cs.CR, cs.LG · Feb 13, 2024

Data Reconstruction Attacks and Defenses: A Systematic Evaluation

arXiv:2402.09478v3 · 7 citations · h-index: 15 · AISTATS
Originality: Incremental advance

AI Analysis

This work addresses data leakage issues in machine learning, providing a more rigorous framework for evaluating attacks and defenses, though it is incremental in refining existing approaches.

The authors tackled the problem of data reconstruction attacks in machine learning by framing it as an inverse problem, enabling theoretical and systematic evaluation; they derived upper and lower bounds on reconstruction error for two-layer neural networks and proposed a strong attack that updated previous understandings of defense methods.

Reconstruction attacks and defenses are essential to understanding the data leakage problem in machine learning. However, prior work has centered on empirical observations of gradient inversion attacks, lacks theoretical grounding, and cannot disentangle the usefulness of a defense method from the computational limitations of the attack method used to test it. In this work, we propose to view the problem as an inverse problem, which enables us to theoretically and systematically evaluate the data reconstruction attack. For various defense methods, we derive an algorithmic upper bound and a matching (in feature dimension and architecture dimension) information-theoretic lower bound on the reconstruction error for two-layer neural networks. To complement the theoretical results and investigate the utility-privacy trade-off, we define a natural evaluation metric for defense methods: the reconstruction error achieved by the strongest attacks at a comparable utility loss. We further propose a strong reconstruction attack that revises some previous understanding of the strength of defense methods under our proposed evaluation metric.
