LG | AI | CV | Jan 28, 2022

Plug & Play Attacks: Towards Robust and Flexible Model Inversion Attacks

arXiv:2201.12179v4 | 90 citations
Originality: Incremental advance
AI Analysis

This addresses the need for more robust and flexible privacy attacks in machine learning, though it is an incremental advance that builds on prior generative MIAs.

The paper tackles the problem of model inversion attacks (MIAs) being time-consuming, inflexible, and sensitive to dataset shifts by introducing Plug & Play Attacks, which use a single GAN to attack various models with minor adjustments, achieving high-quality image reconstruction even under strong distributional shifts.

Model inversion attacks (MIAs) aim to create synthetic images that reflect the class-wise characteristics from a target classifier's private training data by exploiting the model's learned knowledge. Previous research has developed generative MIAs that use generative adversarial networks (GANs) as image priors tailored to a specific target model. This makes the attacks time- and resource-consuming, inflexible, and susceptible to distributional shifts between datasets. To overcome these drawbacks, we present Plug & Play Attacks, which relax the dependency between the target model and image prior, and enable the use of a single GAN to attack a wide range of targets, requiring only minor adjustments to the attack. Moreover, we show that powerful MIAs are possible even with publicly available pre-trained GANs and under strong distributional shifts, for which previous approaches fail to produce meaningful results. Our extensive evaluation confirms the improved robustness and flexibility of Plug & Play Attacks and their ability to create high-quality images revealing sensitive class characteristics.

Code Implementations: 3 repos