DAAP: Privacy-Preserving Model Accuracy Estimation on Unlabeled Datasets Through Distribution-Aware Adversarial Perturbation

Authors: 

Guodong Cao, Wuhan University; Zhibo Wang, Zhejiang University; Yunhe Feng, University of North Texas; Xiaowei Dong, Wuhan University

Abstract: 

In the dynamic field of deep learning, accurately estimating model performance while ensuring data privacy against diverse and unlabeled test datasets presents a critical challenge. This is primarily due to the significant distributional shifts between training and test datasets, which complicate model evaluation. Traditional methods for assessing model accuracy often require direct access to the entire test dataset, posing significant risks of data leakage and model theft. To address these issues, we propose a novel approach: Distribution-Aware Adversarial Perturbation (DAAP). This method is designed to estimate the accuracy of deep learning models on unlabeled test datasets without compromising privacy. Specifically, DAAP leverages a publicly available dataset as an intermediary to bridge the gap between the model and the test data, effectively circumventing direct interaction and mitigating privacy concerns. By strategically applying adversarial perturbations, DAAP minimizes the distributional discrepancies between datasets, enabling precise estimation of model performance on unseen test data. We present two specialized strategies for white-box and black-box model contexts: the former focuses on reducing output entropy disparities, while the latter manipulates distribution discriminators. Overall, DAAP introduces a novel framework for privacy-preserving accuracy estimation in model evaluation. This approach not only addresses critical challenges related to data privacy and distributional shifts but also enhances the reliability and integrity of model performance assessments. Our extensive evaluation on the CIFAR-10-C, CIFAR-100-C, and CelebA datasets demonstrates the effectiveness of DAAP in accurately estimating performance while safeguarding both data and model privacy.

BibTeX
@inproceedings {299810,
author = {Guodong Cao and Zhibo Wang and Yunhe Feng and Xiaowei Dong},
title = {{DAAP}: {Privacy-Preserving} Model Accuracy Estimation on Unlabeled Datasets Through {Distribution-Aware} Adversarial Perturbation},
booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
year = {2024},
isbn = {978-1-939133-44-1},
address = {Philadelphia, PA},
pages = {4801--4818},
url = {https://www.usenix.org/conference/usenixsecurity24/presentation/cao-guodong},
publisher = {USENIX Association},
month = aug
}