{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,14]],"date-time":"2026-03-14T18:00:54Z","timestamp":1773511254452,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":103,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,12,2]],"date-time":"2024-12-02T00:00:00Z","timestamp":1733097600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"National Institute of Health","award":["U54HG012510"],"award-info":[{"award-number":["U54HG012510"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,12,2]]},"DOI":"10.1145\/3658644.3690304","type":"proceedings-article","created":{"date-parts":[[2024,12,9]],"date-time":"2024-12-09T12:19:20Z","timestamp":1733746760000},"page":"3466-3480","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":6,"title":["Analyzing Inference Privacy Risks Through Gradients In Machine Learning"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-5559-4094","authenticated-orcid":false,"given":"Zhuohang","family":"Li","sequence":"first","affiliation":[{"name":"Vanderbilt University, Nashville, TN, USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0001-9893-5669","authenticated-orcid":false,"given":"Andrew","family":"Lowy","sequence":"additional","affiliation":[{"name":"University of Wisconsin-Madison, Madison, WI, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1712-2966","authenticated-orcid":false,"given":"Jing","family":"Liu","sequence":"additional","affiliation":[{"name":"Mitsubishi Electric Research Laboratories, Cambridge, MA, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2578-5372","authenticated-orcid":false,"given":"Toshiaki","family":"Koike-Akino","sequence":"additional","affiliation":[{"name":"Mitsubishi Electric Research Laboratories, Cambridge, MA, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4957-8140","authenticated-orcid":false,"given":"Kieran","family":"Parsons","sequence":"additional","affiliation":[{"name":"Mitsubishi Electric Research Laboratories, Cambridge, MA, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3040-5175","authenticated-orcid":false,"given":"Bradley","family":"Malin","sequence":"additional","affiliation":[{"name":"Vanderbilt University, Nashville, TN, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5220-1830","authenticated-orcid":false,"given":"Ye","family":"Wang","sequence":"additional","affiliation":[{"name":"Mitsubishi Electric Research Laboratories, Cambridge, MA, USA"}]}],"member":"320","published-online":{"date-parts":[[2024,12,9]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978318"},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICDCS.2016.74"},{"key":"e_1_3_2_1_3_1","volume-title":"Deep Variational Information Bottleneck. In International Conference on Learning Representations.","author":"Alemi Alexander A","year":"2016","unstructured":"Alexander A Alemi, Ian Fischer, Joshua V Dillon, and Kevin Murphy. 2016. Deep Variational Information Bottleneck. In International Conference on Learning Representations."},{"key":"e_1_3_2_1_4_1","volume-title":"One-shot Empirical Privacy Estimation for Federated Learning. In The Twelfth International Conference on Learning Representations.","author":"Andrew Galen","year":"2023","unstructured":"Galen Andrew, Peter Kairouz, Sewoong Oh, Alina Oprea, Hugh Brendan McMahan, and Vinith Menon Suriyakumar. 2023. One-shot Empirical Privacy Estimation for Federated Learning. In The Twelfth International Conference on Learning Representations."},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1504\/IJSN.2015.071829"},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833677"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.24432\/C5XW20"},{"key":"e_1_3_2_1_8_1","volume-title":"International Conference on Machine Learning. PMLR, 560--569","author":"Bernstein Jeremy","year":"2018","unstructured":"Jeremy Bernstein, Yu-Xiang Wang, Kamyar Azizzadenesheli, and Animashree Anandkumar. 2018. signSGD: Compressed optimisation for non-convex problems. In International Conference on Machine Learning. PMLR, 560--569."},{"key":"e_1_3_2_1_9_1","unstructured":"Tom Brown Benjamin Mann Nick Ryder Melanie Subbiah Jared D Kaplan Prafulla Dhariwal Arvind Neelakantan Pranav Shyam Girish Sastry Amanda Askell et al. 2020. Language models are few-shot learners. Advances in neural information processing systems Vol. 33 (2020) 1877--1901."