Towards Privacy-Aware Bayesian Networks: A Credal Approach
Niccolò Rocchi, Fabio Stella, Cassio de Campos
Published on arXiv: 2509.18949
Membership Inference Attack
OWASP ML Top 10 — ML04
Key Finding
Credal networks provide provably at least as much privacy as standard Bayesian networks against tracing attacks while preserving meaningful inferential bounds, outperforming noise-based differential privacy approaches on the utility-privacy trade-off.
Novel technique introduced: Credal Networks (CN) for privacy-aware BNs
Bayesian networks (BN) are probabilistic graphical models that enable efficient knowledge representation and inference. These have proven effective across diverse domains, including healthcare, bioinformatics and economics. The structure and parameters of a BN can be obtained by domain experts or directly learned from available data. However, as privacy concerns escalate, it becomes increasingly critical for publicly released models to safeguard sensitive information in training data. Typically, released models do not prioritize privacy by design. In particular, tracing attacks from adversaries can combine the released BN with auxiliary data to determine whether specific individuals belong to the data from which the BN was learned. State-of-the-art protection techniques involve introducing noise into the learned parameters. While this offers robust protection against tracing attacks, it significantly impacts the model's utility, in terms of both the significance and accuracy of the resulting inferences. Hence, high privacy may be attained at the cost of releasing a possibly ineffective model. This paper introduces credal networks (CN) as a novel solution for balancing the model's privacy and utility. After adapting the notion of tracing attacks, we demonstrate that a CN enables the masking of the learned BN, thereby reducing the probability of successful attacks. As CNs are obfuscated but not noisy versions of BNs, they can achieve meaningful inferences while safeguarding privacy. Moreover, we identify key learning information that must be concealed to prevent attackers from recovering the underlying BN. Finally, we conduct a set of numerical experiments to analyze how privacy gains can be modulated by tuning the CN hyperparameters. Our results confirm that CNs provide a principled, practical, and effective approach towards the development of privacy-aware probabilistic graphical models.
Key Contributions
- Introduces credal networks (CNs) as a principled alternative to noise injection for defending Bayesian networks against membership inference (tracing) attacks
- Formally extends the definition of tracing attacks to credal networks and proves that releasing a CN guarantees equal or higher privacy than the underlying BN in the large-sample limit
- Identifies key learning information that must be concealed to prevent attackers from recovering the underlying BN from a released CN, and demonstrates empirically that CN hyperparameters modulate the privacy-utility trade-off
🛡️ Threat Analysis
The paper's entire contribution is defending against 'tracing attacks' — where an adversary uses a released Bayesian network plus auxiliary data to determine whether specific individuals were in the training set. This is textbook membership inference. The proposed credal network (CN) framework is explicitly evaluated as a defense that reduces attacker success probability while preserving model utility.