
On the Vulnerability of Skip Connections to Model Inversion Attacks

Jun Hao Koh, Sy-Tuyen Ho, Ngoc-Bao Nguyen, Ngai-man Cheung

TL;DR

This work investigates how skip connections in DNN architectures influence Model Inversion (MI) attacks, revealing that skip connections notably reinforce MI by enhancing gradient flow during inversion, with the last stage being most impactful. It shows RepVGG's inference-time removal of skips does not mitigate MI vulnerability due to equivalent gradient pathways in training and inference, and introduces MI-resilient architectural designs—Removal of Last Stage Skip-Connection (RoLSS), Skip-Connection Scaling Factor (SSF), and Two-Stage Training Scheme (TTS)—that achieve competitive MI robustness with modest accuracy trade-offs. Across 10 architectures, 4 MI attacks, and multiple private/public dataset settings, these architectural defenses outperform or complement state-of-the-art MI defenses (e.g., BiDO) and generalize to Vision Transformers as demonstrated in supplementary material. The findings establish architectural design as a practical, complementary axis for privacy protection in high-performance models, offering flexible control over the privacy-utility tradeoff and broad applicability to CNNs and ViTs.

Abstract

Skip connections are fundamental architecture designs for modern deep neural networks (DNNs) such as CNNs and ViTs. While they help improve model performance significantly, we identify a vulnerability associated with skip connections to Model Inversion (MI) attacks, a type of privacy attack that aims to reconstruct private training data through abusive exploitation of a model. In this paper, as a pioneer work to understand how DNN architectures affect MI, we study the impact of skip connections on MI. We make the following discoveries: 1) Skip connections reinforce MI attacks and compromise data privacy. 2) Skip connections in the last stage are the most critical to attack. 3) RepVGG, an approach to remove skip connections in the inference-time architectures, could not mitigate the vulnerability to MI attacks. 4) Based on our findings, we propose MI-resilient architecture designs for the first time. Without bells and whistles, we show in extensive experiments that our MI-resilient architectures can outperform state-of-the-art (SOTA) defense methods in MI robustness. Furthermore, our MI-resilient architectures are complementary to existing MI defense methods. Our project is available at https://Pillowkoh.github.io/projects/RoLSS/

Paper Structure (32 sections, 8 equations, 13 figures, 12 tables)

Figures (13)

  • Figure 1: (I) Illustration of MI attack on ResNet-like architecture (Sec. [ssec:MI_intro]). This figure depicts the MI attack framework for SOTA white-box MI attacks [zhang2020secret, chen2021knowledge, wang2021variational, yuan2023pseudo, nguyen_2023_CVPR, struppek2022plug, an2022mirror], which leverage a generative model $G(.)$ to exploit the target model via gradient descent and backpropagation. Specifically, for each iteration, $\tilde{x} = G(w)$ is fed into the target model in the forward pass, and the MI loss $\mathcal{L}$ is computed. In the backward pass, gradients of $\mathcal{L}$ are computed and back-propagated to obtain $\partial{\mathcal{L}} / \partial{w}$, which is used to update $w$ to achieve reconstruction of private training data. (II) Additive Skip Connection (Sec. [ssec:MI_intro]). During MI attacks, skip connections allow gradients to bypass the residual module and enhance backpropagation. We hypothesize that this reinforces MI attacks. (III) Our study on skip connection removal (Sec. [ssec:removal] and Sec. [Sec:Extensive_Evaluation]). To validate our hypothesis that skip connections could reinforce MI, we study the effect of skip connections on MI by removing skip connections within various stages of the target model. We study both additive and concatenative skip connections. (IV) Results of stage-wise skip connection removal study (Sec. [ssec:removal] and Sec. [Sec:Extensive_Evaluation]). The sub-figures show that skip connections have a considerable effect on MI. For both additive and concatenative skip connections, we observe that removal of skip connections results in considerable degradation of MI attack accuracy. Furthermore, we observe that skip connections in the last stage have the most significant effect on MI. Best viewed in color with zooming in.
  • Figure 2: MI convergence analysis. We compare histograms of likelihoods for original architecture (Full) and Removal of Last Stage Skip-Connection (RoLSS) architecture for ResNet-101 under PPA attack.
  • Figure 3: Additional experiments to validate the impact of skip connections on MI attacks across various architecture designs, including networks with additive skip connections (ResNet-34/50/152 [he2016deep]), concatenative skip connections (DenseNet-161/169/201 [huang2017densely]), and compact CNN (EfficientNet-B0 [tan2019efficientnet]). We strictly follow PPA [struppek2022plug] for MI setups. In all cases, a significant decrease in attack accuracy is consistently observed when skip connections are removed in the last stage, demonstrating that skip connections reinforce MI attacks.
  • Figure 4: Additional experiments on other SOTA MI attacks including KEDMI [chen2021knowledge], LOMMA [nguyen_2023_CVPR], and PLG-MI [yuan2023pseudo]. We follow the standard setup, where $T$ = IR152, $\mathcal{D}_{