{"id":"https://openalex.org/W3211753216","doi":"https://doi.org/10.1109/sp46214.2022.9833677","title":"Reconstructing Training Data with Informed Adversaries","display_name":"Reconstructing Training Data with Informed Adversaries","publication_year":2022,"publication_date":"2022-05-01","ids":{"openalex":"https://openalex.org/W3211753216","doi":"https://doi.org/10.1109/sp46214.2022.9833677","mag":"3211753216"},"language":"en","primary_location":{"id":"doi:10.1109/sp46214.2022.9833677","is_oa":false,"landing_page_url":"https://doi.org/10.1109/sp46214.2022.9833677","pdf_url":null,"source":{"id":"https://openalex.org/S4363606603","display_name":"2022 IEEE Symposium on Security and Privacy (SP)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"conference"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2022 IEEE Symposium on Security and Privacy (SP)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5085679401","display_name":"Borja Balle","orcid":"https://orcid.org/0009-0003-8726-2803"},"institutions":[{"id":"https://openalex.org/I4210090411","display_name":"DeepMind (United Kingdom)","ror":"https://ror.org/00971b260","country_code":"GB","type":"company","lineage":["https://openalex.org/I4210090411","https://openalex.org/I4210128969"]}],"countries":["GB"],"is_corresponding":true,"raw_author_name":"Borja Balle","raw_affiliation_strings":["DeepMind"],"affiliations":[{"raw_affiliation_string":"DeepMind","institution_ids":["https://openalex.org/I4210090411"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5037747591","display_name":"Giovanni Cherubin","orcid":"https://orcid.org/0000-0001-7943-540X"},"institutions":[{"id":"https://openalex.org/I4210164937","display_name":"Microsoft Research (United Kingdom)","ror":"https://ror.org/05k87vq12","country_code":"GB","type":"company","lineage":["https://openalex.org/I1290206253","https://openalex.org/I4210164937"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Giovanni Cherubin","raw_affiliation_strings":["Microsoft Research"],"affiliations":[{"raw_affiliation_string":"Microsoft Research","institution_ids":["https://openalex.org/I4210164937"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5020715720","display_name":"Jamie Hayes","orcid":null},"institutions":[{"id":"https://openalex.org/I4210090411","display_name":"DeepMind (United Kingdom)","ror":"https://ror.org/00971b260","country_code":"GB","type":"company","lineage":["https://openalex.org/I4210090411","https://openalex.org/I4210128969"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Jamie Hayes","raw_affiliation_strings":["DeepMind"],"affiliations":[{"raw_affiliation_string":"DeepMind","institution_ids":["https://openalex.org/I4210090411"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5085679401"],"corresponding_institution_ids":["https://openalex.org/I4210090411"],"apc_list":null,"apc_paid":null,"fwci":7.2642,"has_fulltext":false,"cited_by_count":75,"citation_normalized_percentile":{"value":0.97877613,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":89,"max":100},"biblio":{"volume":null,"issue":null,"first_page":"1138","last_page":"1156"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10764","display_name":"Privacy-Preserving Technologies in Data","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11612","display_name":"Stochastic Gradient Optimization Techniques","score":0.9789000153541565,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7846002578735352},{"id":"https://openalex.org/keywords/differential-privacy","display_name":"Differential privacy","score":0.6233914494514465},{"id":"https://openalex.org/keywords/fidelity","display_name":"Fidelity","score":0.5742993950843811},{"id":"https://openalex.org/keywords/adversary","display_name":"Adversary","score":0.5601367950439453},{"id":"https://openalex.org/keywords/artificial-neural-network","display_name":"Artificial neural network","score":0.5599521398544312},{"id":"https://openalex.org/keywords/machine-learning","display_name":"Machine learning","score":0.5140841603279114},{"id":"https://openalex.org/keywords/attack-model","display_name":"Attack model","score":0.5103587508201599},{"id":"https://openalex.org/keywords/mnist-database","display_name":"MNIST database","score":0.5085240602493286},{"id":"https://openalex.org/keywords/point","display_name":"Point (geometry)","score":0.4975269138813019},{"id":"https://openalex.org/keywords/discriminative-model","display_name":"Discriminative model","score":0.44110068678855896},{"id":"https://openalex.org/keywords/training","display_name":"Training (meteorology)","score":0.4386734068393707},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.43718045949935913},{"id":"https://openalex.org/keywords/data-modeling","display_name":"Data modeling","score":0.42579689621925354},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.3862718343734741},{"id":"https://openalex.org/keywords/data-mining","display_name":"Data