🤖 AI Summary
This work addresses the privacy risks in tabular foundation models, which rely on in-context examples containing sensitive data during inference, potentially leaking membership information through their attention mechanisms. The study is the first to identify and quantify membership signals embedded in attention patterns and introduces Attention-based Membership Inference Attack (AMIA), a novel attack that operates without requiring shadow models. To mitigate this threat, the authors propose a defense mechanism that applies k-anonymity–inspired de-uniquification to context keys at inference time, selectively protecting only high-risk queries. Experimental results demonstrate that AMIA outperforms conventional confidence-based attacks by an average of 7.7% in attack performance. The proposed defense reduces membership leakage by 50% under AMIA (and by 25% against confidence-based attacks) while incurring only a modest 3.9% drop in model utility.
📝 Abstract
Tabular foundation models are commonly assumed to present limited privacy concerns as they are often pre-trained on large collections of synthetic data. However, these models leverage in-context learning, where sensitive records may be provided directly at inference time as labelled context examples. In this paper, we demonstrate that predictions generated via the attention mechanism leak sufficient information to enable effective Membership Inference Attacks (MIAs). To highlight this vulnerability, we propose AMIA (Attention-based Membership Inference Attack), a shadow-model-free attack that exploits the concentration of transformer attention patterns. Our results show that attention mechanisms reveal strong membership signals, which exceed classical confidence-based attacks, achieving an average gain of 7.7\%, specially in low false-positive regimes. To mitigate this risk, we introduce an inference-time defence inspired by $k$-anonymity principles. This approach reduces the uniqueness of context-key representations without introducing random noise or retraining the model. By targeting only high-risk queries identified through AMIA scores, the defence substantially reduces membership leakage of this attack by an average of 50\% and 25\% against confidence-based attacks, while preserving predictive utility with only 3.9\% performance degradation. Beyond showing that context examples are vulnerable, we further demonstrate that fine-tuning introduces an additional source of privacy risk. In particular, samples whose prediction confidence increases after fine-tuning become more susceptible to MIAs, indicating that fine-tuning can amplify memorisation and expose sensitive training information through confidence shifts.