A Bayesian Approach to Membership Inference for Statistical Release
Pith reviewed 2026-06-29 06:43 UTC · model grok-4.3
The pith
A Bayesian decision framework using population Bayesian networks enables more effective membership inference attacks than marginal-based methods.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
We develop a framework based on Bayesian decision-making which can incorporate prior information about the population to launch more effective, specialized attacks. We prove its equivalence to an optimal variant of the likelihood ratio test attack for two populations with strong attribute dependency. We implement our program in the Roulette probabilistic programming language and show experimentally that it outperforms the likelihood ratio test and inner product attacks on five commonly used BNs, where the population dependency structure is too complex for the existing attacks to be manually adapted.
What carries the argument
The Bayesian decision-making framework that uses a probabilistic program to compute the posterior probability of an individual's membership given the released statistics and the Bayesian network model of the population.
If this is right
- The new attack can incorporate additional information about attribute dependencies to improve effectiveness.
- It is equivalent to the optimal likelihood ratio test for populations with strong attribute dependency.
- It outperforms the likelihood ratio test and inner product attacks on five commonly used Bayesian networks.
- The framework allows specialization of attacks when parties have access to similarly structured data.
Where Pith is reading between the lines
- If attackers can obtain Bayesian networks from related datasets like census data, privacy analyses must account for this auxiliary information.
- Defending against such attacks may require mechanisms that obscure dependency structures in addition to adding noise to statistics.
- This approach could be extended to other privacy settings where the attacker has a model of the data distribution.
Load-bearing premise
The attacker has an accurate Bayesian network that correctly captures the attribute dependency structure of the underlying population.
What would settle it
An experiment where the Bayesian attack fails to outperform standard attacks despite the attacker using a correct Bayesian network model of the population would falsify the claim of improved effectiveness.
Figures
read the original abstract
The membership inference problem for publicly released statistics from a private dataset is well-studied. When developing and formally analyzing attack strategies, however, the focus has been on attacks that model the population using only its marginals. In practice, these attacks can perform well on various populations, however most formal analysis is for populations that follow a product distribution. These strategies may fail to leverage useful information about the population that is important for understanding a realistic privacy threat. In this work, we explore the impact of providing an attacker with additional information about the attribute dependency structure of the population, motivated by examples where multiple parties may have access to similarly structured data, for example the US Census and the IRS. To model this scenario, we re-frame the membership inference problem with respect to a population represented as a Bayesian network (BN). We develop a framework based on Bayesian decision-making which can incorporate prior information about the population to launch more effective, specialized attacks. To evaluate our framework, we introduce a specific attack instantiation which computes the Bayesian posterior using a probabilistic program, and prove its equivalence to an optimal variant of the likelihood ratio test attack for two populations with strong attribute dependency. We implement our program in the Roulette probabilistic programming language and show experimentally that it outperforms the likelihood ratio test and inner product attacks on five commonly used BNs, where the population dependency structure is too complex for the existing attacks to be manually adapted.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript develops a Bayesian decision-theoretic framework for membership inference attacks on statistical releases from private datasets. The population is modeled as a Bayesian network to capture attribute dependencies (motivated by scenarios like Census/IRS data sharing), an attack is instantiated via probabilistic programming to compute membership posteriors, equivalence to an optimal likelihood-ratio test variant is proved for the restricted case of two populations with strong attribute dependency, and the attack is shown to outperform standard LRT and inner-product baselines on five commonly used BNs whose dependency structure is too complex for manual adaptation of marginal attacks.
Significance. If the results hold, the work is significant because it supplies a principled, extensible method for incorporating prior structural information into membership inference, addressing a gap where existing marginal-based attacks cannot be manually adapted to complex dependencies. The explicit proof of equivalence to the optimal LRT variant in the special case is a clear strength, as is the use of probabilistic programming (Roulette) for the concrete attack. This could help privacy analysts evaluate releases of structured data more realistically. The significance is limited by the idealized modeling assumption discussed below.
major comments (1)
- Abstract (and the framework/equivalence claims): the equivalence to the optimal LRT variant and the reported outperformance both rest on the attacker being supplied with a BN whose structure and parameters exactly match the data-generating distribution. The motivating examples (Census, IRS) require the BN to be learned or estimated from auxiliary data, yet no sensitivity analysis to structure errors or parameter noise is provided; if this assumption fails, both the optimality result and the experimental gains become void.