mining","score":0.38110530376434326},{"id":"https://openalex.org/keywords/database","display_name":"Database","score":0.15893277525901794},{"id":"https://openalex.org/keywords/mathematics","display_name":"Mathematics","score":0.10608160495758057}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7846002578735352},{"id":"https://openalex.org/C23130292","wikidata":"https://www.wikidata.org/wiki/Q5275358","display_name":"Differential privacy","level":2,"score":0.6233914494514465},{"id":"https://openalex.org/C2776459999","wikidata":"https://www.wikidata.org/wiki/Q2119376","display_name":"Fidelity","level":2,"score":0.5742993950843811},{"id":"https://openalex.org/C41065033","wikidata":"https://www.wikidata.org/wiki/Q2825412","display_name":"Adversary","level":2,"score":0.5601367950439453},{"id":"https://openalex.org/C50644808","wikidata":"https://www.wikidata.org/wiki/Q192776","display_name":"Artificial neural network","level":2,"score":0.5599521398544312},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.5140841603279114},{"id":"https://openalex.org/C65856478","wikidata":"https://www.wikidata.org/wiki/Q3991682","display_name":"Attack model","level":2,"score":0.5103587508201599},{"id":"https://openalex.org/C190502265","wikidata":"https://www.wikidata.org/wiki/Q17069496","display_name":"MNIST database","level":3,"score":0.5085240602493286},{"id":"https://openalex.org/C28719098","wikidata":"https://www.wikidata.org/wiki/Q44946","display_name":"Point (geometry)","level":2,"score":0.4975269138813019},{"id":"https://openalex.org/C97931131","wikidata":"https://www.wikidata.org/wiki/Q5282087","display_name":"Discriminative model","level":2,"score":0.44110068678855896},{"id":"https://openalex.org/C2777211547","wikidata":"https://www.wikidata.org/wiki/Q17141490","display_name":"Training (meteorology)","level":2,"score":0.4386734068393707},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.43718045949935913},{"id":"https://openalex.org/C67186912","wikidata":"https://www.wikidata.org/wiki/Q367664","display_name":"Data modeling","level":2,"score":0.42579689621925354},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.3862718343734741},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.38110530376434326},{"id":"https://openalex.org/C77088390","wikidata":"https://www.wikidata.org/wiki/Q8513","display_name":"Database","level":1,"score":0.15893277525901794},{"id":"https://openalex.org/C33923547","wikidata":"https://www.wikidata.org/wiki/Q395","display_name":"Mathematics","level":0,"score":0.10608160495758057},{"id":"https://openalex.org/C121332964","wikidata":"https://www.wikidata.org/wiki/Q413","display_name":"Physics","level":0,"score":0.0},{"id":"https://openalex.org/C153294291","wikidata":"https://www.wikidata.org/wiki/Q25261","display_name":"Meteorology","level":1,"score":0.0},{"id":"https://openalex.org/C76155785","wikidata":"https://www.wikidata.org/wiki/Q418","display_name":"Telecommunications","level":1,"score":0.0},{"id":"https://openalex.org/C2524010","wikidata":"https://www.wikidata.org/wiki/Q8087","display_name":"Geometry","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/sp46214.2022.9833677","is_oa":false,"landing_page_url":"https://doi.org/10.1109/sp46214.2022.9833677","pdf_url":null,"source":{"id":"https://openalex.org/S4363606603","display_name":"2022 IEEE Symposium on Security and Privacy (SP)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"conference"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2022 IEEE Symposium on Security and Privacy (SP)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16","score":0.41999998688697815}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":87,"referenced_works":["https://openalex.org/W1497454515","https://openalex.org/W1557833142","https://openalex.org/W1873763122","https://openalex.org/W2010523825","https://openalex.org/W2025356718","https://openalex.org/W2033092546","https://openalex.org/W2045956890","https://openalex.org/W2051267297","https://openalex.org/W2074006684","https://openalex.org/W2079017812","https://openalex.org/W2088658556","https://openalex.org/W2097151854","https://openalex.org/W2097751911","https://openalex.org/W2110868467","https://openalex.org/W2112796928","https://openalex.org/W2120806354","https://openalex.org/W2120911939","https://openalex.org/W2151204934","https://openalex.org/W2473418344","https://openalex.org/W2520881573","https://openalex.org/W2535690855","https://openalex.org/W2593414223","https://openalex.org/W2621140322","https://openalex.org/W2777662428","https://openalex.org/W2785361959","https://openalex.org/W2795435272","https://openalex.org/W2897830718","https://openalex.org/W2902114605","https://openalex.org/W2930926105","https://openalex.org/W2946252494","https://openalex.org/W2946930197","https://openalex.org/W2962727778","https://openalex.org/W2962785568","https://openalex.org/W2963073614","https://openalex.org/W2963378725","https://openalex.org/W2963699739","https://openalex.org/W2964137095","https://openalex.org/W2