{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,22]],"date-time":"2026-04-22T20:09:03Z","timestamp":1776888543160,"version":"3.51.2"},"reference-count":134,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"2","license":[{"start":{"date-parts":[[2025,2,1]],"date-time":"2025-02-01T00:00:00Z","timestamp":1738368000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2025,2,1]],"date-time":"2025-02-01T00:00:00Z","timestamp":1738368000000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2025,2,1]],"date-time":"2025-02-01T00:00:00Z","timestamp":1738368000000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62206238"],"award-info":[{"award-number":["62206238"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62176122"],"award-info":[{"award-number":["62176122"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100004608","name":"Natural Science Foundation of Jiangsu Province","doi-asserted-by":"publisher","award":["BK20220562"],"award-info":[{"award-number":["BK20220562"]}],"id":[{"id":"10.13039\/501100004608","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Natural Science Research Project of Universities in Jiangsu Province","award":["22KJB520010"],"award-info":[{"award-number":["22KJB520010"]}]},{"DOI":"10.13039\/501100002858","name":"China Postdoctoral Science Foundation","doi-asserted-by":"publisher","award":["2023M732985"],"award-info":[{"award-number":["2023M732985"]}],"id":[{"id":"10.13039\/501100002858","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans. Artif. Intell."],"published-print":{"date-parts":[[2025,2]]},"DOI":"10.1109\/tai.2024.3363670","type":"journal-article","created":{"date-parts":[[2024,2,8]],"date-time":"2024-02-08T14:06:46Z","timestamp":1707401206000},"page":"333-353","source":"Crossref","is-referenced-by-count":45,"title":["Privacy Inference Attack and Defense in Centralized and Federated Learning: A Comprehensive Survey"],"prefix":"10.1109","volume":"6","author":[{"ORCID":"https:\/\/orcid.org\/0009-0009-7358-3239","authenticated-orcid":false,"given":"Bosen","family":"Rao","sequence":"first","affiliation":[{"name":"School of Information Engineering, Yangzhou University, Yangzhou, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2143-5666","authenticated-orcid":false,"given":"Jiale","family":"Zhang","sequence":"additional","affiliation":[{"name":"School of Information Engineering, Yangzhou University, Yangzhou, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4753-8161","authenticated-orcid":false,"given":"Di","family":"Wu","sequence":"additional","affiliation":[{"name":"School of Mathematics, Physics and Computing, University of Southern Queensland, Toowoomba, QLD, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-4082-0803","authenticated-orcid":false,"given":"Chengcheng","family":"Zhu","sequence":"additional","affiliation":[{"name":"School of Information Engineering, Yangzhou University, Yangzhou, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5165-5080","authenticated-orcid":false,"given":"Xiaobing","family":"Sun","sequence":"additional","affiliation":[{"name":"School of Information Engineering, Yangzhou University, Yangzhou, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2863-5441","authenticated-orcid":false,"given":"Bing","family":"Chen","sequence":"additional","affiliation":[{"name":"College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing, China"}]}],"member":"263","reference":[{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.1810.04805"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1016\/j.ins.2022.01.013"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1109\/LGRS.2014.2309695"},{"key":"ref5","article-title":"On attacking statistical spam filters","volume-title":"Proc. 1st Conf. Email Anti-Spam (CEAS)","author":"Wittel","year":"2004"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1145\/3298981"},{"key":"ref7","first-page":"1273","article-title":"Communication-efficient learning of deep networks from decentralized data","volume-title":"Proc. 20th Int. Conf. Artif. Intell. Statist. (AISTATS)","volume":"54","author":"McMahan","year":"2017"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1109\/JBHI.2022.3181823"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-23551-2_2"},{"key":"ref10","article-title":"Federated learning for mobile keyboard prediction","author":"Hard","year":"2018"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1109\/TNNLS.2022.3216981"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2020.10.007"},{"key":"ref13","article-title":"Protection against reconstruction and its applications in private federated learning","author":"Bhowmick","year":"2018"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00029"},{"key":"ref15","first-page":"7575","article-title":"cpSGD: Communication-efficient and differentially-private distributed SGD","volume-title":"Proc. Adv. Neural Inf. Process. Syst. (NeurIPS)","volume":"31","author":"Agarwal","year":"2018"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.41"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23183"},{"key":"ref18","first-page":"5558","article-title":"White-box vs black-box: Bayes optimal strategies for membership inference","volume-title":"Proc. 36th Int. Conf. Mach. Learn.","author":"Sablayrolles","year":"2019"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23119"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354211"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.2478\/popets-2019-0008"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00065"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1109\/WCSP.2019.8927871"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417270"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58592-1_31"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417238"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1037\/e516712004-001"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484749"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484770"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484575"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1109\/TSC.2019.2897554"},{"key":"ref32","first-page":"2615","article-title":"Systematic evaluation of privacy risks of machine learning models","volume-title":"Proc. 