Simulated Author's Rebuttal
We thank the referee for the constructive review and for identifying a key modeling assumption in our work. We address the major comment below.
read point-by-point responses
-
Referee: [—] Abstract (and the framework/equivalence claims): the equivalence to the optimal LRT variant and the reported outperformance both rest on the attacker being supplied with a BN whose structure and parameters exactly match the data-generating distribution. The motivating examples (Census, IRS) require the BN to be learned or estimated from auxiliary data, yet no sensitivity analysis to structure errors or parameter noise is provided; if this assumption fails, both the optimality result and the experimental gains become void.
Authors: We agree that the equivalence proof and the reported experimental gains are derived under the assumption that the attacker is provided with a BN whose structure and parameters exactly match the data-generating distribution. This assumption is stated in the framework section and is necessary for the Bayesian decision-theoretic formulation and the optimality result in the two-population case. The motivating examples (Census, IRS) are used to illustrate scenarios in which an attacker could obtain a BN that captures the relevant dependency structure from similarly structured auxiliary data sources, rather than claiming that the BN is learned as part of the attack itself. We acknowledge that the manuscript does not include sensitivity analysis to errors in BN structure or parameters, which is a genuine limitation when applying the results to settings where the BN must be estimated. In the revised manuscript we will (i) qualify the abstract and introduction to make the exact-match assumption explicit, (ii) add a dedicated limitations paragraph discussing the effect of approximate BNs, and (iii) include a modest sensitivity experiment that perturbs parameters on one of the five BNs to illustrate robustness or degradation. revision: yes
Circularity Check
No significant circularity; derivation is self-contained under explicit modeling assumptions.
full rationale
The paper reframes membership inference using a supplied Bayesian network to model population dependencies, then defines a Bayesian decision attack and proves its equivalence to an optimal LRT variant specifically for the case of two populations whose dependency structure is exactly captured by the given BN. This equivalence is a conditional mathematical result within the assumed model rather than a self-definitional reduction or a fitted parameter renamed as a prediction. No load-bearing step relies on self-citation chains, ansatz smuggling, or uniqueness theorems imported from the authors' prior work. Experiments compare the instantiated probabilistic program against LRT and inner-product baselines on five BNs, providing an independent empirical check outside the equivalence proof. The strong modeling assumption (perfect BN) is stated explicitly and does not create circularity in the derivation chain.
Axiom & Free-Parameter Ledger
axioms (1)
- domain assumption The population distribution can be accurately represented by a Bayesian network known to the attacker
Reference graph
Works this paper leans on
-
[1]
Genomic privacy and limits of individual detection in a pool,
S. Sankararaman, G. Obozinski, M. I. Jordan, and E. Halperin, “Genomic privacy and limits of individual detection in a pool,”Nature Genetics, vol. 41, no. 9, pp. 965–967, 2009, publisher: Nature Publishing Group. [Online]. Available: https://www.nature.com/articles/ng.436
2009
-
[2]
N. Homer, S. Szelinger, M. Redman, D. Duggan, W. Tembe, J. Muehling, J. V. Pearson, D. A. Stephan, S. F. Nelson, and D. W. Craig, “Resolving Individuals Contributing Trace Amounts of DNA to Highly Complex Mixtures Using High-Density SNP Genotyping Microarrays,”PLOS Genetics, vol. 4, no. 8, p. e1000167, 2008, publisher: Public Library of Science. [Online]....
