Bayes-Nash Generative Privacy Protection Against Membership Inference Attacks

Questions

Q1: The derivation of Equation (2) needs more elaboration, what does \theta represent in the equation?

Response:

Equation (2) introduces the Bayes-weighted membership advantage (BWMA) which is an extension of the standard per-individual membership advantage (MA) given by Equation (1). Here, $\theta$ is the prior distribution of the membership information. This extension captures the following additional components of the attacker's decision-making:

1. Prior Knowledge: BWMA leverages the prior distribution $\theta$. This setting allows the model to account for Bayesian decision-making.
2. Heterogenerous Preferences: BWMA introduces a parameter $0<\gamma\leq 1$ to weight the trade-off between the TPR and the FPR. Smaller values of $\gamma$ reflects a stronger preference for maximizing TPR, while larger values prioritize minimizing FPR. When $\lambda=0.5$, the attacker values TPR and FPR equally.

Q2: Inference cost is considered in the attacker's decision but not the defender's. More justifications are needed for such modeling. What will happen if defense cost is also considered?

Response:

Thank you for this question. We indeed account for the defender’s corresponding cost through their total expected loss, which consists of two key components: privacy loss and utility loss. This formulation reflects the inevitable trade-off between privacy and utility in privacy-preserving strategies that the defender aims to optimize. Our proposed privacy protection framework aims to optimally balance the privacy-utility trade-off.

Our approach and theoretical results are general and apply to a wide range of defender's objective functions. These objective functions can be customized to different applications and scenarios, allowing the defender to incorporate various priorities and costs. The only assumption imposed on the defender’s objective function is summarized in Assumption 1, which ensures the relationship between privacy risk and the defender’s loss is meaningful and realistic.

Q3: Does different settings of prior information affect the attacking results?

Response:

We thank the reviewer for this insightful question.

The Bayesian attack, using BGP responses, is indeed the best-performing privacy attack under the given privacy strategy. Our focus on the worst-case scenario privacy risk aims to enhance the robustness of the privacy strategy, aligning with similar worst-case considerations in other privacy frameworks such as differential privacy or Pufferfish privacy.

Yes, different prior information affects the performance of attackers and the resulting privacy risks. Specifically, the attacker’s prior knowledge shapes their inference capabilities, imposing varying levels of privacy risk for the defender. Our framework explicitly accounts for these differences by supporting scenarios where the attacker holds diverse subjective priors. This enables a comprehensive analysis of privacy risks under various assumptions about the attacker’s knowledge. Such flexibility is particularly relevant when the defender is aware of prior privacy risks and can adapt their privacy protection strategies accordingly.

In information security and privacy, addressing key considerations such as the extent to which information must remain hidden, what can be compromised, and what has already been compromised is essential. These considerations align with the goals of achieving accurate and tight characterizations of privacy auditing, accounting, and composition, which ensure effective privacy budget allocation, enhance awareness of privacy risks, and enable adaptive strategies to balance utility and security.

The subjective prior reflects information about what has already been compromised. Our formulation involving subjective priors captures two key scenarios: (1) when the prior privacy risk (i.e., the attacker’s knowledge) is known or evaluated by the defender, and (2) when the privacy risk is accounted for by the defender, such as through knowledge of the number or type of data accesses that have already occurred. This knowledge can be systematically incorporated into the analysis via subjective priors, akin to updated priors in sequential Bayesian updates.

Our proposed game-theoretic BNGP strategy leverages this subjective prior to achieve an optimal balance in the privacy-utility trade-off by addressing core considerations around hiding sensitive information, managing necessary compromises, and mitigating privacy risks effectively.

Q4: What is the difference of experimental settings of results shown in Figure 1a and 1b? According to Figure 1b, does it mean that Bayesian defender is inferior than fixed-threshold LRT defender? (Note that this is an examplar question, I find the results section quite thin and unconvincing).

Response:

Since Q4 is closely related to comment W3, we have addressed this question in our response to W3 above.

We thank the reviewer for their valuable comments and suggestions!

W1. Some notations are confusing.

Response:

We have taken the following steps to improve clarity:

1. Notation Tables: In Appendix A, we have included detailed tables of notations for each section to help readers quickly reference and understand the symbols used throughout the paper.
2. Simplification of Notations: We carefully reviewed and modified the notations throughout the paper based on the reviewer’s suggestions.

