Adaptive Attribute Inference Attack: Exploiting Privacy Risks Under Adversarial Perturbations
摘要
Machine learning models deployed in sensitive applications face two commonly studied but rarely unified risks: adversarial vulnerability and attribute privacy leakage. A widely held intuition suggests that adversarial perturbations and adversarial training, by degrading utility or distorting confidence scores, may incidentally suppress attribute inference attacks. In this paper, we show that this assumption is misleading. We introduce an Adaptive Attribute Inference Attack (AAIA) framework tailored to adversarial environments, which quantifies privacy risk under distribution shifts induced by adversarial perturbations. AAIA has two stages: Adaptive Shadow Model Attack (ASMA), which learns the adversarial output distribution to estimate the worst-case privacy risk ceiling via non-linear score mappings, and Adaptive Thresholding Attack (ATA), which diagnoses leakage severity by optimizing the inference threshold based on calibration data. Using AAIA, we uncover a counter-intuitive phenomenon termed Inverted Leakage, where adversarial perturbations induce a deterministic probability inversion and the prediction outputs systematically flip relative to the true attribute labels. Experimental results demonstrate that adversarial robustness changes the form of attribute leakage rather than eliminating it, underscoring the need for defenses that explicitly decouple sensitive attributes from robust representations.