Mar 12, 2024

Visual Privacy Auditing with Diffusion Models

arXiv:2403.07588v2 | 2 citations | h-index: 13 | Trans. Mach. Learn. Res.
Originality: Incremental advance
AI Analysis

This work addresses privacy risks in image data for machine learning practitioners, but it is incremental as it builds on existing attack methods with a new empirical focus.

The paper tackles the problem of data reconstruction attacks on machine learning models by introducing a diffusion model-based attack that targets differential privacy defenses, finding that real-world image priors significantly influence reconstruction success and that current theoretical bounds inadequately model this risk.

Data reconstruction attacks on machine learning models pose a substantial threat to privacy, potentially leaking sensitive information. Although defending against such attacks using differential privacy (DP) provides theoretical guarantees, determining appropriate DP parameters remains challenging. Current formal guarantees on the success of data reconstruction suffer from overly stringent assumptions regarding adversary knowledge about the target data, particularly in the image domain, raising questions about their real-world applicability. In this work, we empirically investigate this discrepancy by introducing a reconstruction attack based on diffusion models (DMs) that only assumes adversary access to real-world image priors and specifically targets the DP defense. We find that (1) real-world data priors significantly influence reconstruction success, (2) current reconstruction bounds do not model the risk posed by data priors well, and (3) DMs can serve as heuristic auditing tools for visualizing privacy leakage.
