Understanding Reconstruction Attacks with the Neural Tangent Kernel and Dataset Distillation

TL;DR

This paper investigates the effectiveness of dataset reconstruction attacks on neural networks, demonstrating their ability to recover entire training sets in the infinite width regime and revealing factors influencing attack success.

Contribution

It introduces a stronger reconstruction attack, proves its ability to recover full datasets in the infinite width limit, and links attack success to deviations from the Neural Tangent Kernel regime.

Findings

Reconstruction attack can recover entire training datasets in the infinite width limit.

Success of attack depends on deviations from the Neural Tangent Kernel regime.

Reconstructed images are often dataset outliers and can be used for dataset distillation.

Abstract

Modern deep learning requires large volumes of data, which could contain sensitive or private information that cannot be leaked. Recent work has shown for homogeneous neural networks a large portion of this training data could be reconstructed with only access to the trained network parameters. While the attack was shown to work empirically, there exists little formal understanding of its effective regime which datapoints are susceptible to reconstruction. In this work, we first build a stronger version of the dataset reconstruction attack and show how it can provably recover the \emph{entire training set} in the infinite width regime. We then empirically study the characteristics of this attack on two-layer networks and reveal that its success heavily depends on deviations from the frozen infinite-width Neural Tangent Kernel limit. Next, we study the nature of easily-reconstructed images. We show that both theoretically and empirically, reconstructed images tend to "outliers" in the dataset, and that these reconstruction attacks can be used for \textit{dataset distillation}, that is, we can retrain on reconstructed images and obtain high predictive accuracy.