W2. The game-theoretical framework of the interplay between attacker and defender needs more justification.

Response:

The game-theoretic framework is particularly well-suited for modeling the interaction between the defender and attacker due to their inherently interdependent strategies. The defender’s strategy determines the level of privacy protection, directly influencing how much sensitive information is preserved or leaked through the mechanism’s output. At the same time, the attacker’s strategy dictates the extent to which sensitive information can be inferred, resulting in privacy risk for the defender.

From a decision-theoretic perspective, the outcomes for both the defender and the attacker are mutually dependent, creating a natural strategic interaction. Game theory provides a rigorous framework to model these interactions, analyze trade-offs, and derive equilibrium strategies that optimally balance privacy and utility. Its extensive application to security and privacy challenges highlights its relevance, particularly in adversarial decision-making and risk management (Do et al., 2017).

In our work, the defender’s and attacker’s objective functions, defined in Equations (5) and (3) respectively, are naturally modeled as a Bayesian game. The resulting equilibrium captures the worst-case privacy scenario for the defender by explicitly accounting for the rational responses of the attacker.

Do et al. (2017). Game theory for cyber security and privacy. ACM Computing Surveys, 50(2). DOI: 10.1145/3057268.

W3. (also Q4) Experimental results are thin and unconvincing. What is the difference of experimental settings of results shown in Figure 1a and 1b? According to Figure 1b, does it mean that Bayesian defender is inferior than fixed-threshold LRT defender?

Response:

We have thoroughly revised Section 5 (Experiments) to clearly explain the purpose and conclusions of each figure.

In the experiments, the ROC curve measures the performance of the attacker’s MIAs. The closer the ROC curve is to the upper-left corner, the better the MIA performs, indicating a higher true positive rate (TPR) and a lower false positive rate (FPR). This corresponds to greater privacy loss and weaker privacy protection.

Figure 1a compares the defender’s performance against three attackers: Bayesian, fixed-threshold LRT, and adaptive LRT attackers, using the genomic dataset. Please note that there are typos in the original legends: the labels should indicate “Attacker” instead of “Defender,” and the title should read “Defender.”

Figure 1b shows the Bayesian attacker’s performance across three scenarios, where the mechanism is protected by different defense models. Specifically, the Bayesian defender employs the BNGP strategy, the fixed-threshold LRT defender adopts a strategy by best responding to the fixed-threshold LRT attacker, and the adaptive LRT defender uses a strategy by best responding to the adaptive LRT attacker.

As shown in Figure 1b, the ROC of the attacker under the fixed-threshold LRT defender is closest to the upper-left corner, indicating that the Bayesian attacker performs best in this case. This means the fixed-threshold LRT defender offers the weakest privacy robustness and is outperformed by the Bayesian defender using the BNGP strategy. Contrary to the reviewer’s concern, the Bayesian defender is not inferior but rather demonstrates superior privacy protection.

We thank the reviewer for their valuable comments and suggestions!

W1. Cumbersome notation and Lack of Motivating Exposition.

Response:

We thank the reviewer for the valuable feedback on the notations and their impact on readability.

Regarding the notations, we have taken the following steps to improve clarity:

1. Notation Tables: In Appendix A, we have included detailed tables of notations for each section to help readers quickly reference and understand the symbols used throughout the paper.
2. Simplification of Notations: We carefully reviewed and modified the notations throughout the paper based on the reviewer’s suggestions. We sincerely appreciate your valuable feedback and suggestions!

Regarding the motivating exposition, we have taken the following steps:

1. we have significantly improved the introduction to enhance its accessibility and clarity for readers unfamiliar with the concepts in this paper. The revised introduction now follows a structured approach: it clearly outlines the problem, highlights the motivation (Line 31-Line 53), introduces our proposed approach, and conveys the key conceptual contributions (Line 66-Line 81).
2. Specifically, the revised text clearly highlights how the Bayes-Nash Generative Privacy (BNGP) strategy addresses key limitations of standard differential privacy frameworks, including avoiding intractable sensitivity calculations, circumventing worst-case proofs for compositions, and enabling compositions of mechanisms with arbitrary correlations.
3. We have provide explanations for the main results including theorems and propositions.

W2. Explain Main Results Theorem 1

Response:

We appreciate the reviewer's feedback regarding the clarity of the main results and their explanations. We have thoroughly revised and enhanced the presentation of our results and related definitions.

