Efficient Techniques for Data Reconstruction, with Finite-Width Recovery Guarantees

TL;DR

This paper introduces a unified optimization approach for data reconstruction attacks on neural networks, providing finite-width guarantees and efficient algorithms that improve reconstruction success, especially for low-dimensional data.

Contribution

It offers a novel optimization formulation with provable guarantees in the random feature model and develops an efficient subspace-aware reconstruction algorithm for neural networks.

Findings

Finite-width bounds enable high-probability data reconstruction.

Low-dimensional data subspace relaxes network width requirements.

Subspace-aware method outperforms standard techniques on CIFAR-10.

Abstract

Data reconstruction attacks on trained neural networks aim to recover the data on which the network has been trained and pose a significant threat to privacy, especially if the training dataset contains sensitive information. Here, we propose a unified optimization formulation of the data reconstruction problem based on initial and trained parameter values, incorporating state-of-the-art proposals. We show that in the random feature model, this formulation provably leads to training data reconstruction with high probability, provided the network width is sufficiently large; this unprecedented finite-width result uses PAC-style bounds. Furthermore, when the data lies in a low-dimensional subspace, we show that the network width requirement for successful reconstruction can be relaxed, with bounds depending on the subspace dimension rather than the ambient dimension. For general neural network models and unknown data orientations, we propose an efficient reconstruction algorithm that approximates the low-dimensional data subspace through the change in the first-layer weights during training and uses only the last-layer weights for reconstruction, thus reducing the search space dimension and the required network width for high-quality reconstructions. Our numerical experiments on synthetic datasets and CIFAR-10 confirm that our subspace-aware reconstruction approach outperforms standard full-space techniques.