Oct 8, 2020

Knowledge-Enriched Distributional Model Inversion Attacks

arXiv:2010.04092v4 | 126 citations | Has Code
Originality: Highly original

AI Analysis

This work addresses privacy concerns raised by online model repositories by strengthening the ability to reconstruct training data from a released model; it represents an incremental improvement over existing model inversion attacks.

The paper tackles the problem of improving model inversion attacks on deep neural networks by introducing a novel inversion-specific GAN that distills knowledge from public data and models private data distributions per class, resulting in a 150% boost in success rate over state-of-the-art attacks.

Model inversion (MI) attacks aim to reconstruct training data from model parameters. Such attacks have triggered increasing concerns about privacy, especially given the growing number of online model repositories. However, existing MI attacks against deep neural networks (DNNs) leave large room for performance improvement. We present a novel inversion-specific GAN that can better distill knowledge useful for performing attacks on private models from public data. In particular, we train the discriminator to differentiate not only real and fake samples but also the soft labels provided by the target model. Moreover, unlike previous work that directly searches for a single data point to represent a target class, we propose to model a private data distribution for each target class. Our experiments show that the combination of these techniques can significantly boost the success rate of the state-of-the-art MI attacks by 150%, and generalize better to a variety of datasets and models. Our code is available at https://github.com/SCccc21/Knowledge-Enriched-DMI.

Code Implementations: 2 repos

Foundations

The foundational work for this paper's niche, ranked by how specifically the neighbourhood builds on it rather than by global fame.