Robust Privacy: Inference-Time Privacy through Certified Robustness

TL;DR

This paper introduces Robust Privacy (RP), a certified inference-time privacy framework that ensures model predictions are invariant within a radius, thereby protecting sensitive input attributes and mitigating model inversion attacks.

Contribution

The paper proposes a novel inference-time privacy notion called Robust Privacy (RP) inspired by certified robustness, and develops Attribute Privacy Enhancement (APE) to extend privacy to attribute-level protection.

Findings

RP expands the inference interval for sensitive attributes.

RP significantly reduces attack success rates in model inversion attacks.

RP achieves privacy protection with minimal impact on model performance.

Abstract

Machine learning systems can produce personalized outputs that allow an adversary to infer sensitive input attributes at inference time. We introduce Robust Privacy (RP), an inference-time privacy notion inspired by certified robustness: if a model's prediction is provably invariant within a radius-$R$ neighborhood around an input $x$ (e.g., under the $\ell_2$ norm), then $x$ enjoys $R$-Robust Privacy, i.e., observing the prediction cannot distinguish $x$ from any input within distance $R$ of $x$. We further develop Attribute Privacy Enhancement (APE) to translate input-level invariance into an attribute-level privacy effect. In a controlled recommendation task where the decision depends primarily on a sensitive attribute, we show that RP expands the set of sensitive-attribute values compatible with a positive recommendation, expanding the inference interval accordingly. Finally, we empirically demonstrate that RP also mitigates model inversion attacks (MIAs) by masking fine-grained input-output dependence. Even at small noise levels ($\sigma=0.1$), RP reduces the attack success rate (ASR) from 73% to 4% with partial model performance degradation. RP can also partially mitigate MIAs (e.g., ASR drops to 44%) with no model performance degradation.