Are Your Sensitive Attributes Private? Novel Model Inversion Attribute Inference Attacks on Classification Models

TL;DR

This paper introduces novel model inversion attacks that can infer sensitive attributes from classification models using only black-box access, revealing privacy vulnerabilities especially for certain demographic groups.

Contribution

The paper proposes two new model inversion attack methods that outperform existing techniques and extend to scenarios with unknown non-sensitive attributes.

Findings

Attacks are effective on decision trees and neural networks.

Certain demographic groups are more vulnerable to inversion attacks.

Proposed methods match or surpass state-of-the-art in attack success rate.

Abstract

Increasing use of machine learning (ML) technologies in privacy-sensitive domains such as medical diagnoses, lifestyle predictions, and business decisions highlights the need to better understand if these ML technologies are introducing leakage of sensitive and proprietary training data. In this paper, we focus on model inversion attacks where the adversary knows non-sensitive attributes about records in the training data and aims to infer the value of a sensitive attribute unknown to the adversary, using only black-box access to the target classification model. We first devise a novel confidence score-based model inversion attribute inference attack that significantly outperforms the state-of-the-art. We then introduce a label-only model inversion attack that relies only on the model's predicted labels but still matches our confidence score-based attack in terms of attack effectiveness. We also extend our attacks to the scenario where some of the other (non-sensitive) attributes of a target record are unknown to the adversary. We evaluate our attacks on two types of machine learning models, decision tree and deep neural network, trained on three real datasets. Moreover, we empirically demonstrate the disparate vulnerability of model inversion attacks, i.e., specific groups in the training dataset (grouped by gender, race, etc.) could be more vulnerable to model inversion attacks.