Private and interpretable clinical prediction with quantum-inspired tensor train models
Machine learning in clinical settings must balance predictive accuracy, interpretability, and privacy. Models such as logistic regression (LR) offer transparency, while neural networks (NNs) provide greater predictive power; yet both remain vulnerable to privacy attacks. We empirically assess these risks by designing attacks that identify which public datasets were used to train a model under varying levels of adversarial access, applying them to LORIS, a publicly available LR model for immunotherapy response prediction, as well as to additional shallow NN models trained for the same task. Our results show that both models leak significant training-set information, with LRs proving particularly vulnerable in white-box scenarios. Moreover, we observe that common practices such as cross-validation in LRs exacerbate these risks. To mitigate these vulnerabilities, we propose a quantum-inspired defense based on tensorizing discretized models into tensor trains (TTs), which fully obfuscates parameters while preserving accuracy, reducing white-box attacks to random guessing and degrading black-box attacks comparably to Differential Privacy. TT models retain LR interpretability and extend it through efficient computation of marginal and conditional distributions, while also enabling this higher level of interpretability for NNs. Our results demonstrate that tensorization is widely applicable and establishes a practical foundation for private, interpretable, and effective clinical prediction.
💡 Research Summary
Machine learning models deployed for clinical decision‑making must simultaneously satisfy three demanding criteria: high predictive performance, transparent interpretability, and robust protection of patient privacy. This paper investigates the tension among these criteria by first quantifying the privacy leakage of two widely used model families—logistic regression (LR) and shallow neural networks (NNs)—and then proposing a novel defense based on quantum‑inspired tensor train (TT) representations.
Privacy threat assessment.
The authors design a membership‑inference attack that, given a target model, determines which of a set of publicly available clinical cohorts were used during training. The attack follows a standard shadow‑model pipeline: for each possible combination of public datasets and a range of hyper‑parameters, many shadow models are trained; their observable outputs (either discretized scores for black‑box (b‑WBB) or raw scores for strong black‑box (SBB) access, or the full parameter vector for white‑box (WB) access) are paired with the known dataset‑membership vectors; a multi‑label meta‑classifier is then trained to predict the presence of each dataset. The threat model assumes the adversary knows the model architecture, the list of public datasets, and the training procedure (including cross‑validation).
Applying this attack to LORIS—a publicly released LR model for predicting response to immunotherapy—and to comparable shallow NNs trained on the same six clinical/genomic features, the authors find substantial leakage. In white‑box settings, LR parameters expose the training set with >90 % accuracy, and even the averaged models produced by extensive K‑fold cross‑validation retain enough signal to be identified. Shallow NNs are slightly harder to attack (≈70 % accuracy) but still leak significant information. Moreover, the use of cross‑validation, a common practice to improve generalisation, paradoxically amplifies privacy risk because the averaged parameters encode statistics from all folds.
Tensor‑train based defense.
To mitigate these risks, the paper introduces a quantum‑inspired defense: after training, the model (LR or NN) is discretized (output scores are bucketed into b bins) and then “tensorized” into a tensor‑train format using the TT‑RSS algorithm. A TT represents a high‑dimensional tensor as a chain of low‑rank core tensors; many distinct parameterizations can realize the same function, effectively obfuscating the original weights. Consequently, even if an attacker obtains the full TT representation (white‑box), they cannot recover the original parameters, reducing white‑box attack success to random guessing (≈50 %). The discretization of outputs also shrinks the observable output space, weakening black‑box attacks to a level comparable with differential privacy (DP) mechanisms, without explicitly adding calibrated noise.
Empirically, TT‑converted LR and NN models retain virtually unchanged AUROC compared with the original models. White‑box attacks drop to chance level, while black‑box attacks with b = 2, 6, 10 see accuracy reductions mirroring DP with ε≈1. Importantly, the TT representation preserves the interpretability of LR: the original coefficients can be recovered, and the TT cores enable efficient computation of marginal and conditional probabilities, allowing richer feature‑sensitivity analyses (e.g., assessing the effect of a specific mutation given cancer type). For NNs, the same tensorization yields a post‑hoc interpretable structure, granting access to conditional distributions that are otherwise unavailable.
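As an added illustration (not code from the paper), a small numpy sketch of the two tensor‑train properties the defense relies on: a gauge transformation rewrites the cores into different parameters that compute exactly the same function, and contracting the cores with one‑hot or prior vectors yields point predictions and marginal/conditional means without expanding the full tensor. It assumes a constructed 3‑feature logistic regression with made‑up weights, uses plain TT‑SVD in place of the paper's TT‑RSS, assumes a uniform prior over unclamped features, and leaves out the discretization of outputs into b bins.

```python
import numpy as np

# Constructed toy logistic regression over 3 binary features (LORIS uses 6).
W = np.array([1.2, -0.8, 0.5])
B = -0.3

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def full_tensor(w=W, b=B):
    """Evaluate the LR on every input combination: T[x1, x2, x3] = P(response | x)."""
    grid = np.array(np.meshgrid([0, 1], [0, 1], [0, 1], indexing="ij"))  # (3, 2, 2, 2)
    return sigmoid(np.tensordot(w, grid, axes=(0, 0)) + b)

def tt_decompose(T, eps=1e-12):
    """TT-SVD (sequential SVD) into cores of shape (r_{k-1}, n_k, r_k).
    The paper uses TT-RSS; TT-SVD is a stand-in with the same output format."""
    n, cores, rank, rest = T.shape, [], 1, T.reshape(1, -1)
    for k in range(len(n) - 1):
        u, s, vt = np.linalg.svd(rest.reshape(rank * n[k], -1), full_matrices=False)
        keep = int(np.sum(s > eps * s[0]))
        cores.append(u[:, :keep].reshape(rank, n[k], keep))
        rest, rank = s[:keep, None] * vt[:keep], keep
    cores.append(rest.reshape(rank, n[-1], 1))
    return cores

def contract(cores, vectors):
    """Contract each core with a vector over its feature axis: one-hot vectors evaluate
    a point, probability vectors marginalize that feature. Cost is linear in #features."""
    res = np.ones((1, 1))
    for core, v in zip(cores, vectors):
        res = res @ np.tensordot(core, v, axes=(1, 0))
    return float(res[0, 0])

def gauge_transform(cores, seed=0):
    """Insert G and G^{-1} on every bond: different cores, identical function.
    This is the gauge freedom that hides the original weights from a white-box reader."""
    rng, new = np.random.default_rng(seed), [c.copy() for c in cores]
    for k in range(len(new) - 1):
        r = new[k].shape[2]
        G = rng.normal(size=(r, r)) + 3 * np.eye(r)   # random, well-conditioned gauge
        new[k] = np.einsum("inj,jk->ink", new[k], G)
        new[k + 1] = np.einsum("kj,jnl->knl", np.linalg.inv(G), new[k + 1])
    return new

def conditional_mean(cores, fixed):
    """Mean prediction with the features in `fixed` clamped and the rest averaged
    under an assumed uniform prior, read directly off the TT cores."""
    vecs = [np.eye(2)[fixed[i]] if i in fixed else np.full(2, 0.5) for i in range(len(cores))]
    return contract(cores, vecs)
```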
Broader implications and recommendations.
The study highlights that standard ML practices—cross‑validation, model averaging, and even the choice of a simple linear model—can unintentionally increase privacy exposure. By contrast, tensorization offers a post‑training, model‑agnostic pipeline that simultaneously delivers (i) strong white‑box privacy via parameter obfuscation, (ii) configurable black‑box privacy through output discretization, (iii) negligible loss in predictive performance, and (iv) enhanced interpretability for both linear and nonlinear models. The authors argue that such a pipeline should become a routine step before releasing clinical predictive models, especially in regulated environments where privacy guarantees and explainability are mandated.
In summary, the paper makes three key contributions: (1) a concrete demonstration that clinical LR and shallow NN models can leak substantial training‑set information, especially under white‑box access; (2) a systematic evaluation showing that differential‑privacy defenses often trade off accuracy, whereas tensor‑train based defenses achieve comparable privacy with minimal utility loss; and (3) a practical, scalable method to convert any trained model into a TT form that preserves—or even extends—interpretability while providing strong, tunable privacy protection. This work bridges quantum‑inspired tensor network theory with real‑world clinical AI security, offering a viable path toward trustworthy, privacy‑preserving medical machine learning.