Variational Model Inversion Attacks
Kuan-Chieh Wang, Yan Fu, Ke Li, Ashish Khisti, Richard Zemel, Alireza Makhzani

TL;DR
This paper introduces a variational approach to model inversion attacks on neural networks, improving the realism, diversity, and accuracy of reconstructed private data by leveraging deep generative models trained on auxiliary datasets.
Contribution
It presents a novel probabilistic formulation and variational objective for model inversion attacks, enhancing attack effectiveness using generative models trained on related public data.
Findings
Significantly improves attack accuracy on face and X-ray datasets
Produces more realistic and diverse reconstructed samples
Outperforms previous inversion methods in key metrics
Abstract
Given the ubiquity of deep neural networks, it is important that these models do not reveal information about sensitive data that they have been trained on. In model inversion attacks, a malicious user attempts to recover the private dataset used to train a supervised neural network. A successful model inversion attack should generate realistic and diverse samples that accurately describe each of the classes in the private dataset. In this work, we provide a probabilistic interpretation of model inversion attacks, and formulate a variational objective that accounts for both diversity and accuracy. In order to optimize this variational objective, we choose a variational family defined in the code space of a deep generative model, trained on a public auxiliary dataset that shares some structural similarity with the target dataset. Empirically, our method substantially improves performance…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Forensic and Genetic Research · Autopsy Techniques and Outcomes
