Extended Counterfactual Adversarial Examples for Mitigating Privacy Risk in Adversarially Robust Models

preprint OA: closed
Research Article
Extended Counterfactual Adversarial Examples for Mitigating Privacy Risk in Adversarially Robust Models
Aohan Sun (Civil Aviation University of China), Yanrong Lu (Civil Aviation University of China, corresponding author), Wencheng Yang (University of Southern Queensland), Ji Zhang (University of Southern Queensland)
This is a preprint; it has not been peer reviewed by a journal.
DOI: https://doi.org/10.21203/rs.3.rs-8923995/v1
License: This work is licensed under a CC BY 4.0 License
Status: Under Review (submitted to the journal World Wide Web). Version 1 posted March 19th, 2026. You are reading this latest preprint version.

Abstract
In this paper, we propose extended Counterfactual Adversarial Example Generation (e-CAEG), which is an advanced version of our published conference paper in APWeb-WAIM 2025. Based on the conference paper, we summarize the contributions of this paper as follows. Firstly, e-CAEG leverages latent space representations to generate in-distribution adversarial examples for both targeted and untargeted scenarios. Secondly, e-CAEG acts as a regularizer that bridges the generalization gap by forcing the model to rely on robust semantic features. Finally, experiments on MNIST and Fashion-MNIST, supported by t-SNE distributional visualizations, demonstrate that our approach effectively lowers membership inference accuracy to near-random levels while preserving model utility. Furthermore, we analyze the trade-offs between accuracy, robustness, and privacy, identifying an optimal balance achieved when approximately 95% of the training data consists of e-CAEG-generated examples.

Additional Declarations
No competing interests reported.

Editorial timeline
Editorial decision: Revision requested, 01 Mar, 2026
Editor assigned by journal: 28 Feb, 2026
Submission checks completed at journal: 27 Feb, 2026
First submitted to journal: 20 Feb, 2026
