Towards Better Attribute Inference Vulnerability Measures

• URL: http://arxiv.org/abs/2507.01710v1
• Date: Wed, 02 Jul 2025 13:41:08 GMT
• Title: Towards Better Attribute Inference Vulnerability Measures
• Authors: Paul Francis, David Wagner,
• Abstract summary: This paper presents the design and implementation of an attribute inference measure that incorporates both precision and recall.<n>In experiments using a generic best row match attack on moderately-anonymized microdata, we show that our approach correctly labeled the attack to be at risk.
• Score: 1.3159777131162964
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: The purpose of anonymizing structured data is to protect the privacy of individuals in the data while retaining the statistical properties of the data. An important class of attack on anonymized data is attribute inference, where an attacker infers the value of an unknown attribute of a target individual given knowledge of one or more known attributes. A major limitation of recent attribute inference measures is that they do not take recall into account, only precision. It is often the case that attacks target only a fraction of individuals, for instance data outliers. Incorporating recall, however, substantially complicates the measure, because one must determine how to combine recall and precision in a composite measure for both the attack and baseline. This paper presents the design and implementation of an attribute inference measure that incorporates both precision and recall. Our design also improves on how the baseline attribute inference is computed. In experiments using a generic best row match attack on moderately-anonymized microdata, we show that in over 25\% of the attacks, our approach correctly labeled the attack to be at risk while the prior approach incorrectly labeled the attack to be safe.

Related papers

• Disparate Privacy Vulnerability: Targeted Attribute Inference Attacks and Defenses [1.740992908651449]
  A potential threat arises from an adversary querying trained models using the public, non-sensitive attributes of entities in the training data.<n>We develop a novel inference attack called the disparity inference attack, which targets the identification of high-risk groups within the dataset.<n>We are also the first to introduce a novel and effective disparity mitigation technique that simultaneously preserves model performance and prevents any risk of targeted attacks.
  arXiv  Detail & Related papers  (2025-04-05T02:58:37Z)
• Pseudo-Probability Unlearning: Towards Efficient and Privacy-Preserving Machine Unlearning [59.29849532966454]
  We propose PseudoProbability Unlearning (PPU), a novel method that enables models to forget data to adhere to privacy-preserving manner. Our method achieves over 20% improvements in forgetting error compared to the state-of-the-art.
  arXiv  Detail & Related papers  (2024-11-04T21:27:06Z)
• Robust Federated Learning Mitigates Client-side Training Data Distribution Inference Attacks [48.70867241987739]
  InferGuard is a novel Byzantine-robust aggregation rule aimed at defending against client-side training data distribution inference attacks. The results of our experiments indicate that our defense mechanism is highly effective in protecting against client-side training data distribution inference attacks.
  arXiv  Detail & Related papers  (2024-03-05T17:41:35Z)
• Learning to Unlearn: Instance-wise Unlearning for Pre-trained Classifiers [71.70205894168039]
  We consider instance-wise unlearning, of which the goal is to delete information on a set of instances from a pre-trained model. We propose two methods that reduce forgetting on the remaining data: 1) utilizing adversarial examples to overcome forgetting at the representation-level and 2) leveraging weight importance metrics to pinpoint network parameters guilty of propagating unwanted information.
  arXiv  Detail & Related papers  (2023-01-27T07:53:50Z)
• A Linear Reconstruction Approach for Attribute Inference Attacks against Synthetic Data [1.5293427903448022]
  We introduce a new attribute inference attack against synthetic data. We show that our attack can be highly accurate even on arbitrary records. We then evaluate the tradeoff between protecting privacy and preserving statistical utility.
  arXiv  Detail & Related papers  (2023-01-24T14:56:36Z)
• Purifier: Defending Data Inference Attacks via Transforming Confidence Scores [27.330482508047428]
  We propose a method, namely PURIFIER, to defend against membership inference attacks. Experiments show that PURIFIER helps defend membership inference attacks with high effectiveness and efficiency. PURIFIER is also effective in defending adversarial model inversion attacks and attribute inference attacks.
  arXiv  Detail & Related papers  (2022-12-01T16:09:50Z)
• On the Alignment of Group Fairness with Attribute Privacy [1.6574413179773757]
  Group fairness and privacy are fundamental aspects in designing trustworthy machine learning models. We are the first to demonstrate the alignment of group fairness with the specific privacy notion of attribute privacy in a blackbox setting.
  arXiv  Detail & Related papers  (2022-11-18T13:00:34Z)
• Are Attribute Inference Attacks Just Imputation? [12.56413718364189]
  In an attribute inference attack, an adversary has partial knowledge of some training records and access to a model trained on those records. We show that proposed defenses such as differentially private training and removing vulnerable records from training do not mitigate this privacy risk.
  arXiv  Detail & Related papers  (2022-09-02T23:13:36Z)
• On Trace of PGD-Like Adversarial Attacks [77.75152218980605]
  Adversarial attacks pose safety and security concerns for deep learning applications. We construct Adrial Response Characteristics (ARC) features to reflect the model's gradient consistency. Our method is intuitive, light-weighted, non-intrusive, and data-undemanding.
  arXiv  Detail & Related papers  (2022-05-19T14:26:50Z)
• Truth Serum: Poisoning Machine Learning Models to Reveal Their Secrets [53.866927712193416]
  We show that an adversary who can poison a training dataset can cause models trained on this dataset to leak private details belonging to other parties. Our attacks are effective across membership inference, attribute inference, and data extraction. Our results cast doubts on the relevance of cryptographic privacy guarantees in multiparty protocols for machine learning.
  arXiv  Detail & Related papers  (2022-03-31T18:06:28Z)
• Black-box Model Inversion Attribute Inference Attacks on Classification Models [32.757792981935815]
  We focus on one kind of model inversion attacks, where the adversary knows non-sensitive attributes about instances in the training data. We devise two novel model inversion attribute inference attacks -- confidence modeling-based attack and confidence score-based attack. We evaluate our attacks on two types of machine learning models, decision tree and deep neural network, trained with two real datasets.
  arXiv  Detail & Related papers  (2020-12-07T01:14:19Z)
• Label-Only Membership Inference Attacks [67.46072950620247]
  We introduce label-only membership inference attacks. Our attacks evaluate the robustness of a model's predicted labels under perturbations. We find that training models with differential privacy and (strong) L2 regularization are the only known defense strategies.
  arXiv  Detail & Related papers  (2020-07-28T15:44:31Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.