This work addresses critical limitations in existing evaluation methods for efficient membership inference attacks (MIAs), which suffer from unreliable true positive rate estimation, uncalibrated cross-sample false positive rates (FPRs), and finite-population bias—particularly under low-FPR regimes. The study is the first to uncover the calibration failure mechanism induced by cross-sample concatenation of MIA scores and proposes a post-processing calibration technique to harmonize FPRs across different samples. Furthermore, it corrects a positive finite-population bias present in the implementation of LiRA (Likelihood Ratio Attack). The proposed approach substantially enhances the reliability of MIA evaluations at low FPRs, offering a more accurate empirical auditing tool for differential privacy mechanisms.

Membership inference attacks (MIAs) are popular methods for empirically assessing the leakage of sensitive information in the training data through models or statistics learned from the data. The MIA vulnerability is often evaluated through false positive rate (FPR) and true positive rate (TPR) of a binary classifier that tries to predict whether a particular sample was in the training data. However, in order to reliably estimate the TPR especially for low FPR values, a lot of observations are needed, which in case of MIA translates to many target models, leading to large computational cost. To avoid excessive compute requirements, the MIA scores are often averaged over multiple individuals and multiple targeted models. We demonstrate two key weaknesses in this efficient MIA evaluation pipeline. First, we show that evaluating the TPR based on MIA scores concatenated across multiple individuals, commonly used to study vulnerabilities in the very low FPR regime, is not calibrated across the per-sample FPRs. This makes it unreliable as a tool for auditing differential privacy. To solve this, we propose a post-processing method to effectively calibrate the FPR across different samples. Second, we identify a finite population bias in the commonly used efficient likelihood-ratio attack (LiRA) implementation proposed by Carlini et al. 2022, leading to a positive bias in the per-sample vulnerability.