Quantifying Information Leakage in Machine Learning Models via Leave-One-Out Distinguishability

We introduce an analytical framework to quantify the changes in a machine learning algorithm's output distribution following the inclusion or removal of a few data points in its training set, a notion we define as leave-one-out distinguishability (LOOD). This allows us to measure data memorization, information leakage, and the influence of training data points in machine learning.

The paper introduces an analytical framework to quantify the changes in a machine learning model's output distribution when a few data points are added to or removed from the training set. This notion is defined as leave-one-out distinguishability (LOOD). Key highlights: LOOD can be used to measure data memorization, information leakage, and the influence of training data points on model predictions. The authors use Gaussian Processes (GPs) to model the randomness of machine learning algorithms and validate LOOD with empirical analysis of leakage using membership inference attacks. The analytical framework enables investigating the causes of leakage, such as the influence of activation functions on data memorization. The method allows identifying queries that disclose the most information about the training data in the leave-one-out setting, which can be used for accurate reconstruction of training data. The authors prove that under certain conditions, the differing data point itself is a stationary point of LOOD, suggesting it incurs maximal leakage. Experiments show that optimizing LOOD can recover the differing data point with high visual similarity, demonstrating the potential for data reconstruction attacks. The authors analyze how the choice of activation function affects the magnitude of information leakage, proving that smooth activations like GeLU induce higher leakage than non-smooth activations like ReLU.

"We observe over 140× speed up for estimating leakage and influence using our framework versus empirically measuring it over retrained models as it is performed in the literature."

"LOOD measures privacy loss in a black-box setting, for specific datasets, and DP determines the maximum (white-box) privacy loss across all possible datasets." "The power of any MIA (true positive rate given a fixed false positive rate) is controlled by the likelihood ratio test of observing the prediction given D versus D' as the training set." "Smooth activations such that GeLU are associated with kernels that are farther away from a low rank all-constant matrix (more expressive) than kernel obtained with non-smooth activations, e.g. ReLU."