DP-Sniper: Black-Box Discovery of Differential Privacy Violations using Classifiers


We present DP-Sniper, a practical black-box method that automatically finds violations of differential privacy. DP-Sniper is based on two key ideas: (i) training a classifier to predict if an observed output was likely generated from one of two possible inputs, and (ii) transforming this classifier into an approximately optimal attack on differential privacy. Our experimental evaluation demonstrates that DP-Sniper obtains up to 12.4 times stronger guarantees than state-of-the-art, while being 15.5 times faster. Further, we show that DP-Sniper is effective in exploiting floating-point vulnerabilities of naively implemented algorithms: it detects that a supposedly 0.1- differentially private implementation of the Laplace mechanism actually does not satisfy even 0.25-differential privacy.

IEEE Symposium on Security and Privacy, 2021