Julien Ferry, Ricardo Fukasawa, Timothée Pascal, Thibaut Vidal
This paper presents a framework for reconstructing tabular training data from a trained random forest model. The approach is based on solving an optimisation problem where the constraints are derived from the random forest’s structure (such as the number of trees and their depth) and the dataset’s characteristics (such as the number of examples and features).
The success of the reconstruction varies depending on the level of bagging randomisation and the nature of the data. For simpler cases, such as when there is little randomisation and there are only binary features, the method can nearly perfectly reconstruct the training data.
However, in more practical scenarios—such as those involving more extensive randomisation, larger datasets or real-valued features—the reconstruction error increases significantly. Further, API-only attacks, where the attacker has limited visibility into the model, are not feasible under this framework.
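The constraint view described above can be seen on a toy case. The following is an added example, not code from the paper or its authors: it assumes a white-box forest without bagging whose leaves expose their training-sample counts, and it uses brute-force enumeration in place of an optimisation solver to count how many binary datasets remain consistent with the model as trees are added. The dataset, the tree encoding and all function names are constructed for illustration.

```python
from collections import Counter
from itertools import combinations_with_replacement, product

# Constructed toy training set: 4 rows, 3 binary features (not from the paper).
TRAIN = [(0, 0, 1), (0, 1, 0), (1, 1, 0), (1, 1, 1)]

# Hypothetical forest without bagging: each tree is the ordered tuple of features
# it splits on (one feature per level), so a leaf is a value pattern on them.
FOREST = [(0, 1), (1, 2), (0, 2)]


def leaf_counts(dataset, tree):
    """Number of rows that reach each leaf of one tree."""
    return Counter(tuple(row[f] for f in tree) for row in dataset)


def consistent_datasets(published, n_rows, n_features):
    """Enumerate every multiset of rows matching all published leaf counts.

    `published` is a list of (tree, leaf_counts) pairs, i.e. what a white-box
    model file is assumed to reveal. Brute force stands in for a real solver.
    """
    rows = list(product((0, 1), repeat=n_features))
    return [
        cand
        for cand in combinations_with_replacement(rows, n_rows)
        if all(leaf_counts(cand, tree) == counts for tree, counts in published)
    ]


def ambiguity_by_forest_size(train, forest):
    """How many datasets stay consistent as trees are added one at a time."""
    published = [(tree, leaf_counts(train, tree)) for tree in forest]
    return [
        len(consistent_datasets(published[:k], len(train), len(train[0])))
        for k in range(1, len(forest) + 1)
    ]


if __name__ == "__main__":
    # Candidate datasets left after 1, 2 and 3 trees.
    print(ambiguity_by_forest_size(TRAIN, FOREST))
```

A count of 1 means the released structure and leaf counts identify the training set exactly, which makes the number of consistent datasets a simple privacy metric to check before sharing a model file.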
Much of the existing literature on data privacy and reconstruction attacks focuses on neural networks, especially in domains like images and text. This paper highlights that training data reconstruction is a more general property of machine learning models. This observation puts the data privacy conversation in a better context, shifting the focus to the properties of the data and the learning algorithm that determine reconstruction success, rather than just the model architecture.
Trained Random Forests Completely Reveal your Dataset