Gen-LRA: Towards a Principled Membership Inference Attack for Generative Models

No further questions.

• Can you expand the related work to also include the shadow-modeling based MIAs?

• To truly understand the contribution, could you implement the shadow-modeling based MIAs [1,2,3] as well and report their results? Right now, the Gen-LRA method seems to be better than the prior work you consider, and does so with limited assumptions for the attacker and with limited computational cost. How does this change when the attacker now (i) has knowledge of the training algorithm and (ii) has the computational resources to train shadow models? Could authors implement these shadow-model MIAs and report the results alongside Gen-LRA? This would help to position the method and its results in the literature, giving a clear understanding of the impact of certain assumptions and computational cost on the MIA results.

• Similarly, the work on shadow modeling MIAs also discusses disparate vulnerability of outliers [1,2,3]. Stadler et al [1] finds outliers to be more vulnerable than randomly selected records, while Meeus et al [3] proposes a method to identify more vulnerable records. Could authors have more elaborate results for the outlier discussion (e.g. show MIA results for outliers vs random points across datasets) and relate these findings to prior work? While the fact that Gen-LRA focuses on outliers is distinct from distance-based methods, these findings might not be very different than the ones in shadow-modeling based MIAs.

1.The manuscript lacks a clear explanation of the practical utility of applying MIA to synthetic data. It remains unclear why synthetic data was chosen as the focus, rather than real-world or other benchmark datasets. The authors are encouraged to provide references in the Related Work section to strengthen the justification for studying synthetic data specifically. Expounding on the unique relevance of synthetic data to MIA would better demonstrate the necessity and contributions of this study. 2.Several typographical errors and repeated references are present in the reference section, such as on Line 527 and Line 729. A thorough review of the references is recommended to ensure accuracy and consistency across all citations.

First, I would like to point out that I am not fully up-to-date on the literature regarding membership inference attacks, especially those involving tabular data. As a result, I may be unable to assess the novelty of this work and might not be familiar with the common settings examined in recent literature.

1. The paper assumes the reference data is available to the attacker. This does not seem to be very realistic to me. Section 1 discussed that a common scenario for synthetic data release is that the data owner wants to release data for open research. This implies that such data is not available to the public before that (if such data is already available, then there is no motivation or value for the data owner to release an additional dataset). That means that the attacker does not have access to the reference data either. The prior work I knew often considered attacks that do not make such assumptions (e.g., https://arxiv.org/pdf/1705.07663 and https://arxiv.org/pdf/1909.03935).

   The paper claims that this setting is realistic in Section 2: "We assume this in practice because this represents a plausible scenario for the owner of S as an attacker may be able to find comparable data in the real world..." Unfortuantely, I do not fully understand this example. It would be great if the author can explain it in more detail in the rebuttal.

2. Continuing on the above point, the paper needs to make it clearer what assumptions each of the baseline methods in Section 5 make. Which of them also makes the assumption that reference data is available to the attacker? This would clarify whether the claimed improvement comes from the relaxation of the assumptions or the fundamental advances of the algorithm itself.

3. The paper only evaluates the proposed algorithm on tabular data. But this is not reflected in the title and abstract. By reading only the title and the abstract, the readers might be misled to think that the paper proposes and evaluates the attack on diverse data types.

   I think it is important to clarify that, as the proposed approach relies on kernel density estimation, which (as discussed in the paper) does not scale well with the data dimension. (The proposed approach relies on dimension-reduction techniques to tackle the issue.) Therefore, it is unclear if such a pipeline can work well on other more high-dimensional and complicated data such as images and text.

4. How do you determine the kernel size and the type of the kernel in the experiments? Is the algorithm sensitive to that?

5. Section 5 mentioned that "For Gen-LRA, we found that the choice of k can have a small impact on the performance of the attack (See Appendix A.3), we therefore use the results of the best k choice for each run as the goal for an MIA is to characterize the maximal empirical privacy risk." I understand that choosing the best k could help "characterize the maximal empirical privacy risk". However, this table is mainly for comparing between different baselines. The comparison would be unfair if you chose the best hyper-parameter for your own approach while not doing that for the baseline methods.

6. The discussion in Section 6.2 is nice, but it would be more self-contained if the paper could describe how DCR works in the main text.

Other minor questions:

1. Section 1: "We demonstrate that Gen-LRA identifies a different source of privacy leakage relative to other commonly used MIAs." It would be better to clarify what "the different source" means here. I could only understand it after reading Section 5.

2. Line 116 and 117: what are M and D? These notations do not seem consistent with what was used before.

3. Line 127: typo on the left quotation mark

4. Line 266: missing a )

1. Although I could follow the gist of the idea, some of the notation is not precisely defined. $p_{\mathbb{P} \cup x*}$. It might be clearer to skip Eq.s 3/4 and jump to Eq 5.
2. Do you have any ideas for how to generalize this to forms of data that are not amenable to KDEs (even after applying PCA)?
3. Section 5.3 is not clear to me. What exactly is the experiment here, and what is it supposed to demonstrate?