Plug & Play Attacks: Towards Robust and Flexible Model Inversion Attacks

TL;DR

This paper introduces Plug & Play Attacks, a flexible and robust method for model inversion attacks that leverages pre-trained GANs to generate class-specific images across diverse models and datasets.

Contribution

The authors propose a novel attack framework that decouples the attack from specific generative models, enhancing flexibility and robustness against distributional shifts.

Findings

Effective even with publicly available GANs

Robust against dataset shifts

Requires minimal adjustments for different targets

Abstract

Model inversion attacks (MIAs) aim to create synthetic images that reflect the class-wise characteristics from a target classifier's private training data by exploiting the model's learned knowledge. Previous research has developed generative MIAs that use generative adversarial networks (GANs) as image priors tailored to a specific target model. This makes the attacks time- and resource-consuming, inflexible, and susceptible to distributional shifts between datasets. To overcome these drawbacks, we present Plug & Play Attacks, which relax the dependency between the target model and image prior, and enable the use of a single GAN to attack a wide range of targets, requiring only minor adjustments to the attack. Moreover, we show that powerful MIAs are possible even with publicly available pre-trained GANs and under strong distributional shifts, for which previous approaches fail to produce meaningful results. Our extensive evaluation confirms the improved robustness and flexibility of Plug & Play Attacks and their ability to create high-quality images revealing sensitive class characteristics.