Reinforcement Learning-Based Black-Box Model Inversion Attacks

TL;DR

This paper introduces a reinforcement learning-based black-box model inversion attack that effectively reconstructs private data from models, outperforming existing methods and emphasizing the need for privacy-preserving techniques.

Contribution

It formulates the inversion attack as an MDP and uses reinforcement learning to improve attack success in black-box settings, achieving state-of-the-art results.

Findings

Successfully reconstructs private data across various datasets and models.

Outperforms existing black-box inversion attack methods.

Highlights the importance of privacy-preserving machine learning.

Abstract

Model inversion attacks are a type of privacy attack that reconstructs private data used to train a machine learning model, solely by accessing the model. Recently, white-box model inversion attacks leveraging Generative Adversarial Networks (GANs) to distill knowledge from public datasets have been receiving great attention because of their excellent attack performance. On the other hand, current black-box model inversion attacks that utilize GANs suffer from issues such as being unable to guarantee the completion of the attack process within a predetermined number of query accesses or achieve the same level of performance as white-box attacks. To overcome these limitations, we propose a reinforcement learning-based black-box model inversion attack. We formulate the latent space search as a Markov Decision Process (MDP) problem and solve it with reinforcement learning. Our method utilizes the confidence scores of the generated images to provide rewards to an agent. Finally, the private data can be reconstructed using the latent vectors found by the agent trained in the MDP. The experiment results on various datasets and models demonstrate that our attack successfully recovers the private information of the target model by achieving state-of-the-art attack performance. We emphasize the importance of studies on privacy-preserving machine learning by proposing a more advanced black-box model inversion attack.