For example, we have slightly modify the Theorem 1 (without changing the original result) and add the following explanation (starting from Line 310 in the revised version):

"By definition, a BNGP strategy $G^{\star}$ responds to the BGP response $H^{\star}$, ensuring the optimal privacy-utility trade-off by considering the worst-case privacy loss when the attacker minimizes $\mathcal{L} _{\textup{CEL}}$. It is important to note that $\mathtt{TPR} , \mathtt{Adv}^\gamma , \widetilde{\mathcal{L}}_D$ are independent of $\mathcal{L} _{\textup{CEL}}$. Theorem 1 establishes that $G^{\star}$ achieves the optimal privacy-utility trade-off given $\widetilde{\mathcal{L}} _{D}$ by leveraging the worst-case privacy risk under the chosen privacy strategy. Specifically, the first inequalities in (i) and (ii) show that, under $G ^{\star}$, an attacker using $H ^{\star}$ achieves the worst-case privacy risk for the defender, and no other attacker can induce a strictly higher privacy loss in terms of $\mathtt{TPR}$ or $\mathtt{Adv}^{0.5}$. The second inequalities in (i) and (ii) further demonstrate that $G ^{\star}$ minimizes the defender's perceived privacy risk, ensuring that no alternative privacy strategy $G'$ achieves a strictly lower privacy loss against the worst-case attacker."

For Definition 4, we have modified the original "$\epsilon$-Bayes Generative Differential Privacy Risk" to the new "$\epsilon$-Bayes Generative Bounded Privacy Response" ($\epsilon$-BGBP response) and provided the following explanation (starting from Line 386 in the revised version):

" An $\epsilon$-BGBP response satisfies both (i) the conditions of a BGP response and (ii) the linear constraints in $\mathtt{DPH}[\vec{G};\epsilon]$. However, the attacker optimizing $\mathcal{L}_{\textup{CEL}}$ does not consider $\mathtt{DPH}[\vec{G};\epsilon]$ as a constraint in their optimization. In other words, $\mathtt{DPH}[\vec{G};\epsilon]$ is not a restriction on the attacker's strategy. Instead, it is the defender’s choice of $\vec{G}$ that must ensure the induced attacker's BGP response also satisfies the constraints in $\mathtt{DPH}[\vec{G};\epsilon]$. That is, $\mathtt{DPH}[\vec{G};\epsilon]$ constrains the defender's optimization problem. "

(Continued on Part 2)

(Continuation of W2)

Response:

To further facilitate our mitivations and the conceptual messages, we have added a new Proposition 5. The original Proposition 5 now becomes Proposition 6 in the revised version. We have added explanation for Proposition 6 in the revised version starting from Line 394:

*" Proposition 6 establishes the necessity and sufficiency of using the BGBP response to implement a pure ($\xi=0$) differentially private mechanism. Consequently, for a composition (or a single mechanism) $\mathcal{M}(\vec{G}^{\star})$ to satisfy $\epsilon$-DP, the defender selects $\vec{G}^{\star}$ based on a given $\epsilon$, ensuring:

$$\vec{G} ^{\star} \in \arg\min _{\vec{G}} \widetilde{\mathcal{L}} _{D}(\vec{G}, \text{s.t. } H ^{\star}), \quad H ^{\star} \in \arg\min\nolimits _{H} \mathcal{L} _{\textup{CEL}}(\vec{G}, H) \cap \mathtt{DPH}[\vec{G};\epsilon].$$

This choice of $\vec{G}^{\star}$ guarantees that $\mathcal{M}(\vec{G})$ is an $\epsilon$-DP mechanism that optimally balances the privacy-utility trade-off for a given privacy risk characterized by $\epsilon$. "*

Question 1. Does the utility loss account for clipping?

Response:

We appreciate the reviewer's question. To clarify:

1. The utility loss function $\ell_U(\|\delta\|_p)$ does not explicitly account for the effect of clipping. However, minimizing $\ell_U(\|\delta\|_p)$ implies minimizing the loss with clipping in our case study of sharing summary statistics of the genomic dataset. Importantly, our approach and the main theoretical results are agnostic to whether clipping is applied. They hold under both clipped and un-clipped scenarios without requiring any specific assumptions tied to either case.
2. Our results are designed to accommodate defender-customized objective functions that reflect the defender’s preferences over the privacy-utility trade-off. This flexibility ensures the applicability of our approach across diverse scenarios with varying trade-off requirements.
3. We have clearly stated the assumptions (Assumption 1) required for the defender’s objective function to ensure the validity of our approach. For further details, please see the revised paper, starting from Line 233, where these assumptions are explicitly outlined.

