Membership Model Inversion Attacks for Deep Networks
This addresses privacy vulnerabilities in AI systems, particularly for domains like OCR or facial recognition, but appears incremental as it builds on existing model inversion concepts with a new approach.
The paper tackles the problem of model inversion attacks on deep networks by introducing a more realistic definition where the adversary knows the model's purpose, aiming to find realistic class representations within a lower-dimensional manifold. They leverage generative adversarial networks to construct this manifold and demonstrate efficient attacks, though specific numerical results are not provided in the abstract.
With the increasing adoption of AI, inherent security and privacy vulnerabilities formachine learning systems are being discovered. One such vulnerability makes itpossible for an adversary to obtain private information about the types of instancesused to train the targeted machine learning model. This so-called model inversionattack is based on sequential leveraging of classification scores towards obtaininghigh confidence representations for various classes. However, for deep networks,such procedures usually lead to unrecognizable representations that are uselessfor the adversary. In this paper, we introduce a more realistic definition of modelinversion, where the adversary is aware of the general purpose of the attackedmodel (for instance, whether it is an OCR system or a facial recognition system),and the goal is to find realistic class representations within the corresponding lower-dimensional manifold (of, respectively, general symbols or general faces). To thatend, we leverage properties of generative adversarial networks for constructinga connected lower-dimensional manifold, and demonstrate the efficiency of ourmodel inversion attack that is carried out within that manifold.