{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,4]],"date-time":"2026-05-04T10:58:41Z","timestamp":1777892321620,"version":"3.51.4"},"reference-count":70,"publisher":"IEEE","license":[{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-009"},{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-001"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2022,5]]},"DOI":"10.1109\/sp46214.2022.9833677","type":"proceedings-article","created":{"date-parts":[[2022,7,27]],"date-time":"2022-07-27T19:28:05Z","timestamp":1658950085000},"page":"1138-1156","source":"Crossref","is-referenced-by-count":66,"title":["Reconstructing Training Data with Informed Adversaries"],"prefix":"10.1109","author":[{"given":"Borja","family":"Balle","sequence":"first","affiliation":[{"name":"DeepMind"}]},{"given":"Giovanni","family":"Cherubin","sequence":"additional","affiliation":[{"name":"Microsoft Research"}]},{"given":"Jamie","family":"Hayes","sequence":"additional","affiliation":[{"name":"DeepMind"}]}],"member":"263","reference":[{"key":"ref57","article-title":"Hypothesis testing interpretations and renyi differential privacy","author":"balle","year":"2020","journal-title":"International Conference on Artificial Intelligence and Statistics (AISTATS)"},{"key":"ref13","article-title":"Formalizing and estimating distribution inference risks","author":"suri","year":"2021","journal-title":"arXiv 2109 06024"},{"key":"ref56","article-title":"The composition theorem for differential privacy","author":"kairouz","year":"2015","journal-title":"International Conference on Machine Learning (ICML)"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243834"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1145\/1250790.1250804"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978318"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1145\/773153.773173"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00069"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1145\/1655188.1655192"},{"key":"ref52","article-title":"Differential privacy with partial knowledge","author":"desfontaines","year":"2019","journal-title":"arXiv 1905 00650"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1198\/jasa.2009.tm08651"},{"key":"ref11","article-title":"Privacy in pharmacogenetics: An endto-end case study of personalized warfarin dosing","author":"fredrikson","year":"2014","journal-title":"USENIX Security Symposium"},{"key":"ref10","article-title":"Deep leakage from gradients","author":"zhu","year":"2019","journal-title":"Conference on Neural Information Processing Systems (NeurIPS)"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2011.18"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2018.00027"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813677"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23119"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00033"},{"key":"ref51","article-title":"Coupledworlds privacy: Exploiting adversarial uncertainty in statistical data privacy","author":"bassily","year":"2013","journal-title":"IEEE Symposium on Foundations of Computer Science (FOCS)"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-25385-0_12"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1145\/2514689"},{"key":"ref45","author":"mcsherry","year":"2021","journal-title":"I suspect the ”Discovery” had a different feel for the various involved people I personally spent a lot of time trying to remove explicit to adversaries and assumptions about them"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.29012\/jpc.v6i1.634"},{"key":"ref47","article-title":"Inferential privacy guarantees for differentially private mechanisms","author":"ghosh","year":"2017","journal-title":"Innovations in Theoretical Computer Science Conference (ITCS)"},{"key":"ref42","article-title":"Scalable private learning with PATE","author":"papernot","year":"2018","journal-title":"International Conference on Learning Representations (ICLR)"},{"key":"ref41","article-title":"Protection against reconstruction and its applications in private federated learning","author":"bhowmick","year":"2018","journal-title":"arXiv 1812 00984"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1145\/1065167.1065184"},{"key":"ref43","article-title":"Rényi differential privacy of the sampled gaussian mechanism","author":"mironov","year":"2019","journal-title":"arXiv 1908 10530"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1145\/1645953.1646160"},{"key":"ref8","article-title":"Extracting training data from large language models","author":"carlini","year":"2021","journal-title":"USENIX Security Symposium"},{"key":"ref7","article-title":"The secret sharer: Evaluating and testing unintended memorization in neural networks","author":"carlini","year":"2019","journal-title":"USENIX Security Symposium"},{"key":"ref9","article-title":"Communication-efficient learning of deep networks from decentralized data","author":"mcmahan","year":"2017","journal-title":"International Conference on Artificial Intelligence and Statistics (AISTATS)"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1145\/3406325.3451131"},{"key":"ref3","article-title":"What neural networks memorize and why: Discovering the long tail via influence estimation","author":"feldman","year":"2020","journal-title":"Conference