Q2. Are we guaranteed that the equilibrium exists for typical classes of neural networks?

Response: Thank you for this queston. The existence of the equilibrium in our framework depends on whether the neural networks used in the general-sum GAN are ideal or parameterized. We address both cases below.

1. For the ideal, non-parameterized neural networks, the equilibrium exists because these idealized networks can perfrectly represent the true probability distributions. In this case, the BNE is guaranteed to exist because there are no representational constraints.
2. For parameterized neural networks with specific classes of parameters, the guarantee of equilibrium existence depends on the representational capacity of the network. Parameterized neural networks operate within a finite-dimensional parameter space, which constrains the set of functions they can represent. In contrast, the true underlying probability distributions often reside in a richer, infinite-dimensional functional space that cannot always fully captured by finite parameterizations.

This introduces an approximation gap between the distributions representable by the parameterized network and the true underlying distributions. This gap is intrinsic to the parameterization itself and persists even in the theoretical limit of perfect optimization and infinite data. The parameterized networks can approximate the equilibrium in practice. However, the existence of a true equilibrium in this constrained setting depends on the alignment between the parameterized network's capacity and the structure of the distributions.

Q3: Can the authors explain this assumption of Theorem 1 a bit further and speak to whether it is realistic?

Response:

We have summarize this assumption by Assumption 1 in the revised version (Line 233):

Assumption 1. For a given $g _{D}$, the defender's expected loss $\mathcal{L} _{D}(g _{D}, h _{A})$ increases as either $\mathtt{TPR}(h _{A}, g _{D})$ or $\mathtt{Adv}^{0.5}(h _{A}, g _{D})$ increases.

Assumption 1 ensures a meaningful choice of the objective function for privacy-utility trade-off.

This assumption ensures a meaningful formulation of the privacy-utility trade-off by establishing a relationship between the defender’s expected loss and the privacy risk, which depends on the attacker’s strategy, under a given privacy strategy $g _{D}$ (or equivalently G). Specifically, it reflects the intuition that as privacy risk increases (i.e., higher $\mathtt{TPR}(h _{A}, g _{D})$ or $\mathtt{Adv}^{0.5}(h _{A}, g _{D})$, depending on how the attacker responds) the defender, who uses a fixed $g _{D}$, incurs greater loss. Consequently, the defender’s goal is to minimize both the privacy risk and the utility loss.

A common class of loss functions satisfying Assumption 1 includes those where the defender’s expected loss is expressed as an additive combination of privacy risk and utility loss. It is standard practice to quantify privacy loss using measures such as the attacker’s true positive rate ($\mathtt{TPR}$) or membership advantage ($\mathtt{Adv}$).

Furthermore, it is realistic to assume that the utility loss is determined solely by the defender’s privacy protection strategy and remains independent of the attacker’s responses. This is because, for a given privacy strategy $g _{D}$, the utility component of the trade-off is fixed and does not depend on how the attacker responds.

Q4:Curves in Figure 1(a)

Response:

We sincerely thank the reviewer for pointing out the issue and the typo in Figure 1a. We have corrected the legend, which should indicate "Attacker" instead of "Defender".

Regarding the trade-off curve, you are absolutely correct that under the Neyman-Pearson lemman, a Uniformly Most Powerful (UMP) LRT attacker would produce a ROC curve that is continuous, non-decreasing, and concave.

However, in our experiments, the baseline LRT attackers are fixed-threshold LRT and adaptive-threshold LRT attackers (e.g., Sankararaman et al., 2009; Shringarpure & Bustamante, 2015; Venkatesaramani et al., 2021; 2023). These LRT models are in general not UMP tests for any given privacy protection strategies. As such, their resulting trade-off curves are not guaranteed to satisfy the concavity properties associated with UMP tests.

Typographical Issues

Thank you for pointing our these issues! We have corrected the typoes. Regarding the use of the term "risk" (Line 298, Definition 2), we have changed "Bayes Generative Privacy (BGP) risk" to "BGP response".

Thank you for addressing my points about writing/notational clarity in such detail. The paper is easier to read now. Thank you also for the clarification regarding Figure 1a.

