Categories: LG, ML. Jun 15, 2019

Robust or Private? Adversarial Training Makes Models More Vulnerable to Privacy Attacks

arXiv:1906.06449v1, 21 citations
Originality: Incremental advance

AI Analysis

This work addresses a critical security problem for machine learning practitioners and researchers by revealing a privacy vulnerability in adversarially robust models. The advance is incremental, since it builds on known attacks, but it highlights a new trade-off.

The paper examines the trade-off between adversarial robustness and privacy in deep learning models. It shows that adversarial training, while improving robustness, makes models significantly more vulnerable to model inversion attacks: attacks that were previously intractable on traditionally trained models become feasible on robustly trained ones.

Adversarial training was introduced as a way to improve the robustness of deep learning models to adversarial attacks. This training method improves robustness against adversarial attacks, but it increases the model's vulnerability to privacy attacks. In this work we demonstrate how model inversion attacks, which extract training data directly from the model and were previously thought to be intractable, become feasible when attacking a robustly trained model. The input space of a traditionally trained model is dominated by adversarial examples, data points that strongly activate a certain class but lack semantic meaning, and this makes it difficult to conduct model inversion attacks successfully. We demonstrate this effect on the CIFAR-10 dataset under three different model inversion attacks: a vanilla gradient descent method, a gradient-based method at different scales, and a generative adversarial network based attack.
