attack 2026

Turning Black Box into White Box: Dataset Distillation Leaks

Huajie Chen 1, Tianqing Zhu 1, Yuchen Zhong 1, Yang Zhang 2, Shang Wang 3, Feng He 3, Lefeng Zhang 1, Jialiang Shen 4, Minghao Wang 1, Wanlei Zhou 1

1 City University of Macau

2 CISPA Helmholtz Center for Information Security

3 University of Technology Sydney

4 University of Sydney

0 citations
α

Published on arXiv

2603.01053

Model Inversion Attack

OWASP ML Top 10 — ML03

Membership Inference Attack

OWASP ML Top 10 — ML04

Key Finding

IRA accurately predicts both the distillation algorithm and model architecture from synthetic datasets, and successfully performs membership inference and recovers sensitive real training samples.

Information Revelation Attack (IRA)

Novel technique introduced

Dataset distillation compresses a large real dataset into a small synthetic one, enabling models trained on the synthetic data to achieve performance comparable to those trained on the real data. Although synthetic datasets are assumed to be privacy-preserving, we show that existing distillation methods can cause severe privacy leakage because synthetic datasets implicitly encode the weight trajectories of the distilled model, they become over-informative and exploitable by adversaries. To expose this risk, we introduce the Information Revelation Attack (IRA) against state-of-the-art distillation techniques. Experiments show that IRA accurately predicts both the distillation algorithm and model architecture, and can successfully infer membership and recover sensitive samples from the real dataset.

Key Contributions

  • Architecture inference stage that predicts distillation algorithm and model architecture from loss trajectories, effectively converting a black-box setting into white-box for the adversary
  • Membership inference attack leveraging the locally cloned white-box model's hidden-layer and final-layer outputs
  • Enhanced dual-network diffusion framework with trajectory loss for reconstructing real training samples from synthetic distilled datasets

🛡️ Threat Analysis

Model Inversion Attack

The final stage of IRA uses a dual-network diffusion framework to reconstruct sensitive real training samples from synthetic distilled datasets — a direct model inversion / training data reconstruction attack with an explicit adversarial threat model.

Membership Inference Attack

The second stage of IRA explicitly performs membership inference — determining whether a given sample was in the real training dataset — using hidden-layer and final-layer outputs of a locally cloned model.

Details

Domains
vision
Model Types
cnndiffusion
Threat Tags
black_boxinference_timetargeted
Datasets
CIFAR-10
Applications
dataset distillationprivacy-preserving mlimage classification
Read PDF arXiv

Similar Papers

attack

Model Inversion Attack Against Deep Hashing

2025 0 cit.
Model Inversion Attack
71%
attack

Latent Diffusion Inversion Requires Understanding the Latent Space

2025 0 cit.
Membership Inference AttackModel Inversion Attack
71%
attack

Realistic Face Reconstruction from Facial Embeddings via Diffusion Models

2026 0 cit.
Model Inversion Attack
67%
attack

Reconstructing Protected Biometric Templates from Binary Authentication Results

2026 0 cit.
Model Inversion Attack
67%
attack

What Your Features Reveal: Data-Efficient Black-Box Feature Inversion Attack for Split DNNs

2025 1 cit.
Model Inversion Attack
60%
attack

LeakyCLIP: Extracting Training Data from CLIP

2025 0 cit.
Model Inversion AttackMembership Inference Attack
60%
attack

Membership Inference Attacks with False Discovery Rate Control

2025 0 cit.
Membership Inference Attack
60%
attack

Dual-View Inference Attack: Machine Unlearning Amplifies Privacy Exposure

2025 2 cit.
Membership Inference Attack
60%