I perhaps did not emphasize this strongly enough in my original review but I remain concerned about the privacy guarantees provided by your framework. Real models do of course have finite representational capacity and thus we don't seem to have a general assurance of convergence to some equilibrium. There does not appear to be a theoretical analysis of the privacy risk due to finite representational capacity of the attacker nor due to incomplete training of the GAN. After all it is not possible to train for an infinite anmount of time with an infinite amount of data.

I also remain unconvinced in the empirical evidence for the strength of your privacy model. Figure 1a does not show the optimal alpha-LRT attacker. The adaptive threshold attacker is also not shown completely, so it doesn't seem possible to fully compare to the Bayesian attacker.

I am also having some trouble understanding the theoretical guarantee of Theorem 2. It is not clear to me how one would set about finding an aligned prior. This seems critical for ensuring a meaningful privacy guarantee.

There is also a connection to existing privacy guarantees of the DP framework through Proposition 6 but this seems to be mostly a connection in definition-only. This result would be strengthened by an algorithm or explanation how to train the network so as to ensure all BGP responses are in fact eps-BGBP. In any case, it is still not clear what improvement is offered over the existing DP framework.

I thank the authors for their efforts in addressing my comments, especially for the new optimal LRT plot.

Nonetheless, I remain highly concerned about the privacy guarantees of your proposed framework. You are of course correct that privacy accounting for standard DP has outstanding computational and exactness issues. You are also correct that optimal privacy-utility tradeoffs are not fully understood in the standard DP framework. These issues essentially lead to pessemistic upper bounds on the privacy loss and thus unnecessary utility loss. As far as I can tell, however, your framework does not provide a guarantee (upper bound) on the privacy leakage. Theorem 1, for instance, asserts that the privacy loss under the proxy CEL attacker loss leads to no worse privacy leakage than under the true Nash equilibrium, yet there is no characterization of the Nash equilibrium privacy loss. Theorem 2 also does not provide a bound on the Bayesian privacy risk. Worse still, incomplete training of the GAN may also lead to additional privacy loss that is not accounted for in your framework. Under the standard DP setting, incomplete training does not result in an incorrect privacy loss guarantee.

Overall, I think extending the standard DP framework to the Bayesian setting is a very nice direction and I greatly appreciate the authors efforts to improve the clarity of their work. However, due to a lack of a hard guarantee on the privacy leakage in both the idealized case (GAN fully trained) as well as the realistic case (GAN unfully trained), I will leave my score as it is.

We thank the reviewer for their valuable comments and suggestions!

W1: Since v(p, b) and the loss function be analyzed are proxies, the analysis of the approximation error should be provided.

Response:

As demonstrated in Section 3.1, the proxies we have chosen do not induce approximation errors. Instead, these proxy-based formulations allow the defender to achieve the most robust privacy protection strategies for any objective function that captures the privacy-utility trade-off while satisfying Assumption 1. This ensures that the defender’s strategy directly aligns with the true optimization objective, eliminating the need for additional approximations or error-prone surrogates.

W2. Complexity Analysis and Runtime of Experiments

Response:

In Appendix P.9, we have included a comprehensive complexity analysis of both the Attacker (D) and Defender (G) neural network architectures. This analysis describes the number of trainable parameters and the computational complexity for both networks, accounting for their input dimensions, hidden layer configurations, and output dimensions. Specifically, we analyze the dominant operations, such as the forward passes through linear layers, and provide clear expressions for the overall computational complexity.

Regarding runtime, the experiments were conducted using an NVIDIA A40 48G GPU with PyTorch as the deep learning framework. While precise runtimes for individual forward or training passes were not recorded, most experiments completed within 2 hours, with the most computationally intensive configurations taking up to 6 hours. These durations reflect the computational feasibility of our framework, given the complexity of the tasks and the scale of the models.

Q1: In Eqn.2, why the coefficient of two terms are different (1-$\gamma$, $\gamma$)?

Response:

We thank the reviewer for their question. Equation (2) introduces the Bayes-weighted membership advantage (BWMA), which extends the standard per-individual membership advantage (MA) in Equation (1). This extension incorporates the following considerations to model the attacker's decision-making process more comprehensively:

1. Prior Knowledge: BWMA leverages the prior distribution $\theta$ of the membership information. This reflects the attacker's Bayesian decision-making, accounting for their prior knowledge about the dataset.

