Distributional Black-Box Model Inversion Attack with Multi-Agent Reinforcement Learning
Huan Bao, Kaimin Wei, Yongdong Wu, Jin Qian, Robert H. Deng

TL;DR
This paper introduces a novel black-box model inversion attack using multi-agent reinforcement learning to construct a probabilistic latent space, enabling more effective recovery of private training data without needing model details.
Contribution
It proposes a distributional MI attack that does not require model parameters or specialized GAN training, utilizing reinforcement learning to better approximate the latent data distribution.
Findings
Outperforms state-of-the-art in attack accuracy
Achieves better K-nearest neighbor feature distance
Improves Peak Signal-to-Noise Ratio
Abstract
A Model Inversion (MI) attack based on Generative Adversarial Networks (GAN) aims to recover the private training data from complex deep learning models by searching codes in the latent space. However, such attacks merely search a deterministic latent space, so the latent code they find is usually suboptimal. In addition, the existing distributional MI schemes assume that an attacker can access the structures and parameters of the target model, which is not always viable in practice. To overcome the above shortcomings, this paper proposes a novel Distributional Black-Box Model Inversion (DBB-MI) attack by constructing the probabilistic latent space for searching the target privacy data. Specifically, DBB-MI does not need the target model parameters or specialized GAN training. Instead, it finds the latent probability distribution by combining the output of the target model with multi-agent…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Smart Grid Security and Resilience
