SoK: Data Reconstruction Attacks Against Machine Learning Models: Definition, Metrics, and Benchmark

TL;DR

This paper introduces a unified framework with formal definitions, evaluation metrics, and a benchmark for data reconstruction attacks on machine learning models, addressing current gaps in standardization and assessment.

Contribution

It proposes a formal taxonomy, quantitative metrics, and a benchmark for evaluating data reconstruction attacks, facilitating systematic comparison and future research.

Findings

Metrics effectively evaluate attack quality

Large language models assist in visual assessment

Framework reveals strengths and limitations of existing attacks

Abstract

Data reconstruction attacks, which aim to recover the training dataset of a target model with limited access, have gained increasing attention in recent years. However, there is currently no consensus on a formal definition of data reconstruction attacks or appropriate evaluation metrics for measuring their quality. This lack of rigorous definitions and universal metrics has hindered further advancement in this field. In this paper, we address this issue in the vision domain by proposing a unified attack taxonomy and formal definitions of data reconstruction attacks. We first propose a set of quantitative evaluation metrics that consider important criteria such as quantifiability, consistency, precision, and diversity. Additionally, we leverage large language models (LLMs) as a substitute for human judgment, enabling visual evaluation with an emphasis on high-quality reconstructions. Using our proposed taxonomy and metrics, we present a unified framework for systematically evaluating the strengths and limitations of existing attacks and establishing a benchmark for future research. Empirical results, primarily from a memorization perspective, not only validate the effectiveness of our metrics but also offer valuable insights for designing new attacks.