Open vickyqi7 opened 5 years ago
If the output is not a confidence value, then the attack reduces to using a one-hot encoding of the predicted label for determining membership inference, and the attack performance will likely drop in this case. As for our motivating example, you are thinking of a scenario where there is a one-to-one mapping between medical dosage and diseases. However, in reality medical dosage and diseases might not be exactly correlated: certain diseases might be prescribed similar medicines, and prescription is also conditioned on the patient's medical history, other examinations, etc. Just given a pair of (clinical record, medical dosage), I don't see how one can accurately guess whether a patient has a certain disease. With the help of membership inference, the chance of revealing the disease can be higher. Does this make sense to you?
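The point in the reply above can be measured as a privacy audit. The sketch below is an added example, not code from the paper or from this thread: it compares how much membership signal a confidence vector and a one-hot predicted label expose. The toy overfit target (nearest neighbour with a softmax over distances), the constructed Gaussian data and every function name are assumptions.

```python
import math
import random

def make_data(rng, n, dim=20, shift=0.25):
    """Constructed 2-class data: class c is N(+/-shift, 1) in every dimension."""
    return [([rng.gauss(shift if c else -shift, 1.0) for _ in range(dim)], c)
            for c in (0, 1) for _ in range(n)]

def predict_proba(train, x):
    """Toy overfit target (assumption): softmax over the negative distance to
    the nearest training point of each class, so it memorises its training set."""
    d = [min(math.dist(x, t) for t, c in train if c == k) for k in (0, 1)]
    z = [math.exp(-v) for v in d]
    return [v / sum(z) for v in z]

def one_hot(p):
    """What a label-only API returns: 1.0 for the predicted class, else 0.0."""
    top = p.index(max(p))
    return [1.0 if k == top else 0.0 for k in range(len(p))]

def auc(member_scores, nonmember_scores):
    """Probability that a member outscores a non-member (ties count 0.5)."""
    wins = sum((m > n) + 0.5 * (m == n)
               for m in member_scores for n in nonmember_scores)
    return wins / (len(member_scores) * len(nonmember_scores))

def audit(seed=0, n=100):
    """Membership AUC when the API returns confidences vs. only a label."""
    rng = random.Random(seed)
    train, held_out = make_data(rng, n), make_data(rng, n)
    result = {}
    for name, view in (("confidence", list), ("label_only", one_hot)):
        # Membership score: the value the output assigns to the true label.
        score = lambda x, y: view(predict_proba(train, x))[y]
        result[name] = auc([score(x, y) for x, y in train],
                           [score(x, y) for x, y in held_out])
    hit = lambda x, y: one_hot(predict_proba(train, x))[y]
    result["train_acc"] = sum(hit(x, y) for x, y in train) / len(train)
    result["test_acc"] = sum(hit(x, y) for x, y in held_out) / len(held_out)
    return result

if __name__ == "__main__":
    print(audit())
```

With one-hot output the only remaining signal is whether the prediction is correct, so the label-only AUC equals 0.5 + (train_acc - test_acc) / 2; the confidence output additionally exposes how far the model's certainty on training records exceeds its certainty on unseen ones.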
Thank you for your reply. I think I see what you mean.
Hello, Dr. Song. I read your paper "Membership Inference Attacks Against Machine Learning Models" the other day. I am very interested in it, but I have two questions about it. First, your attack requires the confidence values of the target model output. What if the output is not the confidence values? Second, in the example you use, a certain patient's clinical record was used to train a model associated with a disease to determine the appropriate medicine dosage. If I input this person's information and the model outputs his medicine dosage, then this person must suffer from this disease and there is no need for member inference attacks, so what is the meaning of this article? I would appreciate your reply.