3

We propose a general definition for property inference attacks that supports arbitrary properties, along with a notion of effective dataset size to quantify property inference leakage. Experiments reveal how similar distributions can have starkly different attack success rates, and simple attacks can yield non-trivial accuracy.

We propose a notion of neuron sensitivity in terms of adversarial robustness, along with an attack that works as well as PGD. The notion can be extended as a regularization term, providing adversarial robustness without adversarial training.