A prediction vector is the output tensor of a machine learning classifier, containing a confidence score for every possible class label. In neural networks, this is typically the result of a softmax activation function, which normalizes raw logits into a probability distribution where all values sum to 1. The vector's dimensionality equals the number of classes the model was trained to distinguish.
Glossary
Prediction Vector

What is a Prediction Vector?
The raw numerical output of a classifier's final layer, typically a softmax, representing the model's confidence distribution across all possible classes.
These vectors are the primary target of model inversion attacks and membership inference attacks, as the granular confidence scores leak information about the model's decision boundaries and training data. Defenses like confidence score masking truncate the vector to return only the top-k labels, while differential privacy mechanisms add calibrated noise to obscure the influence of individual training records on the output distribution.
Core Characteristics of Prediction Vectors
A prediction vector is the raw numerical output of a classifier's final layer, typically a softmax function, representing the model's confidence distribution across all possible classes. Understanding its structure is critical for diagnosing privacy leakage and defending against inversion attacks.
Probability Distribution
The prediction vector is a probability mass function where each element corresponds to a class label and sums to 1.0. The values represent the model's calibrated confidence that the input belongs to each class. In a standard softmax output, even incorrect classes receive non-zero probabilities, creating a rich information signal that can be exploited by model inversion attacks to reconstruct representative class features.
Information Leakage Vector
The full prediction vector leaks significantly more information than a hard label. The relative confidence margins between the top-k classes encode the model's decision boundary geometry. Attackers exploit this by performing gradient-based optimization on a dummy input to match the target prediction vector, effectively reversing the forward pass to reconstruct training data. This is the core mechanism behind Deep Leakage from Gradients (DLG) and confidence-based inversion.
Confidence Score Masking
A primary defense truncates the prediction vector to return only the top-k class labels without their associated probabilities. By suppressing the exact confidence values and zeroing out low-probability classes, the attack surface for inversion is dramatically reduced. This technique trades off some model interpretability for a substantial increase in privacy preservation, as the attacker loses the fine-grained gradient signal needed for reconstruction.
Temperature Scaling
The softmax temperature parameter T controls the sharpness of the probability distribution. A high temperature (T > 1) produces a softer, more uniform distribution that masks the model's true confidence margins, acting as a natural defense. Conversely, a low temperature (T < 1) sharpens the distribution toward a one-hot vector, which can reduce information leakage but may also impact model calibration and training dynamics in defensive distillation.
Output Perturbation Target
In differential privacy frameworks, the prediction vector is a direct target for output perturbation. Calibrated Gaussian or Laplacian noise is added to the raw logits or softmax probabilities before release. The sensitivity of the prediction vector—how much it changes when a single training record is modified—determines the privacy budget (epsilon) consumed per query. This mechanism provides formal guarantees against inversion and membership inference.
Label-Only Attack Surface
Even when confidence scores are hidden, the hard-label prediction alone can be exploited. In label-only inversion attacks, an adversary queries the model with perturbed inputs and observes the decision boundary crossing points. By mapping the geometry of where the predicted class changes, the attacker can reconstruct class-level prototypes without ever seeing a prediction vector, demonstrating that defense strategies must consider the entire query-response interface.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Clear answers to common questions about how a model's output layer can leak sensitive training data and the defenses used to mitigate these risks.
A prediction vector is the final output of a classification model, typically produced by a softmax layer, containing a probability distribution over all possible classes. For each class, the vector holds a confidence score between 0 and 1, with all scores summing to 1. For example, a facial recognition model might output [0.91, 0.06, 0.03] for classes [Alice, Bob, Charlie]. The vector encodes not just the winning class but the model's entire uncertainty landscape, including the margin between the top prediction and the runner-up. This rich signal is essential for model calibration but is also the primary attack surface exploited by model inversion and membership inference attacks.
Related Terms
Understanding the prediction vector requires context from the attacks that exploit it and the defenses designed to protect it. These cards cover the critical concepts surrounding model inversion and membership inference.
Confidence Score Masking
A defense mechanism that truncates the prediction vector to return only the top-k class labels instead of full probability distributions. By hiding low-probability scores, the information available for inversion attacks is dramatically reduced.
- Top-1 masking: Returns only the predicted class label
- Top-5 masking: Returns the five highest-confidence classes
- Trade-off: Reduces model explainability and calibration visibility
Output Perturbation
A privacy mechanism that directly adds random noise to the prediction vector before returning it to the user. Unlike DP-SGD which protects training data, output perturbation protects individual inference queries.
- Noise calibration: Scaled to the sensitivity of the softmax function
- Laplace mechanism: Common choice for L1 sensitivity
- Gaussian mechanism: Preferred for L2 sensitivity bounds

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us