CapRecover: A Cross-Modality Feature Inversion Attack Framework on Vision Language Models
Kedong Xiu, Sai Qian Zhang

TL;DR
CapRecover is a novel framework that recovers high-level semantic content, such as labels and captions, directly from the intermediate features of vision-language models. It exposes the resulting privacy risks and proposes simple defenses.
Contribution
It introduces CapRecover, the first method to recover semantic information directly from intermediate features of VLMs, and proposes a noise-based defense to prevent leakage.
Findings
Achieves up to 92.71% Top-1 accuracy on CIFAR-10
Generates captions with ROUGE-L scores up to 0.52 on COCO2017
Deeper layers encode more semantic information
Abstract
As Vision-Language Models (VLMs) are increasingly deployed in split-DNN configurations--with visual encoders (e.g., ResNet, ViT) operating on user devices and sending intermediate features to the cloud--there is a growing privacy risk from semantic information leakage. Existing approaches to reconstructing images from these intermediate features often result in blurry, semantically ambiguous images. To directly address semantic leakage, we propose CapRecover, a cross-modality inversion framework that recovers high-level semantic content, such as labels or captions, directly from intermediate features without image reconstruction. We evaluate CapRecover on multiple datasets and victim models, demonstrating strong performance in semantic recovery. Specifically, CapRecover achieves up to 92.71% Top-1 label accuracy on CIFAR-10 and generates fluent captions from ResNet50 features on…
