Robust Privacy: Inference-Stage Privacy through Certified Robustness

Researchers introduce Robust Privacy (RP), an inference-stage privacy framework that leverages certified robustness principles to prevent adversaries from inferring sensitive attributes or reconstructing training data from model predictions. The approach significantly outperforms differential privacy methods, reducing model inversion attack success rates from 73% to 4% while maintaining 98.4% accuracy, though it remains vulnerable to function-level extraction through model distillation.

Robust Privacy addresses a critical but often-overlooked vulnerability in machine learning systems: the inference interface itself acts as a privacy leakage channel. Traditional privacy defenses focus on training-stage protections like differential privacy, but this research demonstrates that prediction outputs can expose sensitive information about inputs or training data through side channels. The RP framework adapts certified robustness concepts—traditionally used for adversarial robustness—to the privacy domain, creating a provable guarantee that predictions remain invariant within a neighborhood around an input.

The research reveals fundamental limitations in existing privacy approaches. Differential privacy (DP-SGD) requires severe accuracy sacrifices to achieve comparable privacy levels, dropping to 61.7% accuracy to match RP's 21% model inversion attack success rate while RP maintains 98.4% accuracy. This efficiency gap emerges because RP directly targets the leakage mechanism itself rather than adding noise throughout training. The framework introduces Robust Attribute Privacy (RAP), which formalizes the set of sensitive attributes compatible with released predictions, effectively quantifying privacy leakage at the attribute level.

For the AI and machine learning community, this work has substantial implications. It establishes that inference-stage defenses merit equal attention to training-stage protections, potentially shifting how practitioners approach privacy-utility tradeoffs. Organizations deploying classification systems handling sensitive attributes—healthcare, finance, identity verification—could benefit from implementing RP mechanisms. However, the acknowledged limitation regarding model distillation attacks suggests defenders cannot achieve comprehensive protection through inference-stage interventions alone, necessitating complementary safeguards. This research likely stimulates further investigation into the relationship between robustness and privacy, potentially opening new research directions in certified defenses.

• →Robust Privacy reduces model inversion attack success rates from 73% to 4% while maintaining 98.4% accuracy, substantially outperforming differential privacy approaches.
• →The framework directly targets inference-interface leakage rather than training-stage noise injection, enabling better privacy-utility tradeoffs.
• →Robust Attribute Privacy expands inference-compatible attributes from median 23.50 to 29.96, demonstrating measurable attribute-level privacy improvements.
• →Model distillation remains a vulnerability, as RP provides no protection against function-level extraction attacks.
• →Increasing smoothing sample size simultaneously strengthens privacy and improves utility, eliminating traditional accuracy-privacy tradeoff constraints.