CompLeak: Privacy Risks in Compression
- CompLeak is a framework that assesses if deep learning model compression increases privacy leakage by comparing membership signals across original and compressed models.
- It evaluates three methods—pruning, quantization, and weight clustering—showing that differences in posterior shifts can boost attack success rates dramatically (e.g., TPR improvements from 1.3% to up to 95.7%).
- The research highlights that while single compressed models can seem secure, aggregating outputs from multiple variants exposes latent vulnerabilities in both image and text deep learning models.
CompLeak is a privacy risk evaluation framework for deep learning model compression that studies whether compression exacerbates membership inference attacks (MIAs). It examines three widely used compression configurations—pruning, quantization, and weight clustering—under deployment settings in which an attacker may access a single compressed model, an original model together with one compressed model, or multiple compressed variants. Its central finding is that compression is not privacy-neutral: even when a single compressed model appears no more vulnerable than the original, the comparative behavior of members and non-members across compressed versions yields additional membership signals that can be exploited (Li et al., 22 Jul 2025).
1. Problem formulation and attacker model
CompLeak addresses the question: does model compression exacerbate privacy leakage, especially when multiple compressed models are available. The framework adopts membership inference as its leakage lens. In this setting, the attacker seeks to determine whether a target sample was part of the victim model’s training set.
The threat model is black-box. The attacker can query models and observe posterior probability outputs, knows the architecture, knows the compression configuration, and has a shadow dataset from the same distribution as the victim’s training data. For the multi-reference setting, the paper distinguishes two attacker capabilities: Adversary 1, who has access to the original model and multiple compressed versions, and Adversary 2, who has access only to multiple compressed versions and not the original model (Li et al., 22 Jul 2025).
The paper’s key observation is that members and non-members shift differently under compression. A compressed model may remain close to the original in overall accuracy, while posterior distributions, losses, and the change in these quantities across compression levels differ markedly between training-set members and non-members. High compression often reduces capacity and suppresses memorization, so a single compressed model can appear less vulnerable than the original under a standard MIA. CompLeak argues that this apparent reduction can be misleading, because relative differences between the original and compressed models, or across several compressed models, reveal additional privacy leakage.
2. Compression regimes and empirical scope
CompLeak studies three compression operations supported by commercial mobile and deployment toolchains. For pruning, the main method is L1 unstructured pruning using Microsoft NNI, with the standard train-prune-finetune workflow. The reported pruning ratios are 60%, 70%, 80%, and 90% for CIFAR-10, CIFAR-100, and Mini-ImageNet, and 40%, 50%, 60%, and 70% for Tiny-ImageNet because higher ratios hurt usability. For quantization, the main setting is 8-bit quantization, using QAT for many image models and dynamic quantization for foundation models. The toolkits include PyTorch Mobile, TF-Lite, and TensorTensorFlow 2.7.0 for some clustering experiments. For weight clustering, the main settings are cluster counts on several image models, with additional cluster counts such as 14 and 8 on CIFAR-10 / ResNet18 in the appendix (Li et al., 22 Jul 2025).
The evaluation spans seven diverse model architectures, from ResNet18, ResNet50, VGG16, MobileNetV2, and FCN to foundation models BERT-base and GPT-2. The datasets include CIFAR-10, CIFAR-100, Mini-ImageNet, Tiny-ImageNet, Location, and textual experiments fine-tuned on SST-5. The paper also reports appendix results on Texas. This experimental design is intended to test whether compression-induced leakage patterns persist across both image and textual workloads.
3. Variant family
CompLeak is organized into three attack variants, each corresponding to a different access assumption and a different way of extracting leakage signals.
| Variant | Available models | Core signal |
|---|---|---|
| CompLeak | One model | Existing MIAs on a single original or compressed model |
| CompLeak | Original + one compressed model | Combined meta information from both models |
| CompLeak | Multiple compressed models, with or without original model | Aggregated posterior and loss signals across models |
The underlying membership inference map is defined as
where is the target sample, is the victim model, denotes “member,” and denotes “non-member” (Li et al., 22 Jul 2025).
This organization is important because the paper does not treat compression as a single-model perturbation problem. Instead, it treats compression as a source of comparative leakage: privacy signals may emerge not from one model in isolation, but from differences among model variants released for different resource budgets.
4. Single-model and single-reference attacks
CompLeak is the no-reference baseline. It assumes access to only one model—either the original model or a single compressed model—and adopts existing MIAs. The paper includes training-based attacks derived from Shokri et al., Nasr et al., and Yuan et al. for pruned networks, and metric-based attacks derived from Yeom et al. and Song and Mittal. Under this baseline, low or moderate compression often yields privacy leakage similar to the original model, while high compression often reduces MIA success because the model has less capacity to memorize. On VGG16 with Mini-ImageNet, 90% pruning reduced the best attack accuracy compared to the original, whereas 8-bit quantization and mild pruning often looked similar to the original (Li et al., 22 Jul 2025).
