Membership Inference Attacks from Causal Principles

Membership Inference Attacks (MIAs) are widely used to quantify training data memorization and assess privacy risks. Standard evaluation requires repeated retraining, which is computationally costly for large models. One-run methods (single training with randomized data inclusion) and zero-run methods (post hoc evaluation) are often used instead, though their statistical validity remains unclear. To address this gap, we frame MIA evaluation as a causal inference problem, defining memorization as the causal effect of including a data point in the training set. This novel formulation reveals and formalizes key sources of bias in existing protocols: one-run methods suffer from interference between jointly included points, while zero-run evaluations popular for LLMs are confounded by non-random membership assignment. We derive causal analogues of standard MIA metrics and propose practical estimators for multi-run, one-run, and zero-run regimes with non-asymptotic consistency guarantees. Experiments on real-world data show that our approach enables reliable memorization measurement even when retraining is impractical and under distribution shift, providing a principled foundation for privacy evaluation in modern AI systems.

💡 Research Summary

Membership inference attacks (MIAs) are a cornerstone tool for quantifying how much a machine‑learning model memorizes its training data, thereby exposing privacy risks. Traditional evaluation of MIAs follows a multi‑run protocol: for each data point, a model is trained twice—once with the point included and once without—and the resulting scores are compared. While statistically sound, this approach is infeasible for modern large‑scale models due to the prohibitive computational cost. Consequently, the community has turned to more efficient alternatives: one‑run methods that train a single model on a random subset of data, and zero‑run (post‑hoc) methods that evaluate a fixed, already‑deployed model without any retraining. However, the statistical validity of these shortcuts has remained largely unexamined.

The paper reframes MIA evaluation as a causal inference problem. The inclusion of a data point in the training set is treated as a binary treatment (A_i), and the MIA score (e.g., loss, log‑likelihood) computed on that point after training is the outcome (Y_i). The two potential outcomes (Y_i(1)) and (Y_i(0)) correspond to the model’s score when the point is, respectively, included or excluded from training. Because only one of these worlds is observed for each point, individual treatment effects are not identifiable, but population‑level causal estimands such as the average treatment effect (ATE) can be estimated under appropriate assumptions.

The authors map the three evaluation regimes onto standard causal settings:

• Multi‑run corresponds to a randomized controlled trial (RCT). Treatment assignment is independent and each unit (data point) has its own model, satisfying SUTVA (no interference) and overlap. The ATE coincides with the classic “membership advantage” metric.

• One‑run retains random treatment assignment but introduces interference: all points share a single trained model, so the inclusion of one point can affect the scores of all others. This scenario is an RCT with interference, represented by a causal graph where the shared training set (D_{\text{train}}) mediates between all treatments and outcomes. The paper shows that, under algorithmic stability assumptions (the model’s output changes only modestly when a single training example is added or removed), the ATE remains identifiable and can be consistently estimated despite complete interference.

• Zero‑run lacks random treatment assignment; membership is determined by external factors (e.g., pre‑ versus post‑cutoff documents for LLMs). Consequently, there is confounding: the covariates (X_i) influence both treatment (A_i) and outcome (Y_i). This setting is an observational study with interference, and naïve MIA metrics conflate true memorization with distribution shift between members and non‑members.

To address these biases, the authors introduce causal counterparts to standard MIA metrics (Table 1). The causal membership advantage becomes the ATE (\tau_{\text{ATE}} = \mathbb{E}_{X\sim P_T}