30th USENIX Secur. Symp. (USENIX)","author":"Song","year":"2021"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560675"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560684"},{"key":"ref35","article-title":"On the importance of difficulty calibration in membership inference attacks","volume-title":"Proc. 10th Int. Conf. Learn. Representations (ICLR)","author":"Watson","year":"2022"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1016\/j.jisa.2022.103201"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833649"},{"key":"ref38","first-page":"19","article-title":"Membership inference attacks and defenses in neural network pruning","volume-title":"Proc. USENIX Secur. Symp.","author":"Yuan","year":"2022"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3559359"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2022.3154029"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2022.3222880"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2023.3318950"},{"key":"ref43","first-page":"267","article-title":"The secret sharer: Evaluating and testing unintended memorization in neural networks","volume-title":"Proc. USENIX Secur. Symp.","author":"Carlini","year":"2018"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134077"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978355"},{"key":"ref46","article-title":"Node-level membership inference attacks against graph neural networks","author":"He","year":"2021","journal-title":"Feb"},{"key":"ref47","article-title":"Label-only membership inference attacks","author":"Choquette-Choo","year":"2021"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.01455"},{"key":"ref49","first-page":"2133","article-title":"CodexLeaks: Privacy leaks from code generation language models in GitHub copilot","volume-title":"Proc. 32nd USENIX Secur. Symp.","author":"Niu","year":"2023"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1109\/TMC.2022.3148690"},{"key":"ref51","first-page":"267","article-title":"The secret sharer: Evaluating and testing unintended memorization in neural networks","volume-title":"Proc. 28th USENIX Secur. Symp.","author":"Carlini","year":"2019"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134077"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2018.00027"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243834"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354261"},{"key":"ref56","first-page":"1291","article-title":"Updates-leak: Data set inference and reconstruction attacks in online learning","volume-title":"Proc. 29th USENIX Secur. Symp.","author":"Salem","year":"2020"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560663"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560662"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2022.23019"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833623"},{"key":"ref61","first-page":"4579","article-title":"Are your sensitive attributes private? Novel model inversion attribute inference attacks on classification models","volume-title":"Proc. 31st USENIX Secur. Symp.","author":"Mehnaz","year":"2022"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134012"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1109\/INFOCOM.2019.8737416"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1145\/3359789.3359824"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-63076-8_2"},{"key":"ref66","article-title":"iDLG: Improved deep leakage from gradients","author":"Zhao","year":"2020"},{"key":"ref67","first-page":"16937","article-title":"Inverting gradients \u2013 How easy is it to break privacy in federated learning?","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","volume":"33","author":"Geiping","year":"2020"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.1109\/ICDE51399.2021.00023"},{"key":"ref69","first-page":"1397","article-title":"Label inference attacks against vertical federated learning","volume-title":"Proc. 31st USENIX Secur. Symp.","author":"Fu","year":"2022"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00038"},{"key":"ref71","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00509"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24178"},{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i01.5432"},{"key":"ref74","first-page":"1309","article-title":"Exploring connections between active learning and model extraction","volume-title":"Proc. 29th USENIX Secur. Symp.","author":"Chandrasekaran","year":"2020"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-62144-5_4"},{"key":"ref76","first-page":"1345","article-title":"High accuracy and high fidelity extraction of neural networks","volume-title":"Proc. 29th USENIX Secur. Symp.","author":"Jagielski","year":"2020"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.1145\/3460231.3474275"},{"key":"ref78","first-page":"12 278","article-title":"Grey-box extraction of natural language models","volume-title":"Proc. 38th Int. Conf. Mach. Learn. (ICML)","volume":"139","author":"B\u00e9guelin","year":"2021"},{"key":"ref79","first-page":"5757","article-title":"On the difficulty of defending self-supervised learning against model extraction","volume-title":"Proc. Int. Conf. Mach. Learn. (ICML)","volume":"162","author":"Dziedzic","year":"2022"},{"key":"ref80","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833743"},{"key":"ref81","doi-asserted-by":"publisher","DOI":"10.1109\/TFUZZ.2022.3172991"},{"key":"ref82","doi-asserted-by":"publisher","DOI":"10.1198\/tech.2002.s714"},{"key":"ref83","doi-asserted-by":"publisher","DOI":"10.1109\/IJCNN.2018.8489592"},{"key":"ref84","doi-asserted-by":"publisher","DOI":"10.1109\/ICDM51629.2021.00129"},{"key":"ref85","first-page":"19","article-title":"Pool inference attacks on local differential privacy: Quantifying the privacy guarantees of apple\u2019s count mean sketch in practice","volume-title":"Proc. USENIX Secur. Symp.","author":"Gadotti"},{"key":"ref86","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978318"},{"key":"ref87","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2019\/660"},{"key":"ref88","first-page":"12673","article-title":"GS-WGAN: A gradient-sanitized approach for learning differentially private