on Neural Information Processing Systems (NeurIPS)"},{"key":"ref6","article-title":"Calibrating noise to sensitivity in private data analysis","author":"dwork","year":"2006","journal-title":"Proceedings of Theoretical Cryptography Conference (TCC)"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.41"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-53641-4_24"},{"key":"ref35","article-title":"Visualizing the loss landscape of neural nets","author":"li","year":"2018","journal-title":"Conference on Neural Information Processing Systems (NeurIPS)"},{"key":"ref34","article-title":"Exploring the limits of out-of-distribution detection","author":"fort","year":"2021","journal-title":"arXiv 2106 03004"},{"key":"ref37","article-title":"Auditing differentially private machine learning: How private is private sgd?","author":"jagielski","year":"2020","journal-title":"Advances in neural information processing systems"},{"key":"ref36","author":"hennigan","year":"2020","journal-title":"Haiku Sonnet for JAX"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2017.304"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.632"},{"key":"ref33","article-title":"Wide residual networks","author":"zagoruyko","year":"2016","journal-title":"British Machine Vision Conference (BMVC)"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1109\/5.726791"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1145\/3357713.3384290"},{"key":"ref1","article-title":"Understanding deep learning requires rethinking generalization","author":"zhang","year":"2017","journal-title":"International Conference on Learning Representations (ICLR)"},{"key":"ref39","article-title":"Rényi differential privacy","author":"mironov","year":"2017","journal-title":"IEEE Computer Security Foundations Symposium (CSF)"},{"key":"ref38","article-title":"Our data, ourselves: Privacy via distributed noise generation","author":"dwork","year":"2006","journal-title":"International Conference on the Theory and Application of Cryptographic Techniques (EUROCRYPT)"},{"key":"ref70","year":"2022","journal-title":"JAX activations"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.1002\/rsa.10073"},{"key":"ref24","article-title":"User label leakage from gradients in federated learning","author":"wainakh","year":"2021","journal-title":"arXiv 2105 09369"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1007\/978-0-387-34675-5"},{"key":"ref23","article-title":"Inverting gradients - how easy is it to break privacy in federated learning?","author":"geiping","year":"2020","journal-title":"Conference on Neural Information Processing Systems (NeurIPS)"},{"key":"ref26","article-title":"Updates-leak: Data set inference and reconstruction attacks in online learning","author":"salem","year":"2020","journal-title":"USENIX Security Symposium"},{"key":"ref69","author":"johnson","year":"2020","journal-title":"add gpu determinism note"},{"key":"ref25","article-title":"Analyzing information leakage of updates to natural language models","author":"b\u00e9guelin","year":"2020","journal-title":"ACM Conference on Computer and Communications Security (CCS)"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-96131-6"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00065"},{"key":"ref63","article-title":"On the foundations of quantitative information flow","author":"smith","year":"2009","journal-title":"International Conference on Foundations of Software Science and Computation Structure"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833677"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/INFOCOM.2019.8737416"},{"key":"ref65","doi-asserted-by":"crossref","DOI":"10.1007\/978-3-319-06880-0_16","article-title":"Generalized differential privacy: Regions of priors that admit robust optimal mechanisms","author":"elsalamouny","year":"2014","journal-title":"Horizons of the Mind A Tribute to Prakash Panangaden - Essays Dedicated to Prakash Panangaden on the Occasion of His 60th Birthday"},{"key":"ref21","author":"radford","year":"2019","journal-title":"Language Models are Unsupervised Multitask Learners"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1093\/biomet\/63.1.27"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1201\/9780203753736"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00068"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1146\/annurev-statistics-060116-054123"},{"key":"ref62","author":"cohen","year":"2020","journal-title":"Reconstruction attacks in practice"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.29012\/jpc.711"}],"event":{"name":"2022 IEEE Symposium on Security and Privacy (SP)","location":"San Francisco, CA, USA","start":{"date-parts":[[2022,5,22]]},"end":{"date-parts":[[2022,5,26]]}},"container-title":["2022 IEEE Symposium on Security and Privacy (SP)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/9833550\/9833558\/09833677.pdf?arnumber=9833677","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,11,8]],"date-time":"2023-11-08T23:10:30Z","timestamp":1699485030000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9833677\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,5]]},"references-count":70,"URL":"https:\/\/doi.org\/10.1109\/sp46214.2022.9833677","relation":{},"subject":[],"published":{"date-parts":[[2022,5]]}}}