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-53641-4_24"},{"key":"e_1_3_2_1_11_1","volume-title":"Crema-d: Crowd-sourced emotional multimodal actors dataset","author":"Cao Houwei","year":"2014","unstructured":"Houwei Cao, David G Cooper, Michael K Keutmann, Ruben C Gur, Ani Nenkova, and Ragini Verma. 2014. Crema-d: Crowd-sourced emotional multimodal actors dataset. IEEE transactions on affective computing, Vol. 5, 4 (2014), 377--390."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833649"},{"key":"e_1_3_2_1_13_1","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Carlini Nicolas","year":"2023","unstructured":"Nicolas Carlini, Jamie Hayes, Milad Nasr, Matthew Jagielski, Vikash Sehwag, Florian Tramer, Borja Balle, Daphne Ippolito, and Eric Wallace. 2023. Extracting training data from diffusion models. In 32nd USENIX Security Symposium (USENIX Security 23). 5253--5270."},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140444"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179334"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978308"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP43922.2022.9746443"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/3578356.3592587"},{"key":"e_1_3_2_1_19_1","volume-title":"FL-NeurIPS'22-Federated Learning: Recent Advances and New Challenges workshop in Conjunction with NeurIPS","author":"Driouich Ilias","year":"2022","unstructured":"Ilias Driouich, Chuan Xu, Giovanni Neglia, Frederic Giroire, and Eoin Thomas. 2022. A Novel Model-Based Attribute Inference Attack in Federated Learning. In FL-NeurIPS'22-Federated Learning: Recent Advances and New Challenges workshop in Conjunction with NeurIPS 2022."},{"key":"e_1_3_2_1_20_1","volume-title":"Privacy against statistical inference. In 2012 50th annual Allerton conference on communication, control, and computing (Allerton)","author":"du Pin Calmon Fl\u00e1vio","unstructured":"Fl\u00e1vio du Pin Calmon and Nadia Fawaz. 2012. Privacy against statistical inference. In 2012 50th annual Allerton conference on communication, control, and computing (Allerton). IEEE, 1401--1408."},{"key":"e_1_3_2_1_21_1","volume-title":"Distance-based and continuum Fano inequalities with applications to statistical estimation. arXiv preprint arXiv:1311.2669","author":"Duchi John C","year":"2013","unstructured":"John C Duchi and Martin J Wainwright. 2013. Distance-based and continuum Fano inequalities with applications to statistical estimation. arXiv preprint arXiv:1311.2669 (2013)."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1007\/11681878_14"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.56553\/popets-2023-0030"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/1873951.1874246"},{"key":"e_1_3_2_1_25_1","volume-title":"Attribute inference attack of speech emotion recognition in federated learning settings. arXiv preprint arXiv:2112.13416","author":"Feng Tiantian","year":"2021","unstructured":"Tiantian Feng, Hanieh Hashemi, Rajat Hebbar, Murali Annavaram, and Shrikanth S Narayanan. 2021. Attribute inference attack of speech emotion recognition in federated learning settings. arXiv preprint arXiv:2112.13416 (2021)."},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-44795-4_13"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813677"},{"key":"e_1_3_2_1_28_1","volume-title":"23rd USENIX security symposium (USENIX Security 14). 17--32.","author":"Fredrikson Matthew","unstructured":"Matthew Fredrikson, Eric Lantz, Somesh Jha, Simon Lin, David Page, and Thomas Ristenpart. 2014. Privacy in pharmacogenetics: An End-to-End case study of personalized warfarin dosing. In 23rd USENIX security symposium (USENIX Security 14). 17--32."},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243834"},{"key":"e_1_3_2_1_30_1","first-page":"16937","article-title":"Inverting gradients-how easy is it to break privacy in federated learning","volume":"33","author":"Geiping Jonas","year":"2020","unstructured":"Jonas Geiping, Hartmut Bauermeister, Hannah Dr\u00f6ge, and Michael Moeller. 