Inquiries regarding the details of the shadow experiment.

[zhaisf]

Thank you for your inspiring work！

But I have one more question that arises from the closed issue:

You can assume we are in a shadow environment: training a shadow model with a known member/nonmember splitting and determining a threshold/NN according to this known splitting. After we get the threshold/NN, we could apply them to any real victim models (which we don't know the membership splitting).

We have some results to show that the threshold obtained from the shadow environment can be transferred to the real victim models:

Method Attack Target AUC ASR SecMI_stat Shadow Model 0.881 0.811 SecMI_stat Victim Model - 0.804 SecMI_NNs Shadow Model 0.951 0.888 SecMI_NNs Victim Model - 0.893

Could you please describe how to construct the training data for the "shadow models"? When training a shadow model, do you assume that the adversary already knows the distribution of the dataset? (Or can obtain some of the training data?)

[jinhaoduan]

Yes, we assume the adversary already knows the distribution but they don't know which split is used in the training set. Please refer to Definition A (Membership inference security game) of Membership Inference Attacks From First Principles.

[zhaisf]

I see, thank you for your response！

Additionally, do you assume that the training steps / finetuning steps for training the shadow model and the target model is also the same in the shadow experiments?

[jinhaoduan]

Yes, in our evaluation, we set all the hyper-parameters to be the same except for the training split.

[zhaisf]

Got it. Thanks !