2. Heterogeneous Preferences: BWMA introduces the parameter $0 < \gamma \leq 1$ to capture the trade-off between true positive rate (TPR) and false positive rate (FPR). The coefficients $(1-\gamma)$ and $\gamma$ represent the attacker's weighted preferences for maximizing TPR and minimizing FPR, respectively:

   • A smaller $\gamma$ emphasizes maximizing TPR, reflecting scenarios where the attacker prioritizes correctly identifying members of the dataset.
   • A larger $\gamma$ prioritizes minimizing FPR, corresponding to scenarios where the attacker seeks to reduce false positives.
   • When $\gamma = 0.5$, the attacker values TPR and FPR equally, leading to a balanced trade-off.

Thus, the coefficients $(1-\gamma)$ and $\gamma$ are designed to introduce flexibility in modeling diverse attacker strategies based on their preferences. This extension ensures that the BWMA captures a broader spectrum of attacker behaviors, enhancing the applicability of the framework.

We thank the reviewer for their valuable comments and suggestions!

W1. The writing of the introduction is a bit confusing for someone who is not already familiar with the concepts used in this paper. It would help to rephrase it but also to provide an outline of the structure of the paper.

Response:

In the revised version, we have significantly improved the introduction to enhance its accessibility and clarity for readers unfamiliar with the concepts in this paper. The revised introduction now follows a structured approach: it clearly outlines the problem, highlights the motivation, introduces our proposed approach, and conveys the key conceptual contributions.

We have simplified the language to make the motivation and novelty of our approach more explicit. Specifically, the revised text clearly highlights how the Bayes-Nash Generative Privacy (BNGP) strategy addresses key limitations of standard differential privacy frameworks, including avoiding intractable sensitivity calculations, circumventing worst-case proofs for compositions, and enabling compositions of mechanisms with arbitrary correlations.

Additionally, we have added an outline of the paper structure at the end of the introduction to guide readers through the organization of the paper. This structure provides a clear roadmap for the subsequent sections.

W2. Overall, the writing of the paper is highly technical and while the detailed proofs of the different lemma and theorems are given in Appendices, it would be great to provide some intuition or a sketch in the main paper.

Response:

In the appendixes, we have made the following revisions to improve accessibility for readers.

• In Appendix A, we have included tables of notations categorized by sections to enhance clarity and make it easier for readers to follow the technical details.
• In Appendix B, we provide descriptions and intuitive explanations for the proof of each theoretical result.

W3. Some information are currently missing in the description of the experiments such as the value of the parameter epsilon used as well as the experimental details for the Adult and MNIST dataset.

Response:

We thank the reviewer for pointing out the missing details in the description of the experiments.

The section of experiments (Section 5) has been extensively revised to enhance clarity.

The value of $\epsilon$ in Figure 1c is $1.25 \times 10^{5}$ (Appendix P.3 provides detailed explanation). The experiment for Figure 1c shows an example that illustrate the advantages of the Bayesian defender (i.e., using the BNGP strategy) over the standard DP in addressing defender-customized objectives for the privacy-utility trade-off when the same utility loss is maintained in the trade-off. Figure 1c shows that even with equal utility loss, the $\epsilon$-DP defense can incur significantly greater privacy loss under the Bayesian attack.

Experimental details for Adult and MNIST dataset are provided in Appendix P.5.

W4. The framework considered that the data of each participant is just a binary value while in the majority of the setting (such as learning a machine learning model), the profile of the user is a feature vector.

Response:

We appreciate the reviewer's observation regarding the binary representation of the participant data. To clarify:

1. Our framework and results are established under general settings where each data point is represented as a feature vector. The theoretical guarantees and methodology explicitly account for such general cases, rather than being specific to binary attributes.
2. The membership vector is binary because it represents the two possible states for each individual $k$: inclusion in the dataset (i.e., $b_{k}=1$) and and exclusion from the dataset (i.e., $b_{k}=0$). This binary distinction pertains to the dataset membership status and does not limit the attributes of the data points themselves.
3. The case study in Section 4 specifically focuses on genomic datasets, where the attributes of each data point are binary due to the nature of Single Nucleotide Variants (SNVs). This example illustrates the applicability of our framework in such contexts.
4. Our experiments also include results on non-binary attribute datasets, such as MNIST.