2020. Inverting gradients-how easy is it to break privacy in federated learning? Advances in Neural Information Processing Systems, Vol. 33 (2020), 16937--16947.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_31_1","volume-title":"Algorithms with More Granular Differential Privacy Guarantees. arXiv preprint arXiv:2209.04053","author":"Ghazi Badih","year":"2022","unstructured":"Badih Ghazi, Ravi Kumar, Pasin Manurangsi, and Thomas Steinke. 2022. Algorithms with More Granular Differential Privacy Guarantees. arXiv preprint arXiv:2209.04053 (2022)."},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP39728.2021.9413397"},{"key":"e_1_3_2_1_33_1","volume-title":"International Conference on Machine Learning. PMLR, 11998--12011","author":"Guo Chuan","year":"2023","unstructured":"Chuan Guo, Alexandre Sablayrolles, and Maziar Sanjabi. 2023. Analyzing privacy leakage in machine learning via multiple hypothesis testing: A lesson from fano. In International Conference on Machine Learning. PMLR, 11998--12011."},{"key":"e_1_3_2_1_34_1","volume-title":"Recovering private text in federated learning of language models. Advances in neural information processing systems","author":"Gupta Samyak","year":"2022","unstructured":"Samyak Gupta, Yangsibo Huang, Zexuan Zhong, Tianyu Gao, Kai Li, and Danqi Chen. 2022. Recovering private text in federated learning of language models. Advances in neural information processing systems, Vol. 35 (2022), 8130--8143."},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.csl.2020.101119"},{"key":"e_1_3_2_1_36_1","first-page":"22911","article-title":"Reconstructing training data from trained neural networks","volume":"35","author":"Haim Niv","year":"2022","unstructured":"Niv Haim, Gal Vardi, Gilad Yehudai, Ohad Shamir, and Michal Irani. 2022. Reconstructing training data from trained neural networks. Advances in Neural Information Processing Systems, Vol. 35 (2022), 22911--22924.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_37_1","volume-title":"Federated learning for mobile keyboard prediction. arXiv preprint arXiv:1811.03604","author":"Hard Andrew","year":"2018","unstructured":"Andrew Hard, Kanishka Rao, Rajiv Mathews, Swaroop Ramaswamy, Franccoise Beaufays, Sean Augenstein, Hubert Eichner, Chlo\u00e9 Kiddon, and Daniel Ramage. 2018. Federated learning for mobile keyboard prediction. arXiv preprint arXiv:1811.03604 (2018)."},{"key":"e_1_3_2_1_38_1","volume-title":"Advances in Neural Information Processing Systems","volume":"36","author":"Hayes Jamie","year":"2024","unstructured":"Jamie Hayes, Borja Balle, and Saeed Mahloujifar. 2024. Bounding training data reconstruction in dp-sgd. Advances in Neural Information Processing Systems, Vol. 36 (2024)."},{"key":"e_1_3_2_1_39_1","volume-title":"Mobilenets: Efficient convolutional neural networks for mobile vision applications. arXiv preprint arXiv:1704.04861","author":"Howard Andrew G","year":"2017","unstructured":"Andrew G Howard, Menglong Zhu, Bo Chen, Dmitry Kalenichenko, Weijun Wang, Tobias Weyand, Marco Andreetto, and Hartwig Adam. 2017. Mobilenets: Efficient convolutional neural networks for mobile vision applications. arXiv preprint arXiv:1704.04861 (2017)."},{"key":"e_1_3_2_1_40_1","volume-title":"14th USENIX Symposium on Networked Systems Design and Implementation (NSDI 17)","author":"Hsieh Kevin","year":"2017","unstructured":"Kevin Hsieh, Aaron Harlap, Nandita Vijaykumar, Dimitris Konomis, Gregory R Ganger, Phillip B Gibbons, and Onur Mutlu. 2017. Gaia:Geo-Distributed machine learning approaching LAN speeds. In 14th USENIX Symposium on Networked Systems Design and Implementation (NSDI 17). 629--647."},{"key":"e_1_3_2_1_41_1","first-page":"7232","article-title":"Evaluating gradient inversion attacks and defenses in federated learning","volume":"34","author":"Huang Yangsibo","year":"2021","unstructured":"Yangsibo Huang, Samyak Gupta, Zhao Song, Kai Li, and Sanjeev Arora. 2021. Evaluating gradient inversion attacks and defenses in federated learning. Advances in Neural Information Processing Systems, Vol. 34 (2021), 7232--7241.