Class Attribute Inference Attacks: Inferring Sensitive Class Information by Diffusion-Based Attribute Manipulations
Lukas Struppek, Dominik Hintersdorf, Felix Friedrich, Manuel Brack, Patrick Schramowski, Kristian Kersting

TL;DR
This paper introduces CAIA, a black-box attack leveraging text-to-image synthesis to infer sensitive class attributes in neural network classifiers, revealing privacy vulnerabilities especially in robust models.
Contribution
The paper presents the first Class Attribute Inference Attack (CAIA) that effectively infers sensitive class attributes using diffusion-based methods in a black-box setting.
Findings
CAIA accurately infers sensitive attributes like hair color, gender, and race.
Adversarially robust models are more vulnerable to attribute inference attacks.
Privacy leakage is more significant in robust models, indicating a robustness-privacy trade-off.
Abstract
Neural network-based image classifiers are powerful tools for computer vision tasks, but they inadvertently reveal sensitive attribute information about their classes, raising concerns about their privacy. To investigate this privacy leakage, we introduce the first Class Attribute Inference Attack (CAIA), which leverages recent advances in text-to-image synthesis to infer sensitive attributes of individual classes in a black-box setting, while remaining competitive with related white-box attacks. Our extensive experiments in the face recognition domain show that CAIA can accurately infer undisclosed sensitive attributes, such as an individual's hair color, gender, and racial appearance, which are not part of the training labels. Interestingly, we demonstrate that adversarial robust models are even more vulnerable to such privacy leakage than standard models, indicating that a trade-off…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Domain Adaptation and Few-Shot Learning · COVID-19 diagnosis using AI
