English

Assessing Per-Sample Membership Inference Vulnerability without Retraining

Machine Learning 2026-05-27 v2 Artificial Intelligence Machine Learning

Abstract

Recent work in the privacy literature shows that sample-targeted membership inference attacks (MIAs) significantly outperform untargeted approaches by a wide margin. Motivated by this observation, we address the following question: can the privacy vulnerability of individual training points be assessed without training shadow models? We show that per-sample exposure to MIA is governed not only by a point's loss, but also by a data-dependent geometric measure. In the linear setting, we derive a closed-form decomposition of individual black-box MIA vulnerability into a population leverage score and a residual loss term, making explicit how sample-dependent geometry translates into privacy exposure. Since the final layer of most modern architectures is linear, we extend this framework to deep networks and propose a surrogate score operating on last-layer representations that requires only a single trained model and no shadow models. Empirical evaluations across diverse datasets and architectures show that our score outperforms loss and gradient-norm baselines at identifying the highest-risk points under state-of-the-art attacks, providing a computationally efficient and theoretically grounded tool for per-sample privacy risk assessment.

Keywords

Cite

@article{arxiv.2602.15919,
  title  = {Assessing Per-Sample Membership Inference Vulnerability without Retraining},
  author = {Valentin Dorseuil and Jamal Atif and Olivier Cappé},
  journal= {arXiv preprint arXiv:2602.15919},
  year   = {2026}
}
R2 v1 2026-07-01T10:40:27.841Z