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_42_1","first-page":"22205","article-title":"Auditing differentially private machine learning: How private is private sgd","volume":"33","author":"Jagielski Matthew","year":"2020","unstructured":"Matthew Jagielski, Jonathan Ullman, and Alina Oprea. 2020. Auditing differentially private machine learning: How private is private sgd? Advances in Neural Information Processing Systems, Vol. 33 (2020), 22205--22216.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560663"},{"key":"e_1_3_2_1_44_1","volume-title":"27th USENIX Security Symposium (USENIX Security 18)","author":"Jia Jinyuan","year":"2018","unstructured":"Jinyuan Jia and Neil Zhenqiang Gong. 2018. AttriGuard: A practical defense against attribute inference attacks via adversarial machine learning. In 27th USENIX Security Symposium (USENIX Security 18). 513--529."},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363201"},{"key":"e_1_3_2_1_46_1","unstructured":"Kaggle. 2012. Heritage Health Prize. https:\/\/www.kaggle.com\/c\/hhp\/data."},{"key":"e_1_3_2_1_47_1","volume-title":"International conference on machine learning. PMLR, 1376--1385","author":"Kairouz Peter","year":"2015","unstructured":"Peter Kairouz, Sewoong Oh, and Pramod Viswanath. 2015. The composition theorem for differential privacy. In International conference on machine learning. PMLR, 1376--1385."},{"key":"e_1_3_2_1_48_1","volume-title":"User Inference Attacks on Large Language Models. In International Workshop on Federated Learning in the Age of Foundation Models in Conjunction with NeurIPS","author":"Kandpal Nikhil","year":"2023","unstructured":"Nikhil Kandpal, Krishna Pillutla, Alina Oprea, Peter Kairouz, Christopher A Choquette-Choo, and Zheng Xu. 2023. User Inference Attacks on Large Language Models. In International Workshop on Federated Learning in the Age of Foundation Models in Conjunction with NeurIPS 2023."},{"key":"e_1_3_2_1_49_1","volume-title":"Federated learning in adversarial settings. arXiv preprint arXiv:2010.07808","author":"Kerkouche Raouf","year":"2020","unstructured":"Raouf Kerkouche, Gergely \u00c1cs, and Claude Castelluccia. 2020. Federated learning in adversarial settings. arXiv preprint arXiv:2010.07808 (2020)."},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/3603216.3624964"},{"key":"e_1_3_2_1_51_1","volume-title":"International Conference on Machine Learning. PMLR, 5959--5968","author":"Lam Maximilian","year":"2021","unstructured":"Maximilian Lam, Gu-Yeon Wei, David Brooks, Vijay Janapa Reddi, and Michael Mitzenmacher. 2021. Gradient disaggregation: Breaking privacy in federated learning by reconstructing the user participant matrix. In International Conference on Machine Learning. PMLR, 5959--5968."},{"key":"e_1_3_2_1_52_1","volume-title":"29th USENIX security symposium (USENIX Security 20). 1605--1622.","author":"Leino Klas","unstructured":"Klas Leino and Matt Fredrikson. 2020. Stolen memories: Leveraging model memorization for calibrated White-Box membership inference. In 29th USENIX security symposium (USENIX Security 20). 1605--1622."},{"key":"e_1_3_2_1_53_1","volume-title":"ICLR 2022 Workshop on PAIR: Privacy, Accountability, Interpretability, Robustness, Reasoning on Structured Data.","author":"Li Guoyao","year":"2022","unstructured":"Guoyao Li, Shahbaz Rezaei, and Xin Liu. 2022. User-Level Membership Inference Attack against Metric Embedding Learning. In ICLR 2022 Workshop on PAIR: Privacy, Accountability, Interpretability, Robustness, Reasoning on Structured Data."},{"key":"e_1_3_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1145\/2640087.2644155"},{"key":"e_1_3_2_1_55_1","volume-title":"Analyzing Inference Privacy Risks Through Gradients In Machine Learning. arXiv preprint arXiv:2408.16913","author":"Li Zhuohang","year":"2024","unstructured":"Zhuohang Li, Andrew Lowy, Jing Liu, Toshiaki Koike-Akino, Kieran Parsons, Bradley Malin, and Ye Wang. 2024. Analyzing Inference Privacy Risks Through Gradients In Machine Learning. arXiv preprint arXiv:2408.16913 (2024)."