Membership inference (MI) attacks exploit the fact that machine learning
algorithms sometimes leak information about their training data through the
learned model. In this work, we study membership inference in the white-box
setting in order to exploit the internals of a model, which have not been
effectively utilized by previous work. Leveraging new insights about how
overfitting occurs in deep neural networks, we show how a model's idiosyncratic
use of features can provide evidence for membership to white-box
attackers---even when the model's black-box behavior appears to generalize
well---and demonstrate that this attack outperforms prior black-box methods.
Taking the position that an effective attack should have the ability to provide
confident positive inferences, we find that previous attacks do not often
provide a meaningful basis for confidently inferring membership, whereas our
attack can be effectively calibrated for high precision. Finally, we examine
popular defenses against MI attacks, finding that (1) smaller generalization
error is not sufficient to prevent attacks on real models, and (2) while
small-$\epsilon$-differential privacy reduces the attack's effectiveness, this
often comes at a significant cost to the model's accuracy; and for larger
$\epsilon$ that are sometimes used in practice (e.g., $\epsilon=16$), the
attack can achieve nearly the same accuracy as on the unprotected model.

本研究通过对深度神经网络如何发生过拟合的新认识，研究了成员推断攻击，并展示了如何利用模型的内部来提供攻击者成员身份的证据，该攻击方法可校准，并可以有效地进行高精度的成员推论。同时，对于流行的成员推断攻击防御方法，发现较小的一阶差分隐私并不能防止攻击，而较大的隐私预算则使得攻击几乎具有与未受保护的模型相同的准确性。