Skip to main content
Nubint
QUICK REVIEW

[论文解读] Private and interpretable clinical prediction with quantum-inspired tensor train models

José Ramón Pareja Monturiol, Juliette Sinnott|arXiv (Cornell University)|Feb 5, 2026
Adversarial Robustness in Machine Learning被引用 0
一句话总结

该论文提出张量- train (TT) 张量化以实现临床预测模型的私有化与可解释性,显示 TT 防御在保护隐私的同时保持准确性,相较于 DP,在 LR 和 NN 基线上具有优势。它还保持或提升可解释性,并扩展到张量化的神经网络。

ABSTRACT

Machine learning in clinical settings must balance predictive accuracy, interpretability, and privacy. Models such as logistic regression (LR) offer transparency, while neural networks (NNs) provide greater predictive power; yet both remain vulnerable to privacy attacks. We empirically assess these risks by designing attacks that identify which public datasets were used to train a model under varying levels of adversarial access, applying them to LORIS, a publicly available LR model for immunotherapy response prediction, as well as to additional shallow NN models trained for the same task. Our results show that both models leak significant training-set information, with LRs proving particularly vulnerable in white-box scenarios. Moreover, we observe that common practices such as cross-validation in LRs exacerbate these risks. To mitigate these vulnerabilities, we propose a quantum-inspired defense based on tensorizing discretized models into tensor trains (TTs), which fully obfuscates parameters while preserving accuracy, reducing white-box attacks to random guessing and degrading black-box attacks comparably to Differential Privacy. TT models retain LR interpretability and extend it through efficient computation of marginal and conditional distributions, while also enabling this higher level of interpretability for NNs. Our results demonstrate that tensorization is widely applicable and establishes a practical foundation for private, interpretable, and effective clinical prediction.

研究动机与目标

  • 评估在黑盒和白盒访问下,临床预测模型(LR 与 NN)的隐私风险。
  • 评估一种受量子启发的 TT 防御,以混淆模型参数同时保持预测准确性。
  • 比较 TT 基于隐私与同一任务上的差分隐私(DP)防御在 LR 和 NN 上的效果。
  • 演示 TT 模型的可解释性及其在张量化 NN 中的适用性。

提出的方法

  • 设计在白盒、强黑盒和两路黑盒访问下的影子模型成员资格推断攻击。
  • 通过 TT-RSS 将预训练的 LR 与 NN 模型张量化,得到 TT-LR 和 TT-NN 表示,参数被混淆。
  • 在黑盒访问下用 b 个箱对输出分数离散化以控制隐私,并与 DP 基线(LR-DP、NN-DP)进行比较。
  • 训练对抗性多标签分类器以检测用于训练的公开数据集(D1,...,DM)。
  • 在基于 LORIS 的免疫治疗预测和带 TT-RSS 的 NN 基线上评估攻击,包括 WB 防御的量规化。
  • 在攻击分数(汉明距离)、准确性和 AUC 方面,将 TT 防御与 DP 进行对比。
Figure 1: Feature sensitivity scores from LR and TT models (TT-LR and TT-NN, with $b=6$ ). LR scores are coefficients, while TT scores are obtained via marginalization. All values are normalized by the maximum absolute score.
Figure 1: Feature sensitivity scores from LR and TT models (TT-LR and TT-NN, with $b=6$ ). LR scores are coefficients, while TT scores are obtained via marginalization. All values are normalized by the maximum absolute score.

实验结果

研究问题

  • RQ1线性与神经模型在 WB 和 BB 访问下对成员资格推断的脆弱性有多大?
  • RQ2量子启发的 TT 张量化是否能够充分混淆模型参数以对抗此类攻击而不牺牲预测性能?
  • RQ3在同一任务上,TT 基于隐私与线性和神经模型的差分隐私相比如何?
  • RQ4TT 表示是否保留可解释性并实现类似 LR 系数的边际/条件分析?
  • RQ5张量化是否可用于张量化的 NN,以在临床预测中实现可解释性与隐私保护?

