DeepLeak：针对成员信息泄露的模型解释隐私增强强化方法 (DeepLeak: Privacy Enhancing Hardening of Model Explanations Against Membership Leakage)

from arxiv, 17 pages, 6 figures, 8 tables. This work has been accepted for publication at the IEEE Conference on Secure and Trustworthy Machine Learning (IEEE SaTML 2026)

Machine learning (ML) explainability is central to algorithmic transparency in high-stakes settings such as predictive diagnostics and loan approval. However, these same domains require rigorous privacy guaranties, creating tension between interpretability and privacy. Although prior work has shown that explanation methods can leak membership information, practitioners still lack systematic guidance on selecting or deploying explanation techniques that balance transparency with privacy. We present DeepLeak, a system to audit and mitigate privacy risks in post-hoc explanation methods. DeepLeak advances the state-of-the-art in three ways: (1) comprehensive leakage profiling: we develop a stronger explanation-aware membership inference attack (MIA) to quantify how much representative explanation methods leak membership information under default configurations; (2) lightweight hardening strategies: we introduce practical, model-agnostic mitigations, including sensitivity-calibrated noise, attribution clipping, and masking, that substantially reduce membership leakage while preserving explanation utility; and (3) root-cause analysis: through controlled experiments, we pinpoint algorithmic properties (e.g., attribution sparsity and sensitivity) that drive leakage. Evaluating 15 explanation techniques across four families on image benchmarks, DeepLeak shows that default settings can leak up to 74.9% more membership information than previously reported. Our mitigations cut leakage by up to 95% (minimum 46.5%) with only <=3.3% utility loss on average. DeepLeak offers a systematic, reproducible path to safer explainability in privacy-sensitive ML.

翻译：机器学习（ML）可解释性对于预测性诊断和贷款审批等高风险场景中的算法透明度至关重要。然而，这些领域同样需要严格的隐私保障，从而在可解释性与隐私之间形成张力。尽管先前研究已表明解释方法可能泄露成员信息，但从业者仍缺乏系统性的指导来选择和部署能够平衡透明度与隐私的解释技术。我们提出了DeepLeak系统，用于审计和缓解事后解释方法中的隐私风险。DeepLeak在以下三个方面推动了前沿进展：（1）全面的泄露分析：我们开发了一种更强的解释感知成员推理攻击（MIA），以量化代表性解释方法在默认配置下泄露成员信息的程度；（2）轻量级强化策略：我们引入了实用的、与模型无关的缓解措施，包括灵敏度校准噪声、归因裁剪和掩码技术，这些措施在保持解释效用的同时显著减少了成员信息泄露；（3）根源分析：通过受控实验，我们确定了导致泄露的关键算法特性（例如归因稀疏性和灵敏度）。通过在图像基准数据集上评估来自四个类别的15种解释技术，DeepLeak表明默认配置可能泄露的成员信息比先前报道的最高多出74.9%。我们的缓解措施将泄露降低了最高95%（最低46.5%），同时平均仅带来≤3.3%的效用损失。DeepLeak为隐私敏感的机器学习领域提供了一条系统性、可复现的安全可解释性实现路径。