Recent research has shown that structured machine learning models such as tree ensembles are vulnerable to privacy attacks targeting their training data. To mitigate these risks, differential privacy (DP) has become a widely adopted countermeasure, as it offers rigorous privacy protection. In this paper, we introduce a reconstruction attack targeting state-of-the-art $ε$-DP random forests. By leveraging a constraint programming model that incorporates knowledge of the forest's structure and DP mechanism characteristics, our approach formally reconstructs the most likely dataset that could have produced a given forest. Through extensive computational experiments, we examine the interplay between model utility, privacy guarantees and reconstruction accuracy across various configurations. Our results reveal that random forests trained with meaningful DP guarantees can still leak portions of their training data. Specifically, while DP reduces the success of reconstruction attacks, the only forests fully robust to our attack exhibit predictive performance no better than a constant classifier. Building on these insights, we also provide practical recommendations for the construction of DP random forests that are more resilient to reconstruction attacks while maintaining a non-trivial predictive performance.

翻译：近期研究表明，树集成等结构化机器学习模型容易遭受针对其训练数据的隐私攻击。为缓解此类风险，差分隐私已成为广泛采用的防护措施，因其能提供严格的隐私保护。本文针对最先进的$ε$-差分隐私随机森林提出一种重构攻击方法。通过构建融合森林结构知识与差分隐私机制特性的约束规划模型，我们的方法能够形式化地重构出最可能生成给定森林的数据集。通过大量计算实验，我们系统考察了不同配置下模型效用、隐私保证与重构精度之间的相互作用。研究结果表明，即使具有实际意义的差分隐私保证，随机森林仍可能泄露部分训练数据。具体而言，虽然差分隐私能降低重构攻击的成功率，但完全抵抗我们攻击的森林其预测性能仅与常数分类器相当。基于这些发现，我们进一步提出构建差分隐私随机森林的实用建议，使其在保持非平凡预测性能的同时，对重构攻击具有更强的鲁棒性。