🤖 AI Summary
This work addresses the privacy risks posed by explanation interfaces, which can leak membership information and are inadequately mitigated by existing defenses against membership inference attacks based on confidence descent trajectories. To counter such explanation-driven attacks, the authors propose a trajectory-invariance regularization mechanism that, during training, leverages model gradients to generate perturbations mimicking confidence descent trajectories. The method enforces explanation consistency via KL divergence constraints and aligns the explanatory behaviors of members and non-members through a variance penalty. This approach significantly enhances robustness against trajectory-based membership inference attacks while preserving both model utility and explanation fidelity, thereby strengthening privacy guarantees.
📝 Abstract
Explainability is central to building trustworthy AI, yet explanation interfaces can inadvertently provide adversaries with an expanded privacy-related attack surfaces. Recent studies show that advanced membership-inference attacks succeed by exploiting confidence-drop trajectories, induced through attribution-guided perturbations, as discriminative features, rather than directly using confidence scores or explanation vectors. Existing defenses against membership inference fail to directly mitigate such explanation-driven attacks. In this work, we investigate whether, during training, a model's own gradients can be leveraged as defense signals against such attacks, thereby aligning explanation profiles between members and non-members. To this end, we propose a Trajectory-Invariant Explanation Regularization (TIER) defense that penalizes erratic fluctuations in confidence drops simulated through gradient-guided perturbations and simultaneously minimizes the distributional shifts via KL-divergence. Unlike conventional adversarial training, which emphasizes label robustness, our approach targets explanation robustness by enforcing self-consistency through KL-divergence and reducing the variance of confidence drops between members and non-members. Extensive experiments confirm that our method effectively mitigates these attacks, delivering privacy protection while maintaining model utility and explanation fidelity.