},{"key":"e_1_3_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP49357.2023.10095443"},{"key":"e_1_3_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.00989"},{"key":"e_1_3_2_1_58_1","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Liu Yugeng","year":"2022","unstructured":"Yugeng Liu, Rui Wen, Xinlei He, Ahmed Salem, Zhikun Zhang, Michael Backes, Emiliano De Cristofaro, Mario Fritz, and Yang Zhang. 2022. ML-Doctor: Holistic risk assessment of inference attacks against machine learning models. In 31st USENIX Security Symposium (USENIX Security 22). 4525--4542."},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2015.425"},{"key":"e_1_3_2_1_60_1","volume-title":"Why Does Differential Privacy with Large Epsilon Defend Against Practical Membership Inference Attacks? arXiv preprint arXiv:2402.09540","author":"Lowy Andrew","year":"2024","unstructured":"Andrew Lowy, Zhuohang Li, Jing Liu, Toshiaki Koike-Akino, Kieran Parsons, and Ye Wang. 2024. Why Does Differential Privacy with Large Epsilon Defend Against Practical Membership Inference Attacks? arXiv preprint arXiv:2402.09540 (2024)."},{"key":"e_1_3_2_1_61_1","volume-title":"The Eleventh International Conference on Learning Representations.","author":"Lowy Andrew","year":"2022","unstructured":"Andrew Lowy and Meisam Razaviyayn. 2022. Private Federated Learning Without a Trusted Server: Optimal Algorithms for Convex Losses. In The Eleventh International Conference on Learning Representations."},{"key":"e_1_3_2_1_62_1","volume-title":"A novel attribute reconstruction attack in federated learning. arXiv preprint arXiv:2108.06910","author":"Lyu Lingjuan","year":"2021","unstructured":"Lingjuan Lyu and Chen Chen. 2021. A novel attribute reconstruction attack in federated learning. arXiv preprint arXiv:2108.06910 (2021)."},{"key":"e_1_3_2_1_63_1","volume-title":"CANIFE: Crafting Canaries for Empirical Privacy Measurement in Federated Learning. In The Eleventh International Conference on Learning Representations.","author":"Maddock Samuel","year":"2022","unstructured":"Samuel Maddock, Alexandre Sablayrolles, and Pierre Stock. 2022. CANIFE: Crafting Canaries for Empirical Privacy Measurement in Federated Learning. In The Eleventh International Conference on Learning Representations."},{"key":"e_1_3_2_1_64_1","volume-title":"International Conference on Learning Representations.","author":"Madry Aleksander","year":"2018","unstructured":"Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2018. Towards Deep Learning Models Resistant to Adversarial Attacks. In International Conference on Learning Representations."},{"key":"e_1_3_2_1_65_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833623"},{"key":"e_1_3_2_1_66_1","unstructured":"Brendan McMahan Eider Moore Daniel Ramage Seth Hampson and Blaise Aguera y Arcas. 2017. Communication-efficient learning of deep networks from decentralized data. In Artificial intelligence and statistics. PMLR 1273--1282."},{"key":"e_1_3_2_1_67_1","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Mehnaz Shagufta","year":"2022","unstructured":"Shagufta Mehnaz, Sayanton V Dibbo, Roberta De Viti, Ehsanul Kabir, Bj\u00f6rn B Brandenburg, Stefan Mangard, Ninghui Li, Elisa Bertino, Michael Backes, Emiliano De Cristofaro, et al. 2022. Are your sensitive attributes private? Novel model inversion attribute inference attacks on classification models. In 31st USENIX Security Symposium (USENIX Security 22). 4579--4596."},{"key":"e_1_3_2_1_68_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00029"},{"key":"e_1_3_2_1_69_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00065"},{"key":"e_1_3_2_1_70_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00069"},{"key":"e_1_3_2_1_71_1","first-page":"30058","article-title":"Voiceblock: Privacy through real-time adversarial attacks with audio-to-audio models","volume":"35","author":"O'Reilly Patrick","year":"2022","unstructured":"Patrick O'Reilly, Andreas Bugler, Keshav Bhandari, Max Morrison, and Bryan Pardo. 2022. Voiceblock: Privacy through real-time adversarial attacks with audio-to-audio models. Advances in Neural Information Processing Systems, Vol. 35 (2022), 30058--30070.