Secure Confidential Business Information When Sharing Machine Learning Models

📅 2025-09-19
📈 Citations: 0
Influential: 0
🤖 AI Summary
Confidential property inference (CPI) attacks pose a critical threat in machine learning model sharing, particularly when adversaries are adaptive, i.e. able to adjust their attack strategies in response to the defense mechanisms they encounter. Method: the paper proposes the first adversarial defense framework that explicitly models attacker response behavior. It introduces a responsive CPI attack model and integrates iterative adversarial training with approximate policy optimization to enhance security while preserving model utility. Contribution/Results: the key innovation lies in formally incorporating the attacker's strategic adaptability into the defense design. Extensive empirical evaluation across multiple scenarios indicates that, compared to state-of-the-art defenses, the approach reduces CPI attack accuracy by 32%–57%, decreases computational overhead by over 40%, and incurs less than 1.2% degradation in model prediction performance.

📝 Abstract
Model-sharing offers significant business value by enabling firms with well-established Machine Learning (ML) models to monetize and share their models with others who lack the resources to develop ML models from scratch. However, concerns over data confidentiality remain a significant barrier to model-sharing adoption, as Confidential Property Inference (CPI) attacks can exploit shared ML models to uncover confidential properties of the model provider's private model training data. Existing defenses often assume that CPI attacks are non-adaptive to the specific ML model they are targeting. This assumption overlooks a key characteristic of real-world adversaries: their responsiveness, i.e., adversaries' ability to dynamically adjust their attack models based on the information of the target and its defenses. To overcome this limitation, we propose a novel defense method that explicitly accounts for the responsive nature of real-world adversaries via two methodological innovations: a novel Responsive CPI attack and an attack-defense arms race framework. The former emulates the responsive behaviors of adversaries in the real world, and the latter iteratively enhances both the target and attack models, ultimately producing a secure ML model that is robust against responsive CPI attacks. Furthermore, we propose and integrate a novel approximate strategy into our defense, which addresses a critical computational bottleneck of defense methods and improves defense efficiency. Through extensive empirical evaluations across various realistic model-sharing scenarios, we demonstrate that our method outperforms existing defenses by more effectively defending against CPI attacks, preserving ML model utility, and reducing computational overhead.
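The abstract's central point is that a defense tuned against one fixed CPI attack model can be undone by an attacker who retrains on defended models. The toy simulation below is an added illustration of that failure mode, written for this page; it is not the paper's method or code, and the page gives no algorithm details beyond the abstract. Assumptions (all constructed): the shared models are 2-feature logistic regressions; the confidential property is the class prior of the provider's training data (0.2 vs 0.8); the attacker is a meta-classifier over the shared parameter vector trained on shadow models; the non-adaptive defense projects the target's parameters across the current meta-classifier's decision boundary. A responsive attacker simply applies the same defense to its own shadow models and retrains, recovering its accuracy.

```python
"""Toy CPI attack on shared logistic-regression models (constructed illustration).

Not the paper's method. Shows: (1) a meta-classifier over model parameters infers
the training-set class prior; (2) a defense tuned to that fixed meta-classifier
fools it completely; (3) a responsive attacker that retrains on defended shadow
models recovers. Requires numpy.
"""
import numpy as np

MU = np.array([1.5, -1.0])      # class-conditional mean offset (constructed)
LOW_P, HIGH_P = 0.2, 0.8         # the two confidential property values


def sample(rng, p, n):
    """Draw n points: label ~ Bernoulli(p), x ~ N(+MU, I) or N(-MU, I)."""
    y = (rng.random(n) < p).astype(float)
    x = rng.normal(size=(n, 2)) + np.where(y[:, None] == 1, MU, -MU)
    return x, y


def train_logreg(x, y, steps=500, lr=0.1):
    """Gradient-descent logistic regression; returns [weights..., bias]."""
    xb = np.hstack([x, np.ones((len(x), 1))])
    theta = np.zeros(xb.shape[1])
    for _ in range(steps):
        pred = 1.0 / (1.0 + np.exp(-xb @ theta))
        theta -= lr * xb.T @ (pred - y) / len(y)
    return theta


def accuracy(theta, x, y):
    xb = np.hstack([x, np.ones((len(x), 1))])
    return float(np.mean((xb @ theta > 0) == (y == 1)))


def shadow_models(rng, per_property, n_samples=200):
    """Attacker-side shadow models: parameter vectors labelled by property."""
    thetas, labels = [], []
    for label, p in ((0.0, LOW_P), (1.0, HIGH_P)):
        for _ in range(per_property):
            x, y = sample(rng, p, n_samples)
            thetas.append(train_logreg(x, y))
            labels.append(label)
    return np.array(thetas), np.array(labels)


def defend(theta, true_label, meta, margin=2.0):
    """Non-adaptive defense (assumption): project theta so the *given* meta-
    classifier outputs the wrong property with logit magnitude `margin`.
    The defender knows its own true property, so it knows which way to push."""
    a, d = meta[:-1], meta[-1]
    target = -margin if true_label == 1 else margin
    return theta + (target - (a @ theta + d)) / (a @ a) * a


def run_experiment(seed=0):
    rng = np.random.default_rng(seed)
    th_train, lab_train = shadow_models(rng, 40)   # attacker's training shadows
    th_test, lab_test = shadow_models(rng, 20)     # held-out "victim" models

    # Round 0: static attacker, no defense.
    meta_static = train_logreg(th_train, lab_train)
    baseline = accuracy(meta_static, th_test, lab_test)

    # Defense tuned against meta_static, applied to every victim model.
    defended_test = np.array([defend(t, l, meta_static)
                              for t, l in zip(th_test, lab_test)])
    static_acc = accuracy(meta_static, defended_test, lab_test)

    # Responsive attacker: emulate the defense on its own shadows and retrain.
    defended_train = np.array([defend(t, l, meta_static)
                               for t, l in zip(th_train, lab_train)])
    meta_resp = train_logreg(defended_train, lab_train)
    responsive_acc = accuracy(meta_resp, defended_test, lab_test)

    # Utility cost of the defense on one provider model (property = HIGH_P).
    x, y = sample(rng, HIGH_P, 200)
    target = train_logreg(x, y)
    x_te, y_te = sample(rng, HIGH_P, 1000)
    util_before = accuracy(target, x_te, y_te)
    util_after = accuracy(defend(target, 1, meta_static), x_te, y_te)

    return {
        "baseline_attack_acc": baseline,
        "static_attack_acc": static_acc,
        "responsive_attack_acc": responsive_acc,
        "utility_before_defense": util_before,
        "utility_after_defense": util_after,
    }


if __name__ == "__main__":
    for k, v in run_experiment().items():
        print(f"{k:>24}: {v:.3f}")
```

Against the fixed meta-classifier the projection drives attack accuracy to zero, but because it is a deterministic function of the parameters, the defended models of the two property classes land on two distinct parallel hyperplanes and remain linearly separable; the retrained attacker sees them as clearly as before. That is the situation the abstract's arms-race framework is designed to avoid by training the target against an attacker that keeps retraining.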
Problem

Research questions and friction points this paper is trying to address.

Securing confidential business data when sharing ML models
Protecting against adaptive property inference attacks on models
Developing efficient defenses against responsive adversarial attacks
Innovation

Methods, ideas, or system contributions that make the work stand out.

Proposes responsive CPI attack emulating real-world adversary behaviors
Develops iterative attack-defense arms race framework for robustness
Integrates approximate strategy to overcome computational bottlenecks