Re-thinking Model Inversion Attacks Against Deep Neural Networks (2304.01669v2)
Abstract: Model inversion (MI) attacks aim to infer and reconstruct private training data by abusing access to a model. MI attacks have raised concerns about the leaking of sensitive information (e.g. private face images used in training a face recognition system). Recently, several algorithms for MI have been proposed to improve the attack performance. In this work, we revisit MI, study two fundamental issues pertaining to all state-of-the-art (SOTA) MI algorithms, and propose solutions to these issues which lead to a significant boost in attack performance for all SOTA MI. In particular, our contributions are two-fold: 1) We analyze the optimization objective of SOTA MI algorithms, argue that the objective is sub-optimal for achieving MI, and propose an improved optimization objective that boosts attack performance significantly. 2) We analyze "MI overfitting", show that it would prevent reconstructed images from learning semantics of training data, and propose a novel "model augmentation" idea to overcome this issue. Our proposed solutions are simple and improve all SOTA MI attack accuracy significantly. E.g., in the standard CelebA benchmark, our solutions improve accuracy by 11.8% and achieve for the first time over 90% attack accuracy. Our findings demonstrate that there is a clear risk of leaking sensitive information from deep learning models. We urge serious consideration to be given to the privacy implications. Our code, demo, and models are available at https://ngoc-nguyen-0.github.io/re-thinking_model_inversion_attacks/