Network Inversion for Training-Like Data Reconstruction

TL;DR

This paper introduces a network inversion method called TLDR that can reconstruct training-like data from trained models, revealing privacy risks associated with sharing model weights.

Contribution

The paper presents a novel network inversion technique that reconstructs training-like data from models using a conditioned generator and classifier properties.

Findings

Successfully reconstructs training-like images from models

Highlights privacy risks in sharing trained models

Demonstrates effectiveness on standard vision datasets

Abstract

Machine Learning models are often trained on proprietary and private data that cannot be shared, though the trained models themselves are distributed openly assuming that sharing model weights is privacy preserving, as training data is not expected to be inferred from the model weights. In this paper, we present Training-Like Data Reconstruction (TLDR), a network inversion-based approach to reconstruct training-like data from trained models. To begin with, we introduce a comprehensive network inversion technique that learns the input space corresponding to different classes in the classifier using a single conditioned generator. While inversion may typically return random and arbitrary input images for a given output label, we modify the inversion process to incentivize the generator to reconstruct training-like data by exploiting key properties of the classifier with respect to the training data along with some prior knowledge about the images. To validate our approach, we conduct empirical evaluations on multiple standard vision classification datasets, thereby highlighting the potential privacy risks involved in sharing machine learning models.