GAN-based Domain Inference Attack

TL;DR

This paper introduces a GAN-based method to infer the likely domain of a target model by measuring how much the model distracts GAN training, aiding in more effective model-inversion attacks.

Contribution

It proposes a novel GAN-based domain inference attack that does not require prior knowledge of the model's application domain.

Findings

The method can accurately rank candidate domains based on distraction levels.

Using the inferred domain improves the success rate of model-inversion attacks.

Experiments demonstrate the effectiveness of the approach in real scenarios.

Abstract

Model-based attacks can infer training data information from deep neural network models. These attacks heavily depend on the attacker's knowledge of the application domain, e.g., using it to determine the auxiliary data for model-inversion attacks. However, attackers may not know what the model is used for in practice. We propose a generative adversarial network (GAN) based method to explore likely or similar domains of a target model -- the model domain inference (MDI) attack. For a given target (classification) model, we assume that the attacker knows nothing but the input and output formats and can use the model to derive the prediction for any input in the desired form. Our basic idea is to use the target model to affect a GAN training process for a candidate domain's dataset that is easy to obtain. We find that the target model may distract the training procedure less if the domain is more similar to the target domain. We then measure the distraction level with the distance between GAN-generated datasets, which can be used to rank candidate domains for the target model. Our experiments show that the auxiliary dataset from an MDI top-ranked domain can effectively boost the result of model-inversion attacks.