LGCR
Jan 26, 2022

Variational Model Inversion Attacks

arXiv:2201.10787v1 (131 citations)
AI Analysis

This paper addresses privacy risks to the subjects of sensitive data used to train machine learning models, and represents an incremental advance in attack methodology.

The paper tackles the problem of model inversion attacks on deep neural networks by proposing a variational objective that balances diversity and accuracy, resulting in substantial improvements in attack accuracy, sample realism, and diversity on face and chest X-ray datasets.

Given the ubiquity of deep neural networks, it is important that these models do not reveal information about sensitive data that they have been trained on. In model inversion attacks, a malicious user attempts to recover the private dataset used to train a supervised neural network. A successful model inversion attack should generate realistic and diverse samples that accurately describe each of the classes in the private dataset. In this work, we provide a probabilistic interpretation of model inversion attacks, and formulate a variational objective that accounts for both diversity and accuracy. In order to optimize this variational objective, we choose a variational family defined in the code space of a deep generative model, trained on a public auxiliary dataset that shares some structural similarity with the target dataset. Empirically, our method substantially improves performance in terms of target attack accuracy, sample realism, and diversity on datasets of faces and chest X-ray images.

Code Implementations: 1 repo