Canary in a Coalmine: Better Membership Inference with Ensembled Adversarial Queries
Authors: Yuxin Wen, Arpit Bansal, Hamid Kazemi, Eitan Borgnia, Micah Goldblum, Jonas Geiping, Tom Goldstein
ICLR 2023
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | In this section, we first show that the Canary attack can reliably improve LiRA results under different datasets and different models for both online and offline settings. Further, we investigate the algorithm thoroughly through a series of ablation studies. 4 EXPERIMENTS |
| Researcher Affiliation | Academia | Yuxin Wen (University of Maryland, ywen@umd.edu); Arpit Bansal (University of Maryland); Hamid Kazemi (University of Maryland); Eitan Borgnia (University of Chicago); Micah Goldblum (New York University); Jonas Geiping (University of Maryland); Tom Goldstein (University of Maryland) |
| Pseudocode | Yes | Algorithm 1 Canary Algorithm |
| Open Source Code | Yes | Code is available at https://github.com/YuxinWenRick/canary-in-a-coalmine |
| Open Datasets | Yes | We first train 65 wide ResNets (WRN28-10) (Zagoruyko & Komodakis, 2016) with random even splits of 50000 images to reach 92% and 71% test accuracy for CIFAR-10 and CIFAR-100 respectively. For MNIST, we train 65 8-layer ResNets (He et al., 2016) with random even splits to reach 97% test accuracy. |
| Dataset Splits | No | The paper mentions using "random even splits of 50000 images" for training models and testing on 5000 samples, but it does not explicitly specify a separate validation dataset split used for hyperparameter tuning or early stopping of the models being trained/attacked. It relies on standard dataset splits and describes the shadow model setup for membership inference, which is not a dataset split for validation. |
| Hardware Specification | Yes | All experiments in this paper are conducted by one NVIDIA RTX A4000 with 16GB of GPU memory |
| Software Dependencies | No | The paper mentions using Adam (Kingma & Ba, 2014) for optimization, but it does not provide specific version numbers for any software libraries, frameworks, or dependencies (e.g., Python, PyTorch, TensorFlow versions). |
| Experiment Setup | Yes | For the hyperparameters in the Canary attack, we empirically choose ε = 2 for CIFAR-10 & CIFAR-100 and ε = 6 for MNIST... We sample b = 2 shadow models for each iteration and optimize each query for 40 optimization steps using Adam (Kingma & Ba, 2014) with a learning rate of 0.05. For L and Lout, we choose to directly minimize/maximize the logits before a softmax on the target label. |