Inference Privacy: Properties and Mechanisms

Fengwei Tian, Ravi Tandon

TL;DR

The paper introduces Inference Privacy (IP), a framework for protecting a user's input during the inference phase: a mechanism is IP if any two inputs within radius $\alpha$ under a metric $d$ produce output distributions that are $(\epsilon,\delta)$-close, in the style of differential privacy. It shows that IP generalizes Local Differential Privacy (LDP) and develops two broad mechanism families, input perturbation and output perturbation, with concrete realizations such as Lap-Output and Gauss-Output (which calibrate noise using the model's Lipschitz constant) and Gauss-Input. The work establishes key IP properties (post-processing invariance, basic and parallel composition, and a chaining property) and shows their implications for privacy accounting. Empirical evaluations on CIFAR-10/100 with ResNet-18 and SDP-based Lipschitz layers illustrate the utility-privacy trade-offs and show when output perturbation outperforms input perturbation, informing practical deployment of inference-time privacy protections.

Abstract

Ensuring privacy during the inference stage is crucial to prevent malicious third parties from reconstructing users' private inputs from the outputs of public models. Despite a large body of literature on privacy-preserving learning (which ensures the privacy of training data), there is no existing systematic framework to ensure the privacy of users' data during inference. Motivated by this problem, we introduce the notion of Inference Privacy (IP), which allows a user to interact with a model (for instance, a classifier or an AI-assisted chatbot) while providing a rigorous privacy guarantee for the user's data at inference. We establish fundamental properties of the IP notion and contrast it with Local Differential Privacy (LDP). We then present two types of mechanisms for achieving IP, namely input perturbations and output perturbations, which are customizable by the users and allow them to navigate the trade-off between utility and privacy. We also demonstrate the usefulness of our framework via experiments and highlight the resulting trade-offs between utility and privacy during inference.

Paper Structure

This paper contains 14 sections, 7 theorems, 74 equations, 7 figures.

Key Result

Proposition 1

Let $M: \mathbb{R}^n \rightarrow \mathbb{R}^k$ be a randomized algorithm that satisfies $\{(\epsilon, \delta), \alpha\}$ IP. Let $F:\mathbb{R}^k \rightarrow \mathbb{R}^{k'}$ be an arbitrary randomized mapping. Then, $F \circ M :\mathbb{R}^n \rightarrow \mathbb{R}^{k'}$ satisfies $\{(\epsilon, \delta

Figures (7)

  • Figure 1: Illustration of Inference Privacy (IP): A mechanism satisfies IP if for any two inputs $x_a$ and $x_b$, such that $||x_a -x_b||_p \leq \alpha$, their corresponding outputs $M(x_a)$ and $M(x_b)$ have similar probability distributions. The radius $\alpha$ measures the extent of similarity, and the privacy leakage is measured by parameters $(\epsilon, \delta)$. (See Definition 2.)
  • Figure 2: The workflow of output perturbation methods: User generates a noise $N$ based on the model used for inference, and perturbs the model output before releasing it.
  • Figure 3: Experimental results on CIFAR-10 classification: natural classification accuracy for input and output perturbation methods as a function of radius $\alpha$ for a fixed $\epsilon = 1$ and a fixed $\delta = 10^{-5}$. Values reported are average of 15 tests.
  • Figure 4: Experimental results on CIFAR-10 classification: natural classification accuracy for input and output perturbation methods as a function of the privacy budget $\epsilon$ for a fixed $\alpha = 0.1$ and a fixed $\delta = 10^{-5}$. Values reported are average of 15 tests.
  • Figure 5: Experimental results on CIFAR-10 classification: natural classification accuracy for SLL models with Gauss-Output mechanism as a function of the privacy budget $\epsilon$ for different values of radius $\alpha$ and a fixed $\delta = 10^{-5}$. Values reported are average of 15 tests.
  • ...and 2 more figures
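The mechanisms named in the TL;DR and the output-perturbation workflow of Figure 2, as an added Python example that is not the paper's code. A toy two-layer ReLU network with hand-picked weights stands in for the paper's ResNet-18 and SLL models; its $\ell_2$ Lipschitz constant is bounded by the product of layer spectral norms, which is looser than the paper's SDP-based Lipschitz layers. Noise is calibrated with the classical Gaussian-mechanism formula $\sigma = \Delta\sqrt{2\ln(1.25/\delta)}/\epsilon$ (valid for $\epsilon<1$), which is an assumption about the paper's exact constants, and `basic_composition` encodes the standard DP-style sum that Proposition 2 is assumed to state. All function names, weights and inputs are constructed for this example.

```python
import math
import random

# Toy 2-layer ReLU network with hand-picked weights (constructed for this example,
# not the paper's ResNet-18 / SLL models). Each layer is a list of rows.
TOY_LAYERS = [
    [[2.0, 0.0, 0.0],
     [0.0, 1.0, 0.5]],
    [[1.5, 0.0],
     [0.0, -1.0]],
]

def matvec(W, v):
    return [sum(W[i][j] * v[j] for j in range(len(v))) for i in range(len(W))]

def l2(v):
    return math.sqrt(sum(c * c for c in v))

def spectral_norm(W, iters=200):
    """Largest singular value of W by power iteration on W^T W. Starts from the
    all-ones direction, which has a component along the top singular vector for
    these toy weights (a start orthogonal to it would not converge)."""
    n = len(W[0])
    v = [1.0 / math.sqrt(n)] * n
    for _ in range(iters):
        u = matvec(W, v)
        wt_u = [sum(W[i][j] * u[i] for i in range(len(W))) for j in range(n)]
        nrm = l2(wt_u) or 1.0
        v = [c / nrm for c in wt_u]
    return l2(matvec(W, v)) / l2(v)

def lipschitz_bound(layers):
    """Product of per-layer spectral norms bounds the l2->l2 Lipschitz constant
    (ReLU is 1-Lipschitz). Cruder than the paper's SDP-based Lipschitz layers."""
    bound = 1.0
    for W in layers:
        bound *= spectral_norm(W)
    return bound

def forward(layers, x):
    h = list(x)
    for k, W in enumerate(layers):
        h = matvec(W, h)
        if k < len(layers) - 1:
            h = [max(0.0, c) for c in h]   # ReLU on hidden layers only
    return h

def gauss_sigma(sensitivity, eps, delta):
    """Classical Gaussian mechanism: sigma = Delta*sqrt(2 ln(1.25/delta))/eps.
    Its proof needs 0 < eps < 1; the paper's own calibration may be tighter (assumption)."""
    if not (0.0 < eps < 1.0 and 0.0 < delta < 1.0):
        raise ValueError("classical calibration needs 0 < eps < 1 and 0 < delta < 1")
    return sensitivity * math.sqrt(2.0 * math.log(1.25 / delta)) / eps

def gauss_output(layers, x, alpha, eps, delta, rng):
    """Gauss-Output (Figure 2 workflow): inputs within l2 radius alpha give outputs
    within L*alpha, so Gaussian noise with sensitivity L*alpha on the output gives
    {(eps, delta), alpha} IP. Returns (noisy output, sigma)."""
    sigma = gauss_sigma(lipschitz_bound(layers) * alpha, eps, delta)
    return [c + rng.gauss(0.0, sigma) for c in forward(layers, x)], sigma

def gauss_input(layers, x, alpha, eps, delta, rng):
    """Gauss-Input: perturb x itself with sensitivity alpha, then run the model;
    post-processing (Proposition 1) keeps the guarantee. Needs no Lipschitz constant."""
    sigma = gauss_sigma(alpha, eps, delta)
    return forward(layers, [c + rng.gauss(0.0, sigma) for c in x]), sigma

def lap_output_scale(lipschitz_l2, alpha, eps, out_dim):
    """Lap-Output needs an l1 sensitivity: ||y_a-y_b||_1 <= sqrt(k)*||y_a-y_b||_2 <= sqrt(k)*L*alpha."""
    return math.sqrt(out_dim) * lipschitz_l2 * alpha / eps

def basic_composition(params):
    """Assumed form of Proposition 2: k independent {(eps_i, delta_i), alpha_i} IP
    releases of the same input are {(sum eps_i, sum delta_i), min alpha_i} IP; the min
    holds because IP at radius alpha implies IP at every smaller radius."""
    return (sum(p[0] for p in params), sum(p[1] for p in params), min(p[2] for p in params))

def output_gap(layers, x_a, x_b):
    """l2 distance between the clean outputs; must be <= L * ||x_a - x_b||_2."""
    return l2([a - b for a, b in zip(forward(layers, x_a), forward(layers, x_b))])

def demo(alpha=0.1, eps=0.5, delta=1e-5, seed=0):
    rng = random.Random(seed)            # fixed seed so the run is reproducible
    x_a = [1.0, 1.0, 1.0]
    x_b = [1.1, 1.0, 1.0]                # exactly alpha away from x_a in l2
    y_out, s_out = gauss_output(TOY_LAYERS, x_a, alpha, eps, delta, rng)
    y_in, s_in = gauss_input(TOY_LAYERS, x_a, alpha, eps, delta, rng)
    return {
        "lipschitz": lipschitz_bound(TOY_LAYERS),
        "gap": output_gap(TOY_LAYERS, x_a, x_b),
        "sigma_output": s_out,
        "sigma_input": s_in,
        "noisy_output": y_out,
        "noisy_input_path": y_in,
    }

if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

With the defaults $\alpha = 0.1$, $\epsilon = 0.5$, $\delta = 10^{-5}$, `demo()` shows the two inputs at distance $\alpha$ producing clean outputs exactly $L\alpha = 0.3$ apart, and Gauss-Output's $\sigma$ being $L$ times Gauss-Input's: the output mechanism pays for the model's worst-case sensitivity explicitly, whereas input noise is carried through whatever the model actually does locally, which is why a loose Lipschitz bound penalises output perturbation.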

Theorems & Definitions (25)

  • Definition 1: Pure $\{\epsilon, \alpha\}$ Inference Privacy
  • Definition 2: Approximate $\{(\epsilon, \delta),\alpha\}$ Inference Privacy
  • Remark 1: Comparison with Local Differential Privacy
  • Remark 2: Selection of Metric
  • Remark 3: Comparison with Metric Differential Privacy
  • Proposition 1: Post-Processing Property of IP Mechanisms
  • Remark 4: Limitation of Post-Processing Property
  • Proposition 2: Basic Composition of Independent IP Mechanisms
  • Remark 5: Limitation of Basic Composition
  • Proposition 3: Parallel Composition of Independent IP Mechanisms
  • ...and 15 more