PRIVET: Privacy Metric Based on Extreme Value Theory

Antoine Szatkownik, Aurélien Decelle, Beatriz Seoane, Nicolas Bereux, Léo Planche, Guillaume Charpiat, Burak Yelmen, Flora Jay, Cyril Furtlehner

TL;DR

This work introduces PRIVET, an EVT-based privacy metric that uses the tails of nearest-neighbor distance distributions to detect memorization and privacy leakage in synthetic data. By fitting either Weibull or Gumbel tail models to NN distances and computing sample-level scores $\Delta\pi_r$ via $P_{N,M}(u,r)$, PRIVET provides interpretable per-sample leak flags and global leakage indices such as $NPL$. The authors validate PRIVET on genetic SNP data and image data, showing robust detection of leakage across high-dimensional and low-sample regimes and under various transformations, with favorable comparisons to existing dataset- and sample-level metrics. The method is modular, scalable, and domain-agnostic, enabling practical privacy auditing of synthetic data in biomedical and computer-vision contexts. Overall, PRIVET advances privacy evaluation by delivering both fine-grained (sample-level) and coarse-grained (dataset-level) assessments grounded in extreme value theory.

Abstract

Deep generative models are often trained on sensitive data, such as genetic sequences, health data, or more broadly, any copyrighted, licensed or protected content. This raises critical concerns around privacy-preserving synthetic data, and more specifically around privacy leakage, an issue closely tied to overfitting. Existing methods almost exclusively rely on global criteria to estimate the risk of privacy failure associated with a model, offering only quantitative, non-interpretable insights. The absence of rigorous evaluation methods for data privacy at the sample level may hinder the practical deployment of synthetic data in real-world applications. Using extreme value statistics on nearest-neighbor distances, we propose PRIVET, a generic sample-based, modality-agnostic algorithm that assigns an individual privacy leak score to each synthetic sample. We empirically demonstrate that PRIVET reliably detects instances of memorization and privacy leakage across diverse data modalities, including settings with very high dimensionality, limited sample sizes such as genetic data, and even under underfitting regimes. We compare our method to existing approaches under controlled settings and show its advantage in providing both dataset-level and sample-level assessments through qualitative and quantitative outputs. Additionally, our analysis reveals limitations in existing computer vision embeddings to yield perceptually meaningful distances when identifying near-duplicate samples.

Paper Structure

This paper contains 40 sections, 36 equations, 15 figures, 3 tables, 1 algorithm.

Figures (15)

  • Figure 1: Empirical cumulative distribution functions (eCDFs) of nearest-neighbor distances allow for distinction of generative scenarios. $d_{TrTr}^*$, $d_{STr}^*$, and $d_{STe}^*$ denote the distributions of nearest-neighbor distances from train to train, synthetic to train, and synthetic to test, respectively. We plot the eCDF for each of these distributions and fit the tail of $d_{TrTr}^*$ with an extreme value distribution, either Weibull or Gumbel (dark green dashed line). The x- and y-axes represent the distances and the eCDF, respectively, and are both shown on a $\log_{10}$ scale. When the eCDFs of $d_{STr}^*$ and $d_{STe}^*$ are below the eCDF of $d_{TrTr}^*$, i.e. synthetic-to-train and synthetic-to-test nearest-neighbor distances are higher than train-to-train nearest-neighbor distances, we are in the underfitting case. When all eCDFs are aligned, synthetic samples are indistinguishable from training and test samples. When the eCDF of $d_{STr}^*$ is inflated with respect to $d_{TrTr}^*$ and $d_{STe}^*$, i.e. distances in $d_{STr}^*$ are lower, we are in the overfitting case. Privacy leaks are detected by measuring the deviation between $d_{STr}^*$ and $d_{STe}^*$, which may occur in both the overfitting and underfitting regimes.
  • Figure 2: Global and local privacy scores for 65,535 SNPs and 1,668 samples. Global: From top left to bottom right—number of privacy leaks (NPL) from PRIVET, generalization gaps of $\mathcal{AATS}$, FLD, and PQMass, In-Authenticity score, and $C_T$, plotted over $f_{\rm fake}$ vs. $f_{\rm copy}$. Color indicates metric values; for FLD, the overfit level defines the contour above which overfitting is detected. Local: Precision (top) and recall (bottom) are reported for local privacy metrics.
  • Figure 3: Copycat experiment. Several computer vision transformations (posterize, center crop 28, JPG 75, Elastic transform) are applied on CIFAR10 synthetic and training samples to generate a pseudo-synthetic dataset. x-axis represents the fraction of synthetic samples replaced with training ones; y-axis reports the value of the corresponding metric. For PRIVET and In-Authenticity, we report the percentage of identified privacy leaks. For Gen. gap (FLD) and $C_T$, overfitting is detected when the metric falls below the horizontal dashed line, whereas for Gen. gap (PQMass), overfitting is indicated when the metric exceeds the threshold. The top row presents results using DINOv2 (ViT-B/14 distilled without registers) embeddings of CIFAR10, while the bottom row shows results using wavelet packet coefficient space (symlet5, level=3). PQMass results are omitted for several transformations due to divergence, and are not shown for wavelet embeddings due to the high dimensionality, which caused excessive CPU time or memory limitations on GPU.
  • Figure 4: Membership attack. The reference data is created by merging the train and validation sets. The goal is to identify the training samples among the overall database. If the generative model memorizes only a subset of the training data, the true recall reflects the actual proportion of training samples that have been memorized. Pseudo-synthetic data. Precision-Recall curve of the membership attack for pseudo-synthetic genetic data. Train, validation and synthetic sets have 1668 samples each. 30% of synthetics are leaked, with 10%, 20% and 30% of SNPs copied from train. Vertical black dashed bar corresponds to true recall equal to 30%. Red dashed curve corresponds to an ideal classifier, making random predictions once all memorized samples have been identified. RBM generated data. Precision-Recall curves for synthetic data generated at different RBM training stages exhibit distinct regimes: RBM1 and RBM3 show underfitting, RBM7 aligns with the train–train distribution, and RBM12 indicates overfitting. For RBM12, we generated either 10K or 100K synthetic samples to improve the lower bound of the observed recall.
  • Figure 5: Meta-analysis across datasets and modalities. A. Goodness-of-Fit diagnostics. B. Consistency of fit between equivalent partitions.
  • ...and 10 more figures
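
The diagnostic described in the Figure 1 caption, as an added Python sketch (not the authors' code, and not PRIVET's actual $\Delta\pi_r$ score): a log-log least-squares fit of the lower tail of train-to-train nearest-neighbor distances stands in for the Weibull/Gumbel fit, synthetic samples whose distance to the training set is improbably small under that fit are flagged, and the synthetic-to-test distances give the baseline. All function names, `alpha`, `m` and the Gaussian sample data are assumptions constructed for illustration.

```python
import math
import random

def nn_dist(queries, refs, skip_self=False):
    """Euclidean distance from each query to its nearest reference point."""
    return [min(math.dist(q, r) for j, r in enumerate(refs)
                if not (skip_self and i == j))
            for i, q in enumerate(queries)]

def fit_lower_tail(d_trtr, m=20):
    """Least-squares fit of log eCDF = a + k*log d on the m smallest distances.
    For small d a Weibull CDF behaves like (d/scale)**k, a line in log-log."""
    xs = [math.log(d) for d in sorted(d_trtr)[:m]]
    ys = [math.log((i + 1) / len(d_trtr)) for i in range(m)]
    mx, my = sum(xs) / m, sum(ys) / m
    k = (sum((x - mx) * (y - my) for x, y in zip(xs, ys))
         / sum((x - mx) ** 2 for x in xs))
    return my - k * mx, k

def tail_prob(d, a, k):
    """Fitted probability that a train-to-train NN distance is <= d."""
    return min(1.0, math.exp(a + k * math.log(max(d, 1e-12))))  # d == 0: exact copy

def audit(train, test, synth, alpha=0.02):
    """Return (indices of flagged synthetic samples, excess flag rate vs. test)."""
    a, k = fit_lower_tail(nn_dist(train, train, skip_self=True))
    p_tr = [tail_prob(d, a, k) for d in nn_dist(synth, train)]
    p_te = [tail_prob(d, a, k) for d in nn_dist(synth, test)]
    flagged = [i for i, p in enumerate(p_tr) if p < alpha]
    baseline = sum(p < alpha for p in p_te)  # same rule against held-out data
    return flagged, (len(flagged) - baseline) / len(synth)

def make_data(n_copy, seed=0, n=200, n_synth=100, dim=8):
    """Constructed data: the first n_copy synthetic points are noisy training copies."""
    rng = random.Random(seed)
    point = lambda: [rng.gauss(0, 1) for _ in range(dim)]
    train, test = [point() for _ in range(n)], [point() for _ in range(n)]
    synth = [[x + rng.gauss(0, 0.01) for x in train[i]] for i in range(n_copy)]
    synth += [point() for _ in range(n_synth - n_copy)]
    return train, test, synth

if __name__ == "__main__":
    flagged, excess = audit(*make_data(n_copy=20))
    print(len(flagged), "flagged; excess fraction vs. test baseline:", round(excess, 2))
```

The per-sample list plays the role of the sample-level flags and the excess rate that of a dataset-level index; a real audit would use equally sized train and test references, as here, so the two nearest-neighbor distributions are comparable.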