-
[3]
Robust traceability from trace amounts,
C. Dwork, A. Smith, T. Steinke, J. Ullman, and S. Vadhan, “Robust traceability from trace amounts,” in2015 IEEE 56th Annual Symposium on Foundations of Computer Science, 2015, pp. 650–669
2015
-
[4]
Exposed A Survey of Attacks on Private Data,
C. Dwork, A. Smith, T. Steinke, and J. Ullman, “Exposed A Survey of Attacks on Private Data,” Annual Review of Statistics and Its Application, vol. 4, no. 1, pp. 61–84, Mar. 2017. [Online]. Available: https://www.annualreviews.org/doi/10.1146/annurev-statistics-060116-054123
-
[5]
Hack at columbia hits 870k people,
S. Weissman, “Hack at columbia hits 870k people,”Inside Higher Education, 12 Aug 2025, available at: https://www.insidehighered.com/news/tech-innovation/administrative-tech/2025/ 08/12/hack-columbia-university-hits-870k-people (Accessed: January 13th, 2025)
2025
-
[6]
K. P. Murphy,Probabilistic machine learning: an introduction. MIT press, 2022
2022
-
[7]
Darwiche,Modeling and reasoning with Bayesian networks
A. Darwiche,Modeling and reasoning with Bayesian networks. Cambridge university press, 2009
2009
-
[8]
Roulette: A language for expressive, exact, and efficient discrete probabilistic programming (with appendices),
C. MOY, J. CZENSZAK, J. M. LI, B. MARSHALL, and S. HOLTZEN, “Roulette: A language for expressive, exact, and efficient discrete probabilistic programming (with appendices),”Proceedings of the ACM on Programming Languages, vol. 9, no. PLDI, 2025
2025
-
[9]
Sequential conditional transport on probabilis- tic graphs for interpretable counterfactual fairness,
A. F. Machado, A. Charpentier, and E. Gallic, “Sequential conditional transport on probabilis- tic graphs for interpretable counterfactual fairness,” inProceedings of the AAAI Conference on Artificial Intelligence, vol. 39, no. 18, 2025, pp. 19 358–19 366. 16
2025
-
[11]
A survey of bayesian network structure learning,
N. K. Kitson, A. C. Constantinou, Z. Guo, Y. Liu, and K. Chobtham, “A survey of bayesian network structure learning,”Artificial Intelligence Review, vol. 56, no. 8, pp. 8721–8814, 2023
2023
-
[12]
Scaling exact inference for discrete probabilistic programs,
S. Holtzen, G. Van den Broeck, and T. Millstein, “Scaling exact inference for discrete probabilistic programs,”Proceedings of the ACM on Programming Languages, vol. 4, no. OOPSLA, pp. 1–31, 2020
2020
-
[13]
K. B. Korb and A. E. Nicholson,Bayesian artificial intelligence. CRC press, 2010
2010
-
[14]
Local computations with probabilities on graphical structures and their application to expert systems,
S. L. Lauritzen and D. J. Spiegelhalter, “Local computations with probabilities on graphical structures and their application to expert systems,”Journal of the Royal Statistical Society: Series B (Methodological), vol. 50, no. 2, pp. 157–194, 1988
1988
-
[15]
Scutari and J.-B
M. Scutari and J.-B. Denis,Bayesian networks: with examples in R. Chapman and Hall/CRC, 2021
2021
-
[16]
Causal protein-signaling networks derived from multiparameter single-cell data,
K. Sachs, O. Perez, D. Pe’er, D. A. Lauffenburger, and G. P. Nolan, “Causal protein-signaling networks derived from multiparameter single-cell data,”Science, vol. 308, no. 5721, pp. 523–529, 2005
2005
-
[17]
Learning bayesian networks with the bnlearn R package,
M. Scutari, “Learning bayesian networks with the bnlearn R package,”Journal of Statistical Software, vol. 35, no. 3, pp. 1–22, 2010
2010
-
[18]
pgmpy: A python toolkit for bayesian networks,
A. Ankan and J. Textor, “pgmpy: A python toolkit for bayesian networks,”Journal of Machine Learning Research, vol. 25, no. 265, pp. 1–8, 2024. [Online]. Available: http://jmlr.org/papers/v25/23-0487.html
2024
-
[19]
The algorithmic foundations of differential privacy,
