Re-thinking Model Inversion Attacks Against Deep Neural Networks
- URL: http://arxiv.org/abs/2304.01669v2
- Date: Thu, 15 Jun 2023 14:00:24 GMT
- Title: Re-thinking Model Inversion Attacks Against Deep Neural Networks
- Authors: Ngoc-Bao Nguyen, Keshigeyan Chandrasegaran, Milad Abdollahzadeh,
Ngai-Man Cheung
- Abstract summary: Model inversion (MI) attacks aim to infer and reconstruct private training data by abusing access to a model.
Recently, several algorithms have been proposed to improve MI attack performance.
We study two fundamental issues pertaining to all state-of-the-art (SOTA) MI algorithms.
- Score: 34.87141698143304
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Model inversion (MI) attacks aim to infer and reconstruct private training
data by abusing access to a model. MI attacks have raised concerns about the
leaking of sensitive information (e.g. private face images used in training a
face recognition system). Recently, several algorithms for MI have been
proposed to improve the attack performance. In this work, we revisit MI, study
two fundamental issues pertaining to all state-of-the-art (SOTA) MI algorithms,
and propose solutions to these issues that lead to a significant boost in
attack performance for all SOTA MI algorithms. In particular, our contributions
are two-fold: 1) We analyze the optimization objective of SOTA MI algorithms,
argue that this objective is sub-optimal for MI, and propose an improved
optimization objective that significantly boosts attack performance. 2) We
analyze "MI overfitting", show that it prevents reconstructed images from
capturing the semantics of the training data, and propose a novel "model
augmentation" idea to overcome this issue. Our proposed solutions are simple
and significantly improve the attack accuracy of all SOTA MI methods. For
example, on the standard CelebA benchmark, our solutions improve attack
accuracy by 11.8% and exceed 90% attack accuracy for the first time. Our
findings demonstrate a clear risk of leaking sensitive information from deep
learning models, and we urge serious consideration of the privacy
implications. Our code, demo, and models are
available at
https://ngoc-nguyen-0.github.io/re-thinking_model_inversion_attacks/
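To make these two ideas concrete, below is a minimal PyTorch sketch of a GAN-based MI inner loop. It is an illustration under stated assumptions, not the authors' released implementation: the identity loss is written as a negative target-logit term (a stand-in for the paper's improved objective, replacing the usual cross-entropy on softmax outputs), and "model augmentation" is approximated by averaging that loss over the target model and surrogate models assumed to be distilled from it on public data. The generator G, batch size, latent dimension, and optimizer settings are placeholders.

```python
import torch

def identity_loss(models, images, target_id):
    """Average negative target-class logit over the target model and any
    augmented surrogate models (an illustrative stand-in for the paper's
    improved objective combined with "model augmentation")."""
    loss = 0.0
    for m in models:
        logits = m(images)                          # shape: (batch, num_identities)
        loss = loss - logits[:, target_id].mean()   # push the target logit up
    return loss / len(models)

def invert(G, models, target_id, latent_dim=100, steps=1500, lr=0.02, device="cuda"):
    """Optimize latent codes z so that G(z) is classified as `target_id`.
    G is assumed to be a generator pretrained on public images."""
    z = torch.randn(8, latent_dim, device=device, requires_grad=True)
    opt = torch.optim.Adam([z], lr=lr)
    for _ in range(steps):
        opt.zero_grad()
        x = G(z)                                    # candidate reconstructions
        loss = identity_loss(models, x, target_id)
        loss.backward()
        opt.step()
    with torch.no_grad():
        return G(z)

# Usage (placeholders): `target_model` is the private classifier under attack,
# `surrogates` are augmented models distilled from it on public data.
# recon = invert(G, [target_model] + surrogates, target_id=123)
```

Published GAN-based attacks usually add further terms (e.g. a prior loss from the GAN's discriminator) on top of the identity loss; these are omitted here to keep the sketch focused on the objective.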
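For the "model augmentation" idea specifically, one plausible construction, assumed here for illustration rather than taken from the released code, is to distill the target model's soft predictions into one or more surrogate classifiers using public data and then attack the resulting ensemble.

```python
import torch
import torch.nn.functional as F

def distill_surrogate(target_model, surrogate, public_loader, epochs=10, lr=1e-3, device="cuda"):
    """Fit `surrogate` to the target model's soft outputs on public data.
    A hypothetical recipe for building one "augmented" model."""
    target_model.eval()
    surrogate.train()
    opt = torch.optim.Adam(surrogate.parameters(), lr=lr)
    for _ in range(epochs):
        for x, _ in public_loader:                  # public labels are unused
            x = x.to(device)
            with torch.no_grad():
                teacher = F.softmax(target_model(x), dim=1)
            student = F.log_softmax(surrogate(x), dim=1)
            loss = F.kl_div(student, teacher, reduction="batchmean")
            opt.zero_grad()
            loss.backward()
            opt.step()
    return surrogate.eval()

# surrogates = [distill_surrogate(target_model, m, public_loader) for m in candidate_models]
```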
Related papers
- What Do Learning Dynamics Reveal About Generalization in LLM Reasoning? [83.83230167222852]
We find that a model's generalization behavior can be effectively characterized by a training metric we call pre-memorization train accuracy.
By connecting a model's learning behavior to its generalization, pre-memorization train accuracy can guide targeted improvements to training strategies.
arXiv Detail & Related papers (2024-11-12T09:52:40Z)
- Defending against Model Inversion Attacks via Random Erasing [24.04876860999608]
We present a new method to defend against Model Inversion (MI) attacks.
Our idea is based on a novel insight on Random Erasing (RE).
We show that RE can lead to substantial degradation in MI reconstruction quality and attack accuracy (a minimal training-time sketch is given after this list).
arXiv Detail & Related papers (2024-09-02T08:37:17Z)
- Model Inversion Attacks Through Target-Specific Conditional Diffusion Models [54.69008212790426]
Model inversion attacks (MIAs) aim to reconstruct private images from a target classifier's training set, thereby raising privacy concerns in AI applications.
Previous GAN-based MIAs tend to suffer from inferior generative fidelity due to GANs' inherent flaws and biased optimization within the latent space.
We propose Diffusion-based Model Inversion (Diff-MI) attacks to alleviate these issues.
arXiv Detail & Related papers (2024-07-16T06:38:49Z)
- Model Inversion Robustness: Can Transfer Learning Help? [27.883074562565877]
Model Inversion (MI) attacks aim to reconstruct private training data by abusing access to machine learning models.
We propose Transfer Learning-based Defense against Model Inversion (TL-DMI) to render MI-robust models.
Our method achieves state-of-the-art (SOTA) MI robustness without bells and whistles.
arXiv Detail & Related papers (2024-05-09T07:24:28Z)
- Pseudo Label-Guided Model Inversion Attack via Conditional Generative Adversarial Network [102.21368201494909]
Model inversion (MI) attacks have raised increasing concerns about privacy.
Recent MI attacks leverage a generative adversarial network (GAN) as an image prior to narrow the search space.
We propose a Pseudo Label-Guided MI (PLG-MI) attack via a conditional GAN (cGAN).
arXiv Detail & Related papers (2023-02-20T07:29:34Z)
- Accuracy-Privacy Trade-off in Deep Ensemble [12.87620316721433]
We show that two goals of ensemble learning, namely improving accuracy and privacy, directly conflict with each other.
We find that ensembling can improve either privacy or accuracy, but not both simultaneously.
Our evaluation of defenses against MI attacks, such as regularization and differential privacy, shows that they can mitigate the effectiveness of the MI attack but simultaneously degrade ensemble accuracy.
arXiv Detail & Related papers (2021-05-12T00:58:04Z)
- Knowledge-Enriched Distributional Model Inversion Attacks [49.43828150561947]
Model inversion (MI) attacks are aimed at reconstructing training data from model parameters.
We present a novel inversion-specific GAN that can better distill knowledge useful for performing attacks on private models from public data.
Our experiments show that the combination of these techniques can significantly boost the success rate of the state-of-the-art MI attacks by 150%.
arXiv Detail & Related papers (2020-10-08T16:20:48Z)
- How Does Data Augmentation Affect Privacy in Machine Learning? [94.52721115660626]
We propose new MI attacks to utilize the information of augmented data.
We establish the optimal membership inference when the model is trained with augmented data.
arXiv Detail & Related papers (2020-07-21T02:21:10Z)
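Regarding the Random Erasing defense listed above: as a rough illustration (not that paper's configuration), random erasing can be applied as a training-time transform in torchvision; the image size, probability, and scale values below are assumptions for the sketch.

```python
from torchvision import transforms

# Training-time augmentation that randomly erases a rectangular patch of each
# image tensor. The parameter values are illustrative, not the paper's settings.
train_transform = transforms.Compose([
    transforms.Resize((64, 64)),
    transforms.ToTensor(),                # RandomErasing expects a tensor image
    transforms.RandomErasing(p=0.5, scale=(0.02, 0.33), ratio=(0.3, 3.3), value=0),
])
```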
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of the information provided and is not responsible for any consequences of its use.