Knowledge-Enriched Distributional Model Inversion Attacks | IEEE Conference Publication | IEEE Xplore
Subscribe
ADVANCED SEARCH
Conferences >2021 IEEE/CVF International C...

Knowledge-Enriched Distributional Model Inversion Attacks

PDF
Si Chen; Mostafa Kahla; Ruoxi Jia; Guo-Jun Qi
All Authors

Abstract:

Model inversion (MI) attacks are aimed at reconstructing training data from model parameters. Such attacks have triggered increasing concerns about privacy, especially gi...Show More

Metadata

Abstract:

Model inversion (MI) attacks are aimed at reconstructing training data from model parameters. Such attacks have triggered increasing concerns about privacy, especially given a growing number of online model repositories. However, existing MI attacks against deep neural networks (DNNs) have large room for performance improvement. We present a novel inversion-specific GAN that can better distill knowledge useful for performing attacks on private models from public data. In particular, we train the discriminator to differentiate not only the real and fake samples but the soft-labels provided by the target model. Moreover, unlike previous work that directly searches for a single data point to represent a target class, we propose to model a private data distribution for each target class. Our experiments show that the combination of these techniques can significantly boost the success rate of the state-of-the-art MI attacks by 150%, and generalize better to a variety of datasets and models. Our code is available at https://github.com/SCccc21/Knowledge-Enriched-DMI.
Published in: 2021 IEEE/CVF International Conference on Computer Vision (ICCV)
Date of Conference: 10-17 October 2021
Date Added to IEEE Xplore: 28 February 2022
ISBN Information:

ISSN Information:

DOI: 10.1109/ICCV48922.2021.01587
Conference Location: Montreal, QC, Canada
Contents

1. Introduction

Many attractive applications of machine learning (ML) techniques involve training models on sensitive and proprietary datasets. One major concern for these applications is that models could be subject to privacy attacks and reveal inappropriate details of the training data. One type of privacy attacks is MI attacks, aimed at recovering training data from the access to a model. The access could either be black-box or white-box. In the blackbox setting, the attacker can only make prediction queries to the model, while in the whitebox setting, the attacker has complete knowledge of the model. Given a growing number of online platforms where users can download entire models, such as Tensorflow Hub and ModelDepot, whitebox MI attacks have posed an increasingly serious threat to privacy.

Contact IEEE to Subscribe
More Like This
Finding an Optimal Small Sample of Training Dataset for Computer Vision Deep-Learning Models

2024 International Conference on Machine Learning and Applications (ICMLA)

Published: 2024

Balancing Privacy and Accuracy: Exploring the Impact of Data Anonymization on Deep Learning Models in Computer Vision

IEEE Access

Published: 2024

Show More

References

References is not available for this document.

IEEE Account

Purchase Details

Profile Information

Need Help?

A not-for-profit organization, IEEE is the world's largest technical professional organization dedicated to advancing technology for the benefit of humanity.
© Copyright 2025 IEEE - All rights reserved. Use of this web site signifies your agreement to the terms and conditions.