C. Dwork and A. Roth, “The algorithmic foundations of differential privacy,”Foundations and trends®in theoretical computer science, vol. 9, no. 3-4, pp. 211–487, 2014
2014
-
[20]
Calibrating noise to sensitivity in private data analysis,
C. Dwork, F. McSherry, K. Nissim, and A. Smith, “Calibrating noise to sensitivity in private data analysis,” inTheory of cryptography conference. Springer, 2006, pp. 265–284
2006
-
[21]
Synthesizing tight privacy and accuracy bounds via weighted model counting,
L. Oakley, S. Holtzen, and A. Oprea, “Synthesizing tight privacy and accuracy bounds via weighted model counting,” in2024 IEEE 37th Computer Security Foundations Symposium (CSF). IEEE, 2024, pp. 449–463
2024
-
[22]
Privug: using probabilistic program- ming for quantifying leakage in privacy risk analysis,
R. Pardo, W. Rafnsson, C. W. Probst, and A. Wasowski, “Privug: using probabilistic program- ming for quantifying leakage in privacy risk analysis,” inEuropean Symposium on Research in Computer Security. Springer, 2021, pp. 417–438
2021
-
[23]
Probabilistic programs with stochastic condi- tioning,
D. Tolpin, Y. Zhou, T. Rainforth, and H. Yang, “Probabilistic programs with stochastic condi- tioning,” inInternational Conference on Machine Learning. PMLR, 2021, pp. 10 312–10 323
2021
-
[24]
Duet: an expressive higher-order language and linear type system for statically enforcing differential privacy,
J. P. Near, D. Darais, C. Abuah, T. Stevens, P. Gaddamadugu, L. Wang, N. Somani, M. Zhang, N. Sharma, A. Shanet al., “Duet: an expressive higher-order language and linear type system for statically enforcing differential privacy,”Proceedings of the ACM on Programming Languages, vol. 3, no. OOPSLA, pp. 1–30, 2019
2019
-
[25]
Programming language techniques for differential privacy,
G. Barthe, M. Gaboardi, J. Hsu, and B. Pierce, “Programming language techniques for differential privacy,”ACM SIGLOG News, vol. 3, no. 1, pp. 34–53, 2016. 17
2016
-
[26]
Linear dependent types for differential privacy,
M. Gaboardi, A. Haeberlen, J. Hsu, A. Narayan, and B. C. Pierce, “Linear dependent types for differential privacy,” inProceedings of the 40th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages, 2013, pp. 357–370
2013
-
[27]
Distance makes the types grow stronger: a calculus for differen- tial privacy,
J. Reed and B. C. Pierce, “Distance makes the types grow stronger: a calculus for differen- tial privacy,” inProceedings of the 15th ACM SIGPLAN international conference on Functional programming, 2010, pp. 157–168
2010
-
[28]
Quantifying the privacy risks of learning high-dimensional graphical models,
S. K. Murakonda, R. Shokri, and G. Theodorakopoulos, “Quantifying the privacy risks of learning high-dimensional graphical models,” inInternational Conference on Artificial Intelligence and Statistics. PMLR, 2021, pp. 2287–2295
2021
-
[29]
Approximate bayesian computation,
M. Sunn˚ aker, A. G. Busetto, E. Numminen, J. Corander, M. Foll, and C. Dessimoz, “Approximate bayesian computation,”PLoS computational biology, vol. 9, no. 1, p. e1002803, 2013
2013
-
[30]
Multi-language probabilistic programming,
S. Stites, J. M. Li, and S. Holtzen, “Multi-language probabilistic programming,”Proceedings of the ACM on Programming Languages, vol. 9, no. OOPSLA1, pp. 1239–1266, 2025
2025
-
[31]
Stan Reference Manual,
S. D. Team, “Stan Reference Manual,” https://mc-stan.org, 2026
2026
-
[32]
Pyro: Deep universal probabilistic programming,
E. Bingham, J. P. Chen, M. Jankowiak, F. Obermeyer, N. Pradhan, T. Karaletsos, R. Singh, P. A. Szerlip, P. Horsfall, and N. D. Goodman, “Pyro: Deep universal probabilistic programming,”J. Mach. Learn. Res., vol. 20, pp. 28:1–28:6, 2019. [Online]. Available: http://jmlr.org/papers/v20/18-403.html
2019
-
[33]
Auditing differentially private machine learning: How private is private SGD?
