defense 2025

Secure Confidential Business Information When Sharing Machine Learning Models

Yunfan Yang 1, Jiarong Xu 1, Hongzhe Zhang 2, Xiao Fang 3

0 citations

Published on arXiv: 2509.16352

Model Inversion Attack

OWASP ML Top 10 — ML03

Key Finding

The proposed defense outperforms existing CPI defenses in resisting adaptive (responsive) property inference attacks, while better preserving model utility and reducing computational overhead across realistic model-sharing scenarios.

Responsive CPI Arms Race Defense

Novel technique introduced


Model-sharing offers significant business value by enabling firms with well-established Machine Learning (ML) models to monetize and share their models with others who lack the resources to develop ML models from scratch. However, concerns over data confidentiality remain a significant barrier to model-sharing adoption, as Confidential Property Inference (CPI) attacks can exploit shared ML models to uncover confidential properties of the model provider's private model training data. Existing defenses often assume that CPI attacks are non-adaptive to the specific ML model they are targeting. This assumption overlooks a key characteristic of real-world adversaries: their responsiveness, i.e., adversaries' ability to dynamically adjust their attack models based on the information of the target and its defenses. To overcome this limitation, we propose a novel defense method that explicitly accounts for the responsive nature of real-world adversaries via two methodological innovations: a novel Responsive CPI attack and an attack-defense arms race framework. The former emulates the responsive behaviors of adversaries in the real world, and the latter iteratively enhances both the target and attack models, ultimately producing a secure ML model that is robust against responsive CPI attacks. Furthermore, we propose and integrate a novel approximate strategy into our defense, which addresses a critical computational bottleneck of defense methods and improves defense efficiency. Through extensive empirical evaluations across various realistic model-sharing scenarios, we demonstrate that our method outperforms existing defenses by more effectively defending against CPI attacks, preserving ML model utility, and reducing computational overhead.


Key Contributions

  • Novel 'Responsive CPI attack' that emulates adaptive adversaries who dynamically adjust their attack strategy based on information about the target model and its deployed defenses
  • Attack-defense arms race framework that iteratively co-evolves both the target model and the attack model, producing a shared ML model robust against responsive property inference attacks
  • Approximate strategy that addresses the computational bottleneck in the arms race defense loop, significantly reducing overhead while preserving defense quality

🛡️ Threat Analysis

Model Inversion Attack

CPI attacks recover confidential properties of the model provider's training data from a shared ML model: the adversary queries the shared model and infers sensitive properties of the data it was trained on. This is the recovery of private attributes from a trained model that the Model Inversion category (OWASP ML03) covers. The defense is explicitly evaluated against this inference threat.


Details

Model Types: traditional_ml
Threat Tags: black_box, grey_box, inference_time
Applications: model sharing, ml model monetization, business ml apis