LG · CR · CV · Mar 16, 2023

Class Attribute Inference Attacks: Inferring Sensitive Class Information by Diffusion-Based Attribute Manipulations

arXiv:2303.09289v2 · 3 citations · h-index: 25
AI Analysis

This work addresses privacy concerns for users of image classification systems, particularly in sensitive domains like face recognition. It is incremental in that it applies text-to-image synthesis to a new attack scenario.

The paper tackles the problem of neural network image classifiers inadvertently leaking sensitive class attributes. It shows that the proposed Class Attribute Inference Attack can accurately infer undisclosed attributes such as hair color, gender, and racial appearance, and that adversarially robust models are more vulnerable.

Neural network-based image classifiers are powerful tools for computer vision tasks, but they inadvertently reveal sensitive attribute information about their classes, raising concerns about their privacy. To investigate this privacy leakage, we introduce the first Class Attribute Inference Attack (CAIA), which leverages recent advances in text-to-image synthesis to infer sensitive attributes of individual classes in a black-box setting, while remaining competitive with related white-box attacks. Our extensive experiments in the face recognition domain show that CAIA can accurately infer undisclosed sensitive attributes, such as an individual's hair color, gender, and racial appearance, which are not part of the training labels. Interestingly, we demonstrate that adversarially robust models are even more vulnerable to such privacy leakage than standard models, indicating that a trade-off between robustness and privacy exists.
