Rank Matters: Understanding and Defending Model Inversion Attacks via Low-Rank Feature Filtering
Hongyao Yu, Yixiang Qiu, Hao Fang, Tianqu Zhuang, Bin Chen, Sijin Yu, Bin Wang, Shu-Tao Xia, Ke Xu

TL;DR
This paper introduces a low-rank feature filtering defense against model inversion attacks, revealing that higher-rank features are more vulnerable, and demonstrates its effectiveness across various models and datasets.
Contribution
It proposes a novel low-rank filtering method to enhance privacy protection against MIAs, backed by theoretical insights and extensive empirical validation.
Findings
Higher-rank features are more susceptible to privacy leakage.
The proposed method outperforms existing defenses across multiple settings.
Effective even with high-resolution data and high-capacity models.
Abstract
Model Inversion Attacks (MIAs) pose a significant threat to data privacy by reconstructing sensitive training samples from the knowledge embedded in trained machine learning models. Despite recent progress in enhancing the effectiveness of MIAs across diverse settings, defense strategies have lagged behind, struggling to balance model utility with robustness against increasingly sophisticated attacks. In this work, we propose the ideal inversion error to measure the privacy leakage, and our theoretical and empirical investigations reveal that higher-rank features are inherently more prone to privacy leakage. Motivated by this insight, we propose a lightweight and effective defense strategy based on low-rank feature filtering, which explicitly reduces the attack surface by constraining the dimension of intermediate representations. Extensive experiments across various model…
Taxonomy
Topics: Security and Verification in Computing · Cryptographic Implementations and Security · Security in Wireless Sensor Networks
