Deconstructing Classifiers: Towards A Data Reconstruction Attack Against Text Classification Models
This work addresses privacy risks for users of text classification models by revealing a previously underestimated vulnerability, though it is incremental as it builds on existing attack methods for LLMs.
The authors tackled the vulnerability of text classification models to data reconstruction attacks, demonstrating that their Mix And Match attack can effectively extract training data using both random and organic canaries, highlighting significant privacy risks.
Natural language processing (NLP) models have become increasingly popular in real-world applications, such as text classification. However, they are vulnerable to privacy attacks, including data reconstruction attacks that aim to extract the data used to train the model. Most previous studies on data reconstruction attacks have focused on LLM, while classification models were assumed to be more secure. In this work, we propose a new targeted data reconstruction attack called the Mix And Match attack, which takes advantage of the fact that most classification models are based on LLM. The Mix And Match attack uses the base model of the target model to generate candidate tokens and then prunes them using the classification head. We extensively demonstrate the effectiveness of the attack using both random and organic canaries. This work highlights the importance of considering the privacy risks associated with data reconstruction attacks in classification models and offers insights into possible leakages.