Skip to main content

4 docs tagged with "inference attacks"

View all tags

Model inversion & attribute inference: with queries and confidence, an attacker can rebuild what a training sample 'looks like' — or infer your sensitive attributes

In one sentence model inversion — using repeated queries + the confidence I emit to rebuild what a class's training sample "looks like" (Fredrikson et al. at CCS 2015 reconstructed recognizable faces from a face-recognition model); and attribute inference — given a person's partial known info + me, inferring their undisclosed sensitive attribute (Fredrikson et al.'s 2014 warfarin-dosing case). Conclusion first: confidence / probability outputs are the fuel, and attribute inference also borrows population-statistics correlations — don't assume "didn't send raw data out" is safe; look at output granularity, whether DP is stacked, and whether a class maps to a single individual.

Multimodal geolocation inference: from a seemingly ordinary photo, I can guess where you took it

In one sentence precise street-level accuracy is still limited today — in peer-reviewed numbers, even a purpose-built fine-tuned + chain-of-thought framework only hits about 28.7% within the 1km threshold (ETHAN, PoPETs 2025). So the threat isn't "I can pinpoint every photo"; it's that this capability is already deployed at scale and improving fast. Conclusion first: treating "I stripped the EXIF, so it's safe" as a talisman is false security — the location cues live in the image content itself, so defense has to land on notice-and-restraint before upload, not just on stripping metadata.