Evaluations of Machine Learning Privacy Defenses are Misleading
About
Empirical defenses for machine learning privacy forgo the provable guarantees of differential privacy in the hope of achieving higher utility while resisting realistic adversaries. We identify severe pitfalls in existing empirical privacy evaluations (based on membership inference attacks) that result in misleading conclusions. In particular, we show that prior evaluations fail to characterize the privacy leakage of the most vulnerable samples, use weak attacks, and avoid comparisons with practical differential privacy baselines. In 5 case studies of empirical privacy defenses, we find that prior evaluations underestimate privacy leakage by an order of magnitude. Under our stronger evaluation, none of the empirical defenses we study are competitive with a properly tuned, high-utility DP-SGD baseline (with vacuous provable guarantees).
Related benchmarks
| Task | Dataset | Result | Rank | |
|---|---|---|---|---|
| Membership Inference Attack Defense | CIFAR100 (test) | Loss (Series)0.54 | 60 | |
| Membership Inference Attack Defense | CIFAR10 | AUC (Loss-Series)62 | 26 | |
| Membership Inference | TinyImageNet | Loss0.52 | 23 | |
| Defense against Membership Inference Attacks | CIFAR10 | Loss Series Score0.58 | 15 | |
| Membership Inference Defense | TinyImageNet (test) | AUC (Loss-Series)0.54 | 15 | |
| Membership Inference Attack Defense | CIFAR100 Half Case | Loss-Series AUC0.61 | 8 | |
| Membership Inference Attack Defense | CIFAR100 Pair Case | Loss-Series AUC0.58 | 8 | |
| Membership Inference | CIFAR10 Pair (test) | Loss11.82 | 8 | |
| Membership Inference Attack Defense | TinyImageNet (Half) | Loss0.53 | 7 | |
| Membership Inference | CIFAR10 Half (test) | Loss Series13.55 | 7 |