主要发现

ModelAccess typeAttack typeHamming score (mean ± std)
LR (vanilla)2-WBBLR coefficients recovered from TT (star)0.8178 ± 0.0035
LR (vanilla)SBBLR coefficients recovered from TT (star)0.9129 ± 0.0089
LR (vanilla)WBLR coefficients recovered from TT (star)0.9330 ± 0.0010
LR (averaged)2-WBBLR coefficients recovered from TT (star)0.9149 ± 0.0058
LR (averaged)SBBLR coefficients recovered from TT (star)0.9910 ± 0.0132
LR (averaged)WBLR coefficients recovered from TT (star)0.9999 ± 0.0000
LR-DP (ε=0.1)2-WBBattack0.5314 ± 0.0081
LR-DP (ε=0.1)SBBattack0.5352 ± 0.0064
LR-DP (ε=0.1)WBattack0.5088 ± 0.0059
LR-DP (ε=1)2-WBBattack0.5710 ± 0.0074
LR-DP (ε=1)SBBattack0.5808 ± 0.0059
LR-DP (ε=1)WBattack0.5178 ± 0.0107
LR-DP (ε=10)2-WBBattack0.7163 ± 0.0087
LR-DP (ε=10)SBBattack0.7840 ± 0.0140
LR-DP (ε=10)WBattack0.6403 ± 0.0149
LR-DP (ε=100)2-WBBattack0.7663 ± 0.0060
LR-DP (ε=100)SBBattack0.8610 ± 0.0260
LR-DP (ε=100)WBattack0.8672 ± 0.0076
TT-LR (b=2)2-WBBattack0.6666 ± 0.0025
TT-LR (b=2)SBBattack0.8231 ± 0.0065
TT-LR (b=2)WBattack0.7461 ± 0.0025
TT-LR (b=6)2-WBBattack0.7535 ± 0.0022
TT-LR (b=6)SBBattack0.8604 ± 0.0066
TT-LR (b=6)WBattack0.7979 ± 0.0027
TT-LR (b=10)2-WBBattack0.7687 ± 0.0020
TT-LR (b=10)SBBattack0.8710 ± 0.0053
TT-LR (b=10)WBattack0.8129 ± 0.0021
NN (BB)2-WBBattack0.7375 ± 0.0056
NN (BB)SBBattack0.8608 ± 0.0240
NN (BB)WBattack0.6336 ± 0.0064
TT-NN (b=2)2-WBBattack0.5759 ± 0.0055
TT-NN (b=2)SBBattack0.6184 ± 0.0209
TT-NN (b=2)WBattack0.5061 ± 0.0053
  • 原始的 LR 和 NN 模型显示高攻击分数,表明存在隐私泄露的脆弱性。
  • 更大的隐私预算(更高的 b,更高的 ε)会在 TT 和 DP 防御中增加数据泄露。
  • 平均化的 LR 模型比未改变的模型更易受攻击,且对 WB 攻击的平均化模型接近完美分类。
  • TT 模型在各访问等级下降低攻击性能,WB 攻击降至随机猜测,BB 防护与 DP 相当,同时保持接近未保护模型的准确性。
  • TT 输出在 b=2 时提供强隐私保护,并在小 ε 的 DP 下具备可比的效用,同时 TT-LR 通过边际和条件性保持可解释性。
  • TT 表示保持了类似 LR 的单调性,并使癌症类型特异的子组分析成为可能,将可解释性拓展到张量化的 NN。
Figure 2: Feature sensitivities from conditioned TT-LR models ( $b=6$ ). The legend indicates cancer type and balanced accuracy of each conditioned TT on the corresponding data.
Figure 2: Feature sensitivities from conditioned TT-LR models ( $b=6$ ). The legend indicates cancer type and balanced accuracy of each conditioned TT on the corresponding data.

更好的研究,从现在开始

从论文设计到论文写作,大幅缩短您的研究时间。

无需绑定信用卡

本解读由 AI 生成,并经人工编辑审核。