M. Jagielski, J. Ullman, and A. Oprea, “Auditing differentially private machine learning: How private is private SGD?” inProceedings of Advances in Neural Information Processing Systems, ser. NeurIPS, vol. 33, 2020, pp. 22 205–22 216. [Online]. Available: https://proceedings.neurips.cc/paper/2020/file/fc4ddc15f9f4b4b06ef7844d6bb53abf-Paper.pdf
2020
-
[34]
2021 IEEE symposium on security and privacy (SP) , pages=
M. Nasr, S. Song, A. Thakurta, N. Papernot, and N. Carlini, “Adversary instantiation: Lower bounds for differentially private machine learning,” in42nd IEEE Symposium on Security and Privacy, SP 2021, San Francisco, CA, USA, 24-27 May 2021. IEEE, 2021, pp. 866–882. [Online]. Available: https://doi.org/10.1109/SP40001.2021.00069
-
[35]
arXiv preprint arXiv:2302.03098 , year=
G. Andrew, P. Kairouz, S. Oh, A. Oprea, H. B. McMahan, and V. Suriyakumar, “One-shot empirical privacy estimation for federated learning,”CoRR, vol. abs/2302.03098, 2023
-
[36]
Tight auditing of differentially private machine learning,
M. Nasr, J. Hayes, T. Steinke, B. Balle, F. Tram` er, M. Jagielski, N. Carlini, and A. Terzis, “Tight auditing of differentially private machine learning,” inProceedings of the 32nd USENIX Conference on Security Symposium, ser. SEC ’23. USA: USENIX Association, 2023
2023
-
[37]
Unleashing the power of randomization in auditing differentially private ML,
K. Pillutla, G. Andrew, P. Kairouz, H. B. McMahan, A. Oprea, and S. Oh, “Unleashing the power of randomization in auditing differentially private ML,” inThirty- seventh Conference on Neural Information Processing Systems, 2023. [Online]. Available: https://openreview.net/forum?id=mlbes5TAAg
2023
-
[38]
Privacy auditing with one (1) training run,
M. J. Thomas Steinke, Milad Nasr, “Privacy auditing with one (1) training run,” in Thirty-seventh Conference on Neural Information Processing Systems, 2023. [Online]. Available: https://openreview.net/forum?id=mlbes5TAAg
2023
-
[39]
Enhanced membership inference attacks against machine learning models,
J. Ye, A. Maddi, S. K. Murakonda, V. Bindschaedler, and R. Shokri, “Enhanced membership inference attacks against machine learning models,” inProceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, 2022, pp. 3093–3106. 18
2022
-
[40]
Low-cost high-power membership inference attacks,
S. Zarifzadeh, P. Liu, and R. Shokri, “Low-cost high-power membership inference attacks,” in Forty-first International Conference on Machine Learning (ICML), 2024
2024
-
[41]
How much of my dataset did you use? quanti- tative data usage inference in machine learning,
Y. Tong, J. Ye, S. Zarifzadeh, and R. Shokri, “How much of my dataset did you use? quanti- tative data usage inference in machine learning,” inThe Thirteenth International Conference on Learning Representations (ICLR), 2025
2025
-
[42]
Range membership inference attacks,
J. Tao and R. Shokri, “Range membership inference attacks,” inIEEE Conference on Secure and Trustworthy Machine Learning (SaTML), 2025
2025
-
[43]
Comprehensive privacy analysis of deep learning,
M. Nasr, R. Shokri, and A. Houmansadr, “Comprehensive privacy analysis of deep learning,” in Proceedings of the 2019 IEEE Symposium on Security and Privacy (SP), 2018, pp. 1–15
2019
-
[44]
Membership inference attacks against machine learning models,
R. Shokri, M. Stronati, C. Song, and V. Shmatikov, “Membership inference attacks against machine learning models,” in2017 IEEE symposium on security and privacy (SP). IEEE, 2017, pp. 3–18
2017
-
[45]
Ml privacy meter: Aiding regulatory compliance by quantifying the privacy risks of machine learning,
S. Kumar and R. Shokri, “Ml privacy meter: Aiding regulatory compliance by quantifying the privacy risks of machine learning,” inWorkshop on Hot Topics in Privacy Enhancing Technologies (HotPETs), 2020. A Generative AI Usage Statement The authors did not use LLMs in any way in the research or writing of this paper. B Lemmas for Main Theorems Here we prese...
2020
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.