964162474","https://openalex.org/W2970408908","https://openalex.org/W3000378852","https://openalex.org/W3027379683","https://openalex.org/W3035168593","https://openalex.org/W3035261884","https://openalex.org/W3035616549","https://openalex.org/W3048045781","https://openalex.org/W3048684575","https://openalex.org/W3103245149","https://openalex.org/W3113004165","https://openalex.org/W3137695714","https://openalex.org/W3154109599","https://openalex.org/W3162858683","https://openalex.org/W3173026327","https://openalex.org/W3190860428","https://openalex.org/W3200345107","https://openalex.org/W3211753216","https://openalex.org/W4205653883","https://openalex.org/W4245777296","https://openalex.org/W4287553002","https://openalex.org/W4287822453","https://openalex.org/W4288359855","https://openalex.org/W4288625073","https://openalex.org/W4294658142","https://openalex.org/W4318619660","https://openalex.org/W6633508582","https://openalex.org/W6639056083","https://openalex.org/W6639246211","https://openalex.org/W6670621165","https://openalex.org/W6674829165","https://openalex.org/W6697540095","https://openalex.org/W6713132643","https://openalex.org/W6728757088","https://openalex.org/W6747381837","https://openalex.org/W6747732332","https://openalex.org/W6756680320","https://openalex.org/W6760759230","https://openalex.org/W6763269054","https://openalex.org/W6763393573","https://openalex.org/W6763485134","https://openalex.org/W6764838729","https://openalex.org/W6771834506","https://openalex.org/W6775563089","https://openalex.org/W6779987556","https://openalex.org/W6781689620","https://openalex.org/W6787335730","https://openalex.org/W6795145069","https://openalex.org/W6797080668","https://openalex.org/W6801628692"],"related_works":["https://openalex.org/W2950475743","https://openalex.org/W4386603768","https://openalex.org/W2886711096","https://openalex.org/W4380078352","https://openalex.org/W3046591097","https://openalex.org/W2590796488","https://openalex.org/W4389249638","https://openalex.org/W2734358244","https://openalex.org/W4388700941","https://openalex.org/W4383747975"],"abstract_inverted_index":{"Given":[0],"access":[1,187],"to":[2,46,148,167,188,199,203],"a":[3,24,88,223],"machine":[4,132],"learning":[5,133],"model,":[6],"can":[7,68,165,217],"an":[8,82,158],"adversary":[9,27],"reconstruct":[10,47],"the":[11,21,31,48,95,98,106,112,197],"model\u2019s":[12],"training":[13,32,87,189,208],"data?":[14],"This":[15],"work":[16,156],"studies":[17],"this":[18,53],"question":[19],"from":[20],"lens":[22],"of":[23,97,114,130,144,170,207],"powerful":[25],"informed":[26,153],"who":[28],"knows":[29],"all":[30],"data":[33,50,108,209],"points":[34,172],"except":[35],"one.":[36],"By":[37],"instantiating":[38],"concrete":[39],"attacks,":[40],"we":[41,80,139],"show":[42],"it":[43,191,212],"is":[44,229],"feasible":[45],"remaining":[49],"point":[51],"in":[52,71,173,179,222],"stringent":[54],"threat":[55],"model.":[56],"For":[57,73],"convex":[58],"models":[59,76,185,195],"(e.g.":[60,77,182],"logistic":[61],"regression),":[62],"reconstruction":[63,136,150,160,206],"attacks":[64,151,221],"are":[65],"simple":[66],"and":[67,102,123,125,211],"be":[69],"derived":[70],"closed-form.":[72],"more":[74],"general":[75,174],"neural":[78],"networks),":[79],"propose":[81],"attack":[83,101,116,161],"strategy":[84],"based":[85],"on":[86,117,121],"reconstructor":[89],"network":[90],"that":[91,162,193,214],"receives":[92],"as":[93,104],"input":[94],"weights":[96],"model":[99,163],"under":[100],"produces":[103],"output":[105],"target":[107],"point.":[109],"We":[110],"demonstrate":[111],"effectiveness":[113],"our":[115],"image":[118],"classifiers":[119],"trained":[120],"MNIST":[122],"CIFAR-10,":[124],"systematically":[126],"investigate":[127,141],"which":[128],"factors":[129],"standard":[131,194],"pipelines":[134],"affect":[135],"success.":[137],"Finally,":[138],"theoretically":[140],"what":[142],"amount":[143],"differential":[145,215],"privacy":[146,216],"suffices":[147],"mitigate":[149,219],"by":[152],"adversaries.":[154],"Our":[155],"provides":[157],"effective":[159],"developers":[164],"use":[166],"assess":[168],"memorization":[169],"individual":[171],"settings":[175],"beyond":[176],"those":[177],"considered":[178],"previous":[180],"works":[181],"generative":[183],"language":[184],"or":[186],"gradients);":[190],"shows":[192],"have":[196],"capacity":[198],"store":[200],"enough":[201],"information":[202],"enable":[204],"high-fidelity":[205],"points;":[210],"demonstrates":[213],"successfully":[218],"such":[220],"parameter":[224],"regime":[225],"where":[226],"utility":[227],"degradation":[228],"minimal.":[230]},"counts_by_year":[{"year":2026,"cited_by_count":3},{"year":2025,"cited_by_count":19},{"year":2024,"cited_by_count":32},{"year":2023,"cited_by_count":17},{"year":2022,"cited_by_count":2},{"year":2021,"cited_by_count":1},{"year":2020,"cited_by_count":1}],"updated_date":"2026-02-27T16:54:17.756197","created_date":"2025-10-10T00:00:00"}