Fair Finetuning Mitigates Distribution Inference Attacks
Pith reviewed 2026-06-28 16:03 UTC · model grok-4.3
The pith
Fine-tuning under equalized odds on complementary distributions bounds adversarial advantage in distribution inference attacks
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Fair Fine-tuning (FFt) achieves Adv(A, M_f) ≤ Δ_EO · W with the bound proven tight, where W quantifies distinguishability of the two training distributions by their sensitive-attribute composition, and a necessary condition for reducing adversarial advantage is established.
What carries the argument
The bound Adv(A, M_f) ≤ Δ_EO · W that directly connects a model's equalized odds disparity to its advantage in the distribution inference attack game
If this is right
- The adversarial accuracy gap falls below the 0.1 detection threshold across six datasets spanning tabular, image, and text data
- Rehearsal-based FFt reduces the gap from roughly 15 percent to under 4 percent on ACS Income
- The bound supplies the first formal connection between measured equalized odds disparity and adversarial advantage in the DIA setting
Where Pith is reading between the lines
- Fairness constraints might serve as privacy tools against other distributional leakage risks
- Methods to approximate the complementary distribution could broaden applicability when direct samples are unavailable
- Similar bounds may hold for fairness notions other than equalized odds
Load-bearing premise
Samples from the complementary distribution with inverted sensitive-attribute proportions can be accessed or approximated during fine-tuning
What would settle it
A case where the adversarial advantage after applying FFt exceeds Δ_EO · W would disprove the bound
Original abstract
Machine learning models trained on sensitive data can inadvertently leak population-level information about their training distributions -- a threat known as distribution inference attack (DIA). An adversary with black-box access can infer sensitive demographic properties, such as subgroup proportions, without observing any training data directly. While defenses such as differential privacy and property unlearning have been proposed, the link between fairness constraints and distributional leakage remains unexplored. We propose Fair Fine-tuning (FFt): a trained model is fine-tuned on samples from the complementary distribution under an Equalized Odds (EO) constraint. We provide a complete theoretical characterization, proving the tight bound $\text{Adv}(\mathcal{A},M_f) \le \Delta_{\text{EO}} \cdot W$, where $W$ quantifies how distinguishable the two training distributions are by their sensitive-attribute composition. We also establish a necessary condition for FFt to reduce adversarial advantage and prove tightness of the bound. We evaluate across six datasets spanning tabular (ACS Income, COMPAS, German Credit), image (UTKFaces), and NLP (Bias in Bios) modalities. Rehearsal-based FFt consistently reduces the adversarial accuracy gap below the detection threshold $\tau = 0.1$ across all settings; on ACS Income, the gap falls from $\sim 15\%$ to under $4\%$. Our work provides the first formal bound connecting a model's measured EO disparity directly to its adversarial advantage in the DIA game, opening a new avenue for unified fairness-and-privacy defenses.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes Fair Fine-tuning (FFt), which fine-tunes a pre-trained model on samples from a complementary distribution (with inverted sensitive-attribute proportions) subject to an Equalized Odds constraint, as a defense against distribution inference attacks (DIA). It claims a complete theoretical characterization including the tight bound Adv(A, M_f) ≤ Δ_EO · W (where W measures distinguishability of the two distributions by sensitive-attribute composition), a necessary condition for FFt to reduce adversarial advantage, and a proof of tightness. Empirical evaluation on six datasets (ACS Income, COMPAS, German Credit, UTKFaces, Bias in Bios) reports that rehearsal-based FFt reduces the adversarial accuracy gap below the τ=0.1 detection threshold.
Significance. If the bound and necessary condition are rigorously derived and the sampling assumption is non-circular, the work would establish the first formal link between a model's measured EO disparity and its vulnerability to DIA, enabling unified fairness-privacy defenses. The multi-modal evaluation across tabular, image, and NLP tasks is a concrete strength.
major comments (2)
- [Abstract and §3] Abstract and §3: the claim of a 'complete theoretical characterization' together with a 'tight bound' Adv(A,M_f) ≤ Δ_EO · W and a proof of tightness is not supported by any derivation steps, intermediate lemmas, or the precise formal definition of W inside the equations; W is introduced only descriptively as a distinguishability measure.
- [§3] §3 (FFt construction): the procedure is defined as fine-tuning on samples drawn from the complementary distribution D' under an EO constraint, yet no construction, approximation, or sampling method for D' is supplied that avoids already knowing the sensitive-attribute proportions the defense is intended to protect; this assumption is load-bearing for both the method and the claimed necessary condition for advantage reduction.
minor comments (2)
- [Experiments] Experiments section: results are reported without error bars or ablation studies on the complementary-sampling assumption.
- Notation: the symbol W is used without an explicit equation defining it in terms of the distributions or the adversary's advantage.
Simulated Author's Rebuttal
We thank the referee for the detailed and constructive report. We address each major comment below and indicate planned revisions to strengthen the manuscript.
Referee: [Abstract and §3] Abstract and §3: the claim of a 'complete theoretical characterization' together with a 'tight bound' Adv(A,M_f) ≤ Δ_EO · W and a proof of tightness is not supported by any derivation steps, intermediate lemmas, or the precise formal definition of W inside the equations; W is introduced only descriptively as a distinguishability measure.
Authors: We agree that the main text would benefit from greater explicitness. The appendix contains the full proofs, including intermediate lemmas establishing the bound Adv(A, M_f) ≤ Δ_EO · W, the formal definition of W as the total variation distance between the sensitive-attribute marginals of the original and complementary distributions, and the argument for tightness. In the revision we will move the key derivation steps and the precise definition of W into Section 3. revision: yes
Referee: [§3] §3 (FFt construction): the procedure is defined as fine-tuning on samples drawn from the complementary distribution D' under an EO constraint, yet no construction, approximation, or sampling method for D' is supplied that avoids already knowing the sensitive-attribute proportions the defense is intended to protect; this assumption is load-bearing for both the method and the claimed necessary condition for advantage reduction.
Authors: The construction assumes access to auxiliary data whose sensitive-attribute proportions are known independently (e.g., public census or benchmark datasets with different demographic balances). D' is then formed by reweighting or subsampling these auxiliary samples to realize the inverted proportions; no information about the private training distribution is required. We will add an explicit sampling procedure and a short discussion of auxiliary-data sources to Section 3. revision: partial
Circularity Check
No circularity detected in derivation chain
The paper presents a theoretical bound Adv(A,M_f) ≤ Δ_EO · W as a proved characterization, with W defined externally as a distinguishability measure between training distributions based on sensitive-attribute composition. No quoted equations or steps in the abstract or description reduce this bound, the necessary condition for FFt, or any prediction to the inputs by construction. No self-definitional definitions, fitted parameters renamed as predictions, or load-bearing self-citations are exhibited. The assumption of access to a complementary distribution D' is a stated precondition of the method rather than a circular reduction within the mathematical derivation itself. The result is treated as self-contained against the provided definitions.
Axiom & Free-Parameter Ledger
axioms (2)
- domain assumption: Equalized Odds is a well-defined, enforceable constraint during fine-tuning
- domain assumption: The two training distributions differ only in sensitive-attribute composition in a quantifiable way captured by W
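A defender can evaluate the right-hand side of the bound, Δ_EO · W, from an audit set and the two sensitive-attribute marginals, taking W as the total variation distance named in the rebuttal. The sketch below is an added example, not code from the paper or from Pith; the max-over-labels form of Δ_EO, the comparison of the bound with τ, and all sample counts and marginals are assumptions constructed for illustration.

```python
from collections import Counter

TAU = 0.1  # detection threshold quoted in the abstract


def eo_disparity(records):
    """Equalized-odds gap over (y_true, group, y_pred) records with binary labels.

    Assumed definition (the page does not spell out Delta_EO): the larger of the
    TPR spread and the FPR spread across sensitive groups.
    """
    total, positive = Counter(), Counter()
    for y, a, yhat in records:
        total[(y, a)] += 1
        positive[(y, a)] += int(yhat == 1)
    groups = sorted({a for _, a in total})
    if len(groups) < 2:
        raise ValueError("need at least two sensitive groups")
    gap = 0.0
    for y in (0, 1):  # y=1 gives TPR per group, y=0 gives FPR per group
        rates = []
        for a in groups:
            if total[(y, a)] == 0:
                # An empty cell would silently hide a disparity; refuse instead.
                raise ValueError(f"no audit samples for y={y}, group={a!r}")
            rates.append(positive[(y, a)] / total[(y, a)])
        gap = max(gap, max(rates) - min(rates))
    return gap


def tv_distance(p, q):
    """Total variation distance between two discrete marginals (dict: group -> prob)."""
    for name, dist in (("p", p), ("q", q)):
        if abs(sum(dist.values()) - 1.0) > 1e-9:
            raise ValueError(f"marginal {name} does not sum to 1")
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in set(p) | set(q))


def audit(records, marginal_d, marginal_d_comp, tau=TAU):
    """Evaluate Delta_EO * W and compare it with tau.

    Comparing the bound with tau assumes the advantage and the accuracy gap
    are measured on the same scale.
    """
    delta = eo_disparity(records)
    w = tv_distance(marginal_d, marginal_d_comp)
    bound = delta * w
    return {"delta_eo": delta, "W": w, "bound": bound, "below_tau": bound < tau}


def make_records(cells):
    """Expand {(y, group): (n, n_predicted_positive)} into individual records."""
    out = []
    for (y, a), (n, n_pos) in cells.items():
        out += [(y, a, 1)] * n_pos + [(y, a, 0)] * (n - n_pos)
    return out


# Constructed audit data: per-cell counts for a model before and after fine-tuning.
BEFORE = make_records({(1, "A"): (100, 80), (1, "B"): (100, 50),
                       (0, "A"): (100, 30), (0, "B"): (100, 10)})
AFTER = make_records({(1, "A"): (100, 70), (1, "B"): (100, 65),
                      (0, "A"): (100, 20), (0, "B"): (100, 16)})
# Constructed marginals: D is 80/20, the complementary D' inverts it to 20/80.
D = {"A": 0.8, "B": 0.2}
D_COMP = {"A": 0.2, "B": 0.8}

if __name__ == "__main__":
    for name, recs in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(recs, D, D_COMP))
```

With the constructed inputs, W is 0.6, so the bound only drops under τ once Δ_EO is below roughly 0.167; a more skewed training marginal raises W and demands a tighter fairness gap.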