Enhancing Deep Learning Model Privacy Against Membership Inference Attacks Using Privacy-Preserving Oversampling

The overfitting of deep learning models trained using moderately imbalanced datasets is the main factor in increasing the success rate of membership inference attacks. While many oversampling methods have been designed to minimize the data imbalance, only a few defend the deep neural network models against membership inference attacks. We introduce the privacy preserving synthetic minority oversampling technique (PP-SMOTE), that applies privacy preservation mechanisms during data preprocessing rather than the model training phase. The PP-SMOTE oversampling method adds Laplace noise to generate the synthetic data points of minority classes by considering the L1 sensitivity of the dataset. The PP-SMOTE oversampling method demonstrates lower vulnerability to membership inference attacks than the DNN model trained on datasets oversampled by GAN and SVMSMOTE. The PP-SMOTE oversampling method helps retain more model accuracy and lower membership inference attack accuracy compared to the differential privacy mechanisms such as DP-SGD, and DP-GAN. Experimental results showcase that PP-SMOTE effectively mitigates membership inference attack accuracy to approximately below 0.60 while preserving high model accuracy in terms of AUC score approximately above 0.90. Additionally, the broader confidence score distribution achieved by the PP-SMOTE significantly enhances both model accuracy and mitigation of membership inference attacks (MIA). This is confirmed by the loss-epoch curve which shows stable convergence and minimal overfitting during training. Also, the higher variance in confidence scores complicates efforts of attackers to distinguish training data thereby reducing the risk of MIA.