Reconstructing Training Data from Trained Neural Networks
Niv Haim, Gal Vardi, Gilad Yehudai, Ohad Shamir, Michal Irani

TL;DR
This paper demonstrates that significant portions of training data can be reconstructed from trained neural networks, highlighting privacy risks and introducing a novel method based on theoretical insights into neural network training.
Contribution
It introduces a new reconstruction scheme that reveals the potential to recover training data from neural network parameters, a first in this research area.
Findings
Large parts of training data can be reconstructed from trained models.
The reconstruction method works on standard computer vision datasets.
The results highlight privacy vulnerabilities in neural network training.
Abstract
Understanding to what extent neural networks memorize training data is an intriguing question with practical and theoretical implications. In this paper we show that in some cases a significant fraction of the training data can in fact be reconstructed from the parameters of a trained neural network classifier. We propose a novel reconstruction scheme that stems from recent theoretical results about the implicit bias in training neural networks with gradient-based methods. To the best of our knowledge, our results are the first to show that reconstructing a large portion of the actual training samples from a trained neural network classifier is generally possible. This has negative implications on privacy, as it can be used as an attack for revealing sensitive training data. We demonstrate our method for binary MLP classifiers on a few standard computer vision datasets.
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Privacy-Preserving Technologies in Data · Stochastic Gradient Optimization Techniques
