This paper demonstrates that dataset distillation, despite its potential for privacy preservation, leaks sensitive information from the original training data. The authors show that synthetic datasets generated by distillation methods implicitly encode model weight trajectories, making them vulnerable to privacy attacks. They introduce the Information Revelation Attack (IRA), which successfully infers membership, recovers sensitive samples, and identifies the distillation algorithm and model architecture used.
Dataset distillation, intended to compress data while preserving model performance, actually leaks sensitive information about the original training data and model architecture.
Dataset distillation compresses a large real dataset into a small synthetic one, enabling models trained on the synthetic data to achieve performance comparable to those trained on the real data. Although synthetic datasets are assumed to be privacy-preserving, we show that existing distillation methods can cause severe privacy leakage: because synthetic datasets implicitly encode the weight trajectories of the distilled model, they become over-informative and exploitable by adversaries. To expose this risk, we introduce the Information Revelation Attack (IRA) against state-of-the-art distillation techniques. Experiments show that IRA accurately predicts both the distillation algorithm and model architecture, and can successfully infer membership and recover sensitive samples from the real dataset.