CompLeak0 is the first new attack introduced by the paper. It assumes access to the original model and one compressed version. Its core intuition is that compression changes the same sample differently in the original and compressed models, and that members often show a larger posterior shift than non-members. The paper studies this through KL divergence between the two posterior distributions.
For shadow models, let 1 be the posterior from the shadow original model and 2 the posterior from the shadow compressed model. After sorting posterior vectors in descending order by the original model output, the paper constructs 3 and 4, then uses either
5
or
6
where 7 is the one-hot ground-truth label. The attack meta-classifier 8 is trained with binary cross-entropy:
9
This design captures both the usual per-model overfitting signal and the difference induced by compression itself. The reported gains are substantial. On 90%-pruned VGG16 with Mini-ImageNet, the best TPR @ 0.1% FPR improved from 1.3% to 25.5%, the best AUC improved from 61.9% to 88.6%, and the best balanced accuracy improved from 59.3% to 79.9% (Li et al., 22 Jul 2025).
5. Multi-reference aggregation
CompLeak0 is the strongest variant. It assumes access to multiple compressed models, with or without the original model. The attack aggregates leakage information across compressed versions because different pruning, quantization, and clustering settings affect the same sample in slightly different ways.
For Adversary 1, who has the original model and multiple compressed models, CompLeak1 queries each CompLeak2 attack model, collects its meta-posterior, and concatenates the results:
3
For Adversary 2, who has only compressed models, it directly concatenates the posteriors from those compressed victim models:
4
The paper also constructs a loss trajectory across compressed models. For each compressed model 5, it computes cross-entropy loss
6
then concatenates
7
The final meta-data stack combines concatenated posteriors and concatenated losses, and an MLP-based meta-classifier 8 is trained on this representation (Li et al., 22 Jul 2025).
The empirical results are the strongest in the paper. For Mini-ImageNet under Adversary 1, the reported results are: pruning with TPR @ 0.1% FPR 61.3% and AUC 98.9%; clustering with TPR @ 0.1% FPR 72.7% and AUC 99.0%; and all three operations together with TPR @ 0.1% FPR 95.7% and AUC 99.9%. For Adversary 2, performance drops without the original model, but still exceeds the best single-compressed-model attack.
6. Empirical interpretation, deployment significance, and limitations
The paper reports several recurring patterns. Under CompLeak9, low or moderate compression often keeps privacy leakage similar to the original; high pruning or strong clustering usually reduces leakage; and quantization often leaves leakage nearly unchanged. Under CompLeak0 and CompLeak1, however, compression reveals additional membership signals not visible in single-model evaluation. Members often suffer more from compression-induced posterior and loss shifts; member loss tends to increase with stronger pruning; non-member loss may fluctuate rather than move monotonically; and many samples that become newly vulnerable after compression are members. The paper further reports that these vulnerable members tend to be high-value or high-importance points by KNN-Shapley analysis (Li et al., 22 Jul 2025).
A notable control experiment compares compression with duplication. Multiple similar models produced by different training hyperparameters are much less effective than compression-based multi-model leakage, which the paper uses to argue that the observed effect is not merely a consequence of having more models available. This suggests that compression-specific differences, rather than generic model multiplicity, drive the additional leakage.
The deployment significance is direct. CompLeak is framed around model releases through TF-Lite, PyTorch Mobile, NNI, and TensorRT, where providers may expose multiple efficiency and accuracy tiers. A plausible implication is that offering several compressed versions of the same model, or releasing both original and compressed versions, creates a stronger attack surface for membership inference than evaluating any one released model in isolation would indicate.
The paper does not propose a dedicated defense, but it discusses differential privacy, synthetic data, and reducing overfitting before releasing models through query APIs. It also evaluates DP-SGD and finds that it reduces all attacks, while CompLeak2 still often outperforms single-model attacks. The framework itself is therefore an auditing method rather than a mitigation.
Within the broader study of leakage, CompLeak differs from source-to-sink privacy leak detectors for Android, timing-leak fuzzers, cache side-channel characterizers, and speculative-leak repair systems: those works focus on program traces, microarchitectural observations, or control/data-flow paths, whereas CompLeak focuses on training-set membership leakage induced by model release and compression choices (Li et al., 2014, He et al., 2019, Chen et al., 2023, Vassena et al., 2020, Bard et al., 2023). This suggests that model-compression privacy should be treated as a distinct leakage domain, with comparative access to model variants as a first-class part of the attacker model.