generators","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","volume":"33","author":"Chen","year":"2020"},{"key":"ref89","first-page":"12 480","article-title":"Don\u2019t generate me: Training differentially private generative models with Sinkhorn divergence","volume-title":"Proc. Adv.Neural Inf. Process. Syst.","volume":"34","author":"Cao","year":"2021"},{"key":"ref90","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2021.3069258"},{"key":"ref91","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2022.3163591"},{"key":"ref92","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813687"},{"key":"ref93","first-page":"3226","article-title":"Differentially private Bayesian learning on distributed data","volume-title":"Proc. Adv.Neural Inf. Process. Syst.","volume":"30","author":"Heikkil\u00e4","year":"2017"},{"key":"ref94","article-title":"Differentially private federated learning: A client level perspective","author":"Geyer","year":"2018","journal-title":"Mar"},{"key":"ref95","first-page":"6346","article-title":"Distributed learning without distress: Privacy-preserving empirical risk minimization","volume-title":"Proc. Adv.Neural Inf. Process. Syst.","volume":"31","author":"Jayaraman","year":"2018"},{"key":"ref96","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2019.2939713"},{"key":"ref97","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2020.2988575"},{"key":"ref98","doi-asserted-by":"publisher","DOI":"10.1007\/s00778-021-00700-6"},{"key":"ref99","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00069"},{"key":"ref100","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134056"},{"key":"ref101","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.12"},{"key":"ref102","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3133982"},{"key":"ref103","first-page":"35","article-title":"ABY3: A mixed protocol framework for machine learning","volume-title":"Proc. ACM SIGSAC Conf. Comput. Commun. Secur.","author":"Mohassel","year":"2018"},{"key":"ref104","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3339819"},{"key":"ref105","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417274"},{"key":"ref106","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00016"},{"key":"ref107","first-page":"809","article-title":"Cheetah: Lean and fast secure two-party deep neural network inference","volume-title":"Proc. 31st USENIX Secur. Symp.","author":"Huang","year":"2022"},{"key":"ref108","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2022.3231784"},{"key":"ref109","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2023.3262149"},{"key":"ref110","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243837"},{"key":"ref111","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363207"},{"key":"ref112","first-page":"493","article-title":"BatchCrypt: Efficient homomorphic encryption for cross-silo federated learning","volume-title":"Proc. USENIX Annu. Tech. Conf.","author":"Zhang","year":"2020"},{"key":"ref113","doi-asserted-by":"publisher","DOI":"10.1145\/3466752.3480070"},{"key":"ref114","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560702"},{"key":"ref115","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2023.3263631"},{"key":"ref116","first-page":"513","article-title":"AttriGuard: A practical defense against attribute inference attacks via adversarial machine learning","volume-title":"Proc. 27th USENIX Secur. Symp.","author":"Jia","year":"2018"},{"key":"ref117","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243855"},{"key":"ref118","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363201"},{"key":"ref119","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2020.2968188"},{"key":"ref120","first-page":"7852","article-title":"FairVFL: A fair vertical federated learning framework with contrastive adversarial learning","volume-title":"Proc. Adv. Neural Inf. Process. Syst. (NeurIPS)","author":"Qi","year":"2022"},{"key":"ref121","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2023.3236180"},{"key":"ref122","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2023.3246766"},{"key":"ref123","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2017.398"},{"key":"ref124","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v31i1.11233"},{"key":"ref125","article-title":"Overlearning reveals sensitive attributes","volume-title":"Proc. 8th Int. Conf. Learn. Representations (ICLR)","author":"Song"},{"key":"ref126","doi-asserted-by":"publisher","DOI":"10.1109\/ALLERTON.2019.8919758"},{"key":"ref127","first-page":"214","article-title":"Wasserstein generative adversarial networks","volume-title":"Proc. 34th Int. Conf. Mach. Learn. (ICML)","volume":"70","author":"Arjovsky","year":"2017"},{"key":"ref128","first-page":"1615","article-title":"Turning your weakness into a strength: Watermarking deep neural networks by backdooring","volume-title":"Proc. 27th USENIX Secur. Symp.","author":"Adi","year":"2018"},{"key":"ref129","doi-asserted-by":"publisher","DOI":"10.1145\/3474085.3475591"},{"key":"ref130","first-page":"1937","article-title":"Entangled watermarks as a defense against model extraction","volume-title":"Proc. 30th USENIX Secur. Symp.","author":"Jia","year":"2021"},{"key":"ref131","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833747"},{"key":"ref132","first-page":"4525","article-title":"ML-doctor: Holistic risk assessment of inference attacks against machine learning models","volume-title":"Proc. 31st USENIX Secur. Symp., Boston, MA, USA","author":"Liu","year":"2022"},{"key":"ref133","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560581"},{"key":"ref134","doi-asserted-by":"publisher","DOI":"10.1007\/s13735-018-0147-1"}],"container-title":["IEEE Transactions on Artificial Intelligence"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/9078688\/10908727\/10429780.pdf?arnumber=10429780","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,23]],"date-time":"2025-08-23T01:09:35Z","timestamp":1755911375000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/10429780\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,2]]},"references-count":134,"journal-issue":{"issue":"2"},"URL":"https:\/\/doi.org\/10.1109\/tai.2024.3363670","relation":{},"ISSN":["2691-4581"],"issn-type":[{"value":"2691-4581","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,2]]}}}