
\subsection{Possible Defenses}\label{subsec:defenses}





\begin{figure}[htbp]
    \centering
    \subfigure[Attack accuracy vs.\ Model performance]   {\includegraphics[width=0.47\textwidth]{figures/defense/MAE_vs_attack.pdf}
    \label{fig:mae_dp}
    }
    \hfill
    \subfigure[Attack accuracy vs.\ Overfitting]{
        \includegraphics[width=0.47\textwidth]{figures/defense/overfitting_vs_attack.pdf}
        \label{fig:overfit_dp}
    }
    \caption{Differential privacy reduces membership inference attacks. Figure~\subfigref{fig:overfit_dp} shows that the effectiveness of membership inference attack is correlated with overfitting. Error bars are generated by bootstrapping the test set 5 times using 1000 samples. Results with $R^2$ as the measure of model performance are shown in \appendixref{sec:differential_privacy}.}%
    \label{fig:differential_privacy}
\end{figure}
Various approaches have been proposed to mitigate membership inference attacks directly. These approaches are based on controlling overfitting~\cite{truex2018towards, salem2019ml} and training data memorization~\cite{jha2020extension}, or on adversarial training~\cite{nasr2018machine}. We evaluate differentially private machine learning as one of these defenses.

Differential privacy~\cite{dwork2014algorithmic} is often touted as a panacea for all privacy-related problems.
We evaluate the effect of training models with privacy guarantees on membership inference attacks and model performance, measured as mean absolute error \rebuttal{in the centralized setup}. To train the models with differential privacy, we used the \texttt{DP-SGD} algorithm of \citet{abadi2016deep}, which works by adding Gaussian noise to the gradient updates from each sample%
\footnote{For a brief description of differential privacy and details of differentially private training, see \appendixref{sec:differential_privacy}.}%
. We varied the noise magnitude to achieve different points on the trade-off curves of \figureref{fig:differential_privacy}. Models trained with differential privacy significantly reduce attack accuracy, but this is achieved at the cost of a significant drop in model performance (\figureref{fig:mae_dp}). We visualize the relation between overfitting, measured as the difference between train and test performance, and attack vulnerability \rebuttal{of the models trained with differential privacy} in \figureref{fig:overfit_dp}. We see that overfitting is highly correlated with attack accuracy, indicating that these attacks may be prevented, to some extent, by avoiding overfitting.
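As an added illustration (not code from the paper or from \citet{abadi2016deep}), the following Python sketches the \texttt{DP-SGD} update described above for a small linear regression model: each per-sample gradient is clipped, the clipped gradients are summed and perturbed with Gaussian noise whose scale is set by a noise multiplier, and the train/test MAE gap used as the overfitting measure is computed. The synthetic data, the model, and all hyperparameters are constructed here and are not the paper's.

```python
import math
import random

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def per_sample_gradient(w, x, y):
    # Gradient of the squared error (w.x - y)^2 for a single sample.
    err = dot(w, x) - y
    return [2.0 * err * xi for xi in x]

def clip_gradient(g, clip_norm):
    # Scale a per-sample gradient so its L2 norm is at most clip_norm.
    norm = math.sqrt(sum(gi * gi for gi in g))
    scale = min(1.0, clip_norm / norm) if norm > 0 else 1.0
    return [gi * scale for gi in g]

def dp_sgd_step(w, batch, clip_norm, noise_multiplier, lr, rng):
    # One DP-SGD update: clip each per-sample gradient, sum them, add Gaussian
    # noise with std noise_multiplier * clip_norm, average over the batch, step.
    total = [0.0] * len(w)
    for x, y in batch:
        for j, gj in enumerate(clip_gradient(per_sample_gradient(w, x, y), clip_norm)):
            total[j] += gj
    sigma = noise_multiplier * clip_norm
    noisy = [t + rng.gauss(0.0, sigma) for t in total]
    return [wj - lr * nj / len(batch) for wj, nj in zip(w, noisy)]

def train_dp(data, epochs, batch_size, clip_norm, noise_multiplier, lr, seed=0):
    # Mini-batch DP-SGD over shuffled data; noise_multiplier=0 gives plain SGD.
    rng = random.Random(seed)
    w = [0.0] * len(data[0][0])
    for _ in range(epochs):
        shuffled = data[:]
        rng.shuffle(shuffled)
        for i in range(0, len(shuffled), batch_size):
            w = dp_sgd_step(w, shuffled[i:i + batch_size], clip_norm, noise_multiplier, lr, rng)
    return w

def mean_absolute_error(w, data):
    return sum(abs(dot(w, x) - y) for x, y in data) / len(data)

def overfitting_gap(w, train, test):
    # Train/test performance difference, the overfitting measure used in the text.
    return mean_absolute_error(w, test) - mean_absolute_error(w, train)

def make_data(n, seed):
    # Constructed synthetic regression data (not the paper's): y = 1.5*x1 - 2*x2 + 0.5 + noise.
    rng = random.Random(seed)
    return [([x1, x2, 1.0], 1.5 * x1 - 2.0 * x2 + 0.5 + rng.gauss(0.0, 0.05))
            for x1, x2 in ((rng.uniform(-1, 1), rng.uniform(-1, 1)) for _ in range(n))]
```

Raising the noise multiplier with a fixed clipping norm moves the model along the trade-off curve: the test MAE grows while the per-step influence of any single sample stays bounded by the clip.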


