GAMIN: An Adversarial Approach to Black-Box Model Inversion

TL;DR

GAMIN introduces a black-box adversarial framework that effectively inverts complex neural network models, revealing sensitive training data with high accuracy while maintaining reasonable computational costs.

Contribution

This paper presents GAMIN, a novel generative adversarial approach for black-box model inversion, capable of attacking deep neural networks and extracting training data features.

Findings

Achieves up to 60% recognizable digit extraction on MNIST

Successfully extracts features from skin classification models

Operates efficiently against complex deep models

Abstract

Recent works have demonstrated that machine learning models are vulnerable to model inversion attacks, which lead to the exposure of sensitive information contained in their training dataset. While some model inversion attacks have been developed in the past in the black-box attack setting, in which the adversary does not have direct access to the structure of the model, few of these have been conducted so far against complex models such as deep neural networks. In this paper, we introduce GAMIN (for Generative Adversarial Model INversion), a new black-box model inversion attack framework achieving significant results even against deep models such as convolutional neural networks at a reasonable computing cost. GAMIN is based on the continuous training of a surrogate model for the target model under attack and a generator whose objective is to generate inputs resembling those used to train the target model. The attack was validated against various neural networks used as image classifiers. In particular, when attacking models trained on the MNIST dataset, GAMIN is able to extract recognizable digits for up to 60% of labels produced by the target. Attacks against skin classification models trained on the pilot parliament dataset also demonstrated the capacity to extract recognizable features from the targets.