Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

On the Vulnerability of Text Sanitization

Meng Tong, Kejiang Chen, Xiaojian Yuan, Jiayang Liu, Weiming Zhang, Nenghai Yu, Jie Zhang

TL;DR

The paper tackles privacy leakage in DP-based text sanitization and the inadequacy of existing empirical reconstruction attacks for evaluating protection. It introduces theoretically optimal reconstruction attacks—context-free and contextual—along with ASR bounds to benchmark sanitization, and two practical Bayesian attacks that approximate these bounds using shadow data. Experiments across SST-2, AGNEWS, QNLI, and Yelp show these attacks outperform baselines, with the Contextual Bayesian Attack achieving up to a 46.4% ASR improvement at ϵ=4.0 on SST-2. These results provide a rigorous framework for evaluating privacy in text sanitization and highlight that DP-based sanitization can be more vulnerable than previously thought, while noting limitations such as the incomplete tight contextual bound and runtime considerations.

Abstract

Text sanitization, which employs differential privacy to replace sensitive tokens with new ones, represents a significant technique for privacy protection. Typically, its performance in preserving privacy is evaluated by measuring the attack success rate (ASR) of reconstruction attacks, where attackers attempt to recover the original tokens from the sanitized ones. However, current reconstruction attacks on text sanitization are developed empirically, making it challenging to accurately assess the effectiveness of sanitization. In this paper, we aim to provide a more accurate evaluation of sanitization effectiveness. Inspired by the works of Palamidessi et al., we implement theoretically optimal reconstruction attacks targeting text sanitization. We derive their bounds on ASR as benchmarks for evaluating sanitization performance. For real-world applications, we propose two practical reconstruction attacks based on these theoretical findings. Our experimental results underscore the necessity of reassessing these overlooked risks. Notably, one of our attacks achieves a 46.4% improvement in ASR over the state-of-the-art baseline, with a privacy budget of epsilon=4.0 on the SST-2 dataset. Our code is available at: https://github.com/mengtong0110/On-the-Vulnerability-of-Text-Sanitization.

On the Vulnerability of Text Sanitization

TL;DR

The paper tackles privacy leakage in DP-based text sanitization and the inadequacy of existing empirical reconstruction attacks for evaluating protection. It introduces theoretically optimal reconstruction attacks—context-free and contextual—along with ASR bounds to benchmark sanitization, and two practical Bayesian attacks that approximate these bounds using shadow data. Experiments across SST-2, AGNEWS, QNLI, and Yelp show these attacks outperform baselines, with the Contextual Bayesian Attack achieving up to a 46.4% ASR improvement at ϵ=4.0 on SST-2. These results provide a rigorous framework for evaluating privacy in text sanitization and highlight that DP-based sanitization can be more vulnerable than previously thought, while noting limitations such as the incomplete tight contextual bound and runtime considerations.

Abstract

Text sanitization, which employs differential privacy to replace sensitive tokens with new ones, represents a significant technique for privacy protection. Typically, its performance in preserving privacy is evaluated by measuring the attack success rate (ASR) of reconstruction attacks, where attackers attempt to recover the original tokens from the sanitized ones. However, current reconstruction attacks on text sanitization are developed empirically, making it challenging to accurately assess the effectiveness of sanitization. In this paper, we aim to provide a more accurate evaluation of sanitization effectiveness. Inspired by the works of Palamidessi et al., we implement theoretically optimal reconstruction attacks targeting text sanitization. We derive their bounds on ASR as benchmarks for evaluating sanitization performance. For real-world applications, we propose two practical reconstruction attacks based on these theoretical findings. Our experimental results underscore the necessity of reassessing these overlooked risks. Notably, one of our attacks achieves a 46.4% improvement in ASR over the state-of-the-art baseline, with a privacy budget of epsilon=4.0 on the SST-2 dataset. Our code is available at: https://github.com/mengtong0110/On-the-Vulnerability-of-Text-Sanitization.

Paper Structure

This paper contains 28 sections, 18 equations, 8 figures, 4 tables.

Table of Contents

  1. Introduction
  2. Preliminaries and Related Work
  3. Theoretically Optimal Reconstruction Attacks
  4. Threat Model for Theoretical Attacks
  5. Warm-up: Context-free Optimal Reconstruction Attack
  6. Advanced: Contextual Optimal Reconstruction Attack
  7. Practical Implementations of Theorems
  8. Threat Model for Practical Attacks
  9. Context-free Bayesian Attack (based on Theorem 1)
  10. Contextual Bayesian Attack (based on Theorem 2)
  11. Experiments
  12. Experimental Setup
  13. Performance of Reconstruction Attacks
  14. Reconstructing PII Tokens
  15. Time Cost and Parameter Influence
  16. ...and 13 more sections

Figures (8)

  • Figure 1: The illustration of reconstruction attacks.
  • Figure 2: ASR of Context-free Bayesian Attack using various constants instead of $\alpha^{-1}$ on SST-2 dataset.
  • Figure 3: Classification accuracy of detector $h$ in Contextual Bayesian Attack with CUSTEXT+.
  • Figure 4: ASR of reconstructing sensitive tokens against CUSTEXT+ and SANTEXT+ with $K=10$.
  • Figure 5: ASR of reconstructing PII tokens.
  • ...and 3 more figures

Theorems & Definitions (4)

  • Definition 1: Context-free ASR Bound
  • Definition 2: Contextual K-ASR Bound
  • proof : Proof of Theorem 1
  • proof : Proof of Theorem 2