Privacy Enhancing Technologies (PETs) 2026 · arXiv:2505.13362

DynaNoise

Dynamic Probabilistic Noise Injection
for Membership Inference Defense

An adaptive inference-time defense that modulates injected noise based on per-query entropy — achieving near-chance attack success rates with only 1% overhead and zero retraining required.

Javad Forough & Hamed Haddadi · Imperial College London

↗ Read Paper ▶ Interactive Demo ◈ View Results

0%Attack success rate (near chance)

0%Inference overhead added

0Attack types evaluated

0Benchmark datasets

01 / Overview

The Privacy-Utility Dilemma

Machine learning models inadvertently memorize training data. Membership Inference Attacks exploit subtle output differences to determine whether a record was used in training — a critical threat in healthcare, finance, and private AI inference.

Traditional defenses like static differential privacy apply a fixed noise level to all queries. Too little noise: attacks succeed. Too much noise: accuracy collapses. DynaNoise breaks this deadlock by making noise query-adaptive — high-confidence (high-risk) predictions receive more noise; uncertain (low-risk) ones are preserved. A temperature-scaled softmax re-normalizes outputs, recovering predictive utility. We also introduce MIDPUT, a scalar metric jointly quantifying privacy gains and accuracy retention across all attack types.

DynaNoise — LIVE VISUALIZATION

        Particles = model queries  ·  Red = member  ·  Gray = non-member  ·  Cyan = DynaNoise protected
      

⚡

Post-hoc & Model-Agnostic

No retraining, no architectural changes. Deploy on any pretrained model instantly.

⊕

Entropy-Driven Noise

Shannon entropy quantifies prediction confidence. Higher confidence = higher risk = more noise injected.

◈

MIDPUT Benchmark

New scalar metric averaging privacy gains minus accuracy loss across all attack types.

02 / Method

The DynaNoise Pipeline

Three lightweight stages applied entirely at inference time, adding only O(ℓ) cost per query — a single noise draw and one softmax evaluation.

Sensitivity Analysis

Compute Shannon entropy of the model's softmax output. Low entropy (high confidence) signals high membership-leakage risk. Normalize to obtain a per-query sensitivity score R(q) ∈ [0,1].

H(p) = −Σᵢ pᵢ log pᵢ R(q) = 1 − H(p) / log k

Dynamic Noise Injection

Scale Gaussian noise variance by R(q). High-risk queries receive proportionally more perturbation; low-risk queries are barely touched, preserving utility.

σ²(q) = σ₀²(1 + λ·R(q)) η ~ 𝒩(0, σ²(q)·I)

Probabilistic Smoothing

Re-normalise perturbed logits via temperature-scaled softmax. T > 1 controls distribution sharpness, balancing smoothing with discriminative power.

f̂(q) = softmax( f̃(q) / T ) T > 1

ENTROPY → NOISE VARIANCE — DynaNoise vs. Static DP (animated)

03 / Interactive Demo

Adjust Parameters, See the Effect

Simulate DynaNoise's adaptive noise injection. Drag sliders to explore how entropy drives noise magnitude and smoothing shapes the output distribution.

dynanoise_demo.py — inference-time defense simulator

Input: model prediction

Confidence 90%

Shannon entropy H(p)—

Sensitivity score R(q)—

⚠ HIGH RISK — overconfident prediction

DynaNoise parameters

Base var σ₀²0.10

Scale λ3.0

Temperature T4.0

Noise variance σ²(q)—

Output: smoothed distribution

Output entropy (after noise)—

04 / Results

Benchmarks & Comparisons

Evaluated against five defenses on CIFAR-10, ImageNet-10, and SST-2 under six membership inference attack types including the state-of-the-art LiRA.

Defense	Model Acc ↑	Confidence ↓	Loss ↓	Shadow ↓	LiRA ↓
No defense	0.7875	0.6124	0.6180	0.6387	0.6097
AdvReg	0.7573	0.5516	0.5829	0.5708	0.5836
MemGuard	0.7875	0.5948	0.6109	0.6122	0.5893
RelaxLoss	0.7890	0.5555	0.5845	0.5665	0.5905
SELENA	0.7674	0.5394	0.5173	0.5346	0.5164
HAMP	0.7422	0.5000	0.5000	0.5000	0.5000
DynaNoiseBest MIDPUT	0.7807	0.5014	0.5219	0.5053	0.5342

Defense	Model Acc ↑	Confidence ↓	Loss ↓	Shadow ↓	LiRA ↓
No defense	0.7958	0.5824	0.6003	0.5817	0.5721
AdvReg	0.7315	0.5244	0.5371	0.5426	0.5381
MemGuard	0.7958	0.5800	0.6016	0.5817	0.5721
RelaxLoss	0.7646	0.5203	0.5460	0.5416	0.5436
SELENA	0.6804	0.4952	0.5010	0.5055	0.5034
HAMP	0.6588	0.5000	0.5000	0.5000	0.5045
DynaNoiseBest MIDPUT	0.7962	0.5316	0.5944	0.5549	0.5598

Defense	Model Acc ↑	Confidence ↓	Loss ↓	Shadow ↓	LiRA ↓
No defense	0.8635	0.5162	0.5335	0.5571	0.5364
AdvReg	0.7092	0.5126	0.5037	0.5034	0.5154
MemGuard	0.8635	0.5144	0.5335	0.5266	0.5364
RelaxLoss	0.8394	0.5115	0.5125	0.5000	0.5147
SELENA	0.8805	0.5270	0.5276	0.5511	0.5234
HAMP	0.8900	0.5000	0.5000	0.5000	0.5000
DynaNoise	0.8612	0.5000	0.5014	0.5000	0.5023

Defense	CIFAR-10	ImageNet-10	SST-2
AdvReg	0.0240	−0.0240	−0.1159
MemGuard	0.0095	0.0010	0.0164
RelaxLoss	0.0559	0.0101	0.0138
SELENA	0.0732	−0.0428	0.0306
HAMP	0.0665	−0.0511	0.0708
DynaNoiseBest on 2/3	0.1035	0.0252	0.0414

MIDPUT OVERALL — higher is better

CIFAR-10 ImageNet-10 SST-2

INFERENCE OVERHEAD — DynaNoise adds only 1% vs MemGuard's 198.8×

None

AdvReg

MemGuard

RelaxLoss

SELENA

HAMP

DynaNoise

06 / Cite

BibTeX

@article{forough2026dynanoise,
  title     = {Dynamic Probabilistic Noise Injection
               for Membership Inference Defense},
  author    = {Forough, Javad and Haddadi, Hamed},
  journal   = {arXiv preprint arXiv:2505.13362},
  year      = {2026},
  institution = {Imperial College London},
}

DynaNoise

The Privacy-Utility Dilemma

The DynaNoise Pipeline

Adjust Parameters, See the Effect

Benchmarks & Comparisons

Frequently Asked Questions

Research Team

BibTeX