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_72_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.01042"},{"key":"e_1_3_2_1_73_1","volume-title":"International Conference on Machine Learning. PMLR, 5558--5567","author":"Sablayrolles Alexandre","year":"2019","unstructured":"Alexandre Sablayrolles, Matthijs Douze, Cordelia Schmid, Yann Ollivier, and Herv\u00e9 J\u00e9gou. 2019. White-box vs black-box: Bayes optimal strategies for membership inference. In International Conference on Machine Learning. PMLR, 5558--5567."},{"key":"e_1_3_2_1_74_1","volume-title":"29th USENIX security symposium (USENIX Security 20). 1291--1308.","author":"Salem Ahmed","unstructured":"Ahmed Salem, Apratim Bhattacharya, Michael Backes, Mario Fritz, and Yang Zhang. 2020. Updates-Leak: Data set inference and reconstruction attacks in online learning. In 29th USENIX security symposium (USENIX Security 20). 1291--1308."},{"key":"e_1_3_2_1_75_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179281"},{"key":"e_1_3_2_1_76_1","volume-title":"Ml-leaks: Model and data independent membership inference attacks and defenses on machine learning models. arXiv preprint arXiv:1806.01246","author":"Salem Ahmed","year":"2018","unstructured":"Ahmed Salem, Yang Zhang, Mathias Humbert, Pascal Berrang, Mario Fritz, and Michael Backes. 2018. Ml-leaks: Model and data independent membership inference attacks and defenses on machine learning models. arXiv preprint arXiv:1806.01246 (2018)."},{"key":"e_1_3_2_1_77_1","doi-asserted-by":"publisher","DOI":"10.1109\/WACV51458.2022.00366"},{"key":"e_1_3_2_1_78_1","volume-title":"Privacy Preserving Federated Learning with Convolutional Variational Bottlenecks. arXiv preprint arXiv:2309.04515","author":"Scheliga Daniel","year":"2023","unstructured":"Daniel Scheliga, Patrick M\u00e4der, and Marco Seeland. 2023. Privacy Preserving Federated Learning with Convolutional Variational Bottlenecks. arXiv preprint arXiv:2309.04515 (2023)."},{"key":"e_1_3_2_1_79_1","volume-title":"Fawkes: Protecting privacy against unauthorized deep learning models. In 29th USENIX security symposium (USENIX Security 20). 1589--1604.","author":"Shan Shawn","year":"2020","unstructured":"Shawn Shan, Emily Wenger, Jiayun Zhang, Huiying Li, Haitao Zheng, and Ben Y Zhao. 2020. Fawkes: Protecting privacy against unauthorized deep learning models. In 29th USENIX security symposium (USENIX Security 20). 1589--1604."},{"key":"e_1_3_2_1_80_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.41"},{"key":"e_1_3_2_1_81_1","volume-title":"Prototypical networks for few-shot learning. Advances in neural information processing systems","author":"Snell Jake","year":"2017","unstructured":"Jake Snell, Kevin Swersky, and Richard Zemel. 2017. Prototypical networks for few-shot learning. Advances in neural information processing systems, Vol. 30 (2017)."},{"key":"e_1_3_2_1_82_1","volume-title":"Overlearning Reveals Sensitive Attributes. In International Conference on Learning Representations.","author":"Song Congzheng","year":"2019","unstructured":"Congzheng Song and Vitaly Shmatikov. 2019. Overlearning Reveals Sensitive Attributes. In International Conference on Learning Representations."},{"key":"e_1_3_2_1_83_1","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Song Liwei","year":"2021","unstructured":"Liwei Song and Prateek Mittal. 2021. Systematic evaluation of privacy risks of machine learning models. In 30th USENIX Security Symposium (USENIX Security 21). 2615--2632."},{"key":"e_1_3_2_1_84_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR46437.2021.00919"},{"key":"e_1_3_2_1_85_1","doi-asserted-by":"publisher","DOI":"10.56553\/popets-2022-0121"},{"key":"e_1_3_2_1_86_1","volume-title":"Subject membership inference attacks in federated learning. arXiv preprint arXiv:2206.03317","author":"Suri Anshuman","year":"2022","unstructured":"Anshuman Suri, Pallika Kanani, Virendra J Marathe, and Daniel W Peterson. 2022. Subject membership inference attacks in federated learning. arXiv preprint arXiv:2206.03317 (2022)."},{"key":"e_1_3_2_1_87_1","volume-title":"On adaptive attacks to adversarial example defenses. Advances in neural information processing systems","author":"Tramer Florian","year":"2020","unstructured":"Florian Tramer, Nicholas Carlini, Wieland Brendel, and Aleksander Madry. 