Existing evaluations of attribute inference attacks (AIAs) against anonymized data rely solely on precision, neglecting recall—leading to underestimation of privacy risks, particularly for outlier individuals. Method: We propose the first composite evaluation framework that jointly models attack effectiveness and baseline bias by reconstructing the baseline inference model and introducing an optimal-row-matching attack mechanism. Contribution/Results: This framework is the first to systematically integrate both precision and recall into AIA risk quantification, significantly enhancing identification of high-risk scenarios. Experiments on moderately anonymized microdata demonstrate that our method corrects the “false-safe” misjudgments of prior approaches in over 25% of cases, substantially improving assessment accuracy and revealing previously overlooked vulnerabilities.

The purpose of anonymizing structured data is to protect the privacy of individuals in the data while retaining the statistical properties of the data. An important class of attack on anonymized data is attribute inference, where an attacker infers the value of an unknown attribute of a target individual given knowledge of one or more known attributes. A major limitation of recent attribute inference measures is that they do not take recall into account, only precision. It is often the case that attacks target only a fraction of individuals, for instance data outliers. Incorporating recall, however, substantially complicates the measure, because one must determine how to combine recall and precision in a composite measure for both the attack and baseline. This paper presents the design and implementation of an attribute inference measure that incorporates both precision and recall. Our design also improves on how the baseline attribute inference is computed. In experiments using a generic best row match attack on moderately-anonymized microdata, we show that in over 25% of the attacks, our approach correctly labeled the attack to be at risk while the prior approach incorrectly labeled the attack to be safe.