This study addresses the dynamic privacy leakage induced by membership inference attacks (MIAs) in deep learning, aiming to uncover when and how training data are encoded into inferable membership information. We propose a sample-level vulnerability tracking framework grounded in the false positive rate–true positive rate (FPR–TPR) plane, enabling fine-grained characterization of privacy risk evolution for individual samples throughout training. We empirically establish a strong correlation between intrinsic sample learnability and membership privacy risk, revealing that high-risk samples exhibit early crystallization of vulnerability—often within the first few epochs. Furthermore, we quantify how dataset complexity, model architecture, and optimizer choice jointly govern both the speed and extent of privacy leakage, thereby elucidating the underlying dynamic mechanisms of privacy risk formation. Our findings provide both theoretical foundations and actionable guidelines for designing proactive, privacy-aware training strategies.

Membership inference attacks (MIAs) pose a critical threat to the privacy of training data in deep learning. Despite significant progress in attack methodologies, our understanding of when and how models encode membership information during training remains limited. This paper presents a dynamic analytical framework for dissecting and quantifying privacy leakage dynamics at the individual sample level. By tracking per-sample vulnerabilities on an FPR-TPR plane throughout training, our framework systematically measures how factors such as dataset complexity, model architecture, and optimizer choice influence the rate and severity at which samples become vulnerable. Crucially, we discover a robust correlation between a sample's intrinsic learning difficulty, and find that the privacy risk of samples highly vulnerable in the final trained model is largely determined early during training. Our results thus provide a deeper understanding of how privacy risks dynamically emerge during training, laying the groundwork for proactive, privacy-aware model training strategies.