2020. On adaptive attacks to adversarial example defenses. Advances in neural information processing systems, Vol. 33 (2020), 1633--1645."},{"key":"e_1_3_2_1_88_1","volume-title":"25th USENIX security symposium (USENIX Security 16). 601--618.","author":"Tram\u00e8r Florian","unstructured":"Florian Tram\u00e8r, Fan Zhang, Ari Juels, Michael K Reiter, and Thomas Ristenpart. 2016. Stealing machine learning models via prediction APIs. In 25th USENIX security symposium (USENIX Security 16). 601--618."},{"key":"e_1_3_2_1_89_1","doi-asserted-by":"publisher","DOI":"10.1145\/3338501.3357370"},{"key":"e_1_3_2_1_90_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSC.2019.2897554"},{"key":"e_1_3_2_1_91_1","volume-title":"TabLeak: Tabular Data Leakage in Federated Learning. In International Conference on Machine Learning. PMLR.","author":"Vero Mark","year":"2023","unstructured":"Mark Vero, Mislav Balunovic, Dimitar Iliev Dimitrov, and Martin Vechev. 2023. TabLeak: Tabular Data Leakage in Federated Learning. In International Conference on Machine Learning. PMLR."},{"key":"e_1_3_2_1_92_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00038"},{"key":"e_1_3_2_1_93_1","first-page":"9706","article-title":"Variational model inversion attacks","volume":"34","author":"Wang Kuan-Chieh","year":"2021","unstructured":"Kuan-Chieh Wang, Yan Fu, Ke Li, Ashish Khisti, Richard Zemel, and Alireza Makhzani. 2021. Variational model inversion attacks. Advances in Neural Information Processing Systems, Vol. 34 (2021), 9706--9719.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_94_1","unstructured":"Ruihan Wu Xiangyu Chen Chuan Guo and Kilian Q Weinberger. 2023. Learning To Invert: Simple Adaptive Attacks for Gradient Inversion in Federated Learning. In Uncertainty in Artificial Intelligence. PMLR 2293--2303."},{"key":"e_1_3_2_1_95_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2016.32"},{"key":"e_1_3_2_1_96_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560675"},{"key":"e_1_3_2_1_97_1","volume-title":"Privacy risk in machine learning: Analyzing the connection to overfitting. In 2018 IEEE 31st computer security foundations symposium (CSF)","author":"Yeom Samuel","unstructured":"Samuel Yeom, Irene Giacomelli, Matt Fredrikson, and Somesh Jha. 2018. Privacy risk in machine learning: Analyzing the connection to overfitting. In 2018 IEEE 31st computer security foundations symposium (CSF). IEEE, 268--282."},{"key":"e_1_3_2_1_98_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR46437.2021.01607"},{"key":"e_1_3_2_1_99_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00874"},{"key":"e_1_3_2_1_100_1","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Yue Kai","year":"2023","unstructured":"Kai Yue, Richeng Jin, Chau-Wai Wong, Dror Baron, and Huaiyu Dai. 2023. Gradient obfuscation gives a false sense of security in federated learning. In 32nd USENIX Security Symposium (USENIX Security 23). 6381--6398."},{"key":"e_1_3_2_1_101_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00033"},{"key":"e_1_3_2_1_102_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.463"},{"key":"e_1_3_2_1_103_1","volume-title":"Deep leakage from gradients. Advances in neural information processing systems","author":"Zhu Ligeng","year":"2019","unstructured":"Ligeng Zhu, Zhijian Liu, and Song Han. 2019. Deep leakage from gradients. Advances in neural information processing systems, Vol. 32 (2019)."}],"event":{"name":"CCS '24: ACM SIGSAC Conference on Computer and Communications Security","location":"Salt Lake City UT USA","acronym":"CCS '24","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3658644.3690304","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3658644.3690304","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T06:13:16Z","timestamp":1755843196000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3658644.3690304"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,12,2]]},"references-count":103,"alternative-id":["10.1145\/3658644.3690304","10.1145\/3658644"],"URL":"https:\/\/doi.org\/10.1145\/3658644.3690304","relation":{},"subject":[],"published":{"date-parts":[[2024,12,2]]},"assertion":[{"value":"2024-12-09","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}