Probabilistic Dataset Reconstruction from Interpretable Models
Julien Ferry, Ulrich Aïvodji, Sébastien Gambs, Marie-José Huguet, Mohamed Siala
TL;DR
This work addresses privacy leakage when releasing interpretable models by reframing training data exposure as a probabilistic reconstruction problem. It generalizes probabilistic datasets beyond independence and uniformity to handle rule lists and other interpretable forms, introducing the Dist_G metric to quantify the remaining uncertainty in reconstructed data. The authors show how to compute Dist_G efficiently under realistic assumptions for decision trees and rule lists, and empirically compare optimal versus greedy learning strategies, finding that optimal models tend to leak less information at a given accuracy. The framework provides a principled way to measure reconstructibility, with implications for defending against membership and information-leakage attacks and for guiding the design of privacy-aware interpretable models.
Abstract
Interpretability is often pointed out as a key requirement for trustworthy machine learning. However, learning and releasing models that are inherently interpretable leaks information regarding the underlying training data. As such disclosure may directly conflict with privacy, a precise quantification of the privacy impact of such a breach is a fundamental problem. For instance, previous work has shown that the structure of a decision tree can be leveraged to build a probabilistic reconstruction of its training dataset, with the uncertainty of the reconstruction being a relevant metric for the information leak. In this paper, we propose a novel framework generalizing these probabilistic reconstructions in the sense that it can handle other forms of interpretable models and more generic types of knowledge. In addition, we demonstrate that under realistic assumptions regarding the interpretable models' structure, the uncertainty of the reconstruction can be computed efficiently. Finally, we illustrate the applicability of our approach on both decision trees and rule lists, by comparing the theoretical information leak associated with either exact or heuristic learning algorithms. Our results suggest that optimal interpretable models are often more compact and leak less information regarding their training data than greedily-built ones, for a given accuracy level.
