PhD seminar will take place in DC 2314 and online.
Thomas Humphries, PhD candidate
David R. Cheriton School of Computer Science
Supervisor: Professor Florian Kerschbaum
Training machine learning models on privacy-sensitive data has become a popular practice, driving innovation in ever-expanding fields. This has opened the door to privacy attacks, such as the Membership Inference Attack (MIA), which exposes whether a particular data point was used to train a model. A growing body of literature uses Differentially Private (DP) training algorithms as a defence against such attacks.
In this talk, I demonstrate a mismatch between the protection offered by DP and the capabilities of an MIA attacker. MIAs are typically evaluated under the restrictive assumption that all members of the training set, as well as non-members, are independent and identically distributed. Under this assumption, it has been proven that DP protects against MIAs, and we show how to tighten this proof. However, this independence assumption does not hold for many real-world use cases. We conduct a series of empirical evaluations with off-the-shelf MIAs using training sets built from real-world data showing different types of dependencies among samples. Our results reveal that training set dependencies can severely increase the performance of MIAs, and argue that DP does not provide meaningful protection (the privacy parameter ε scales with the training set size n) in this more general case.
To attend this PhD seminar in person, please go to DC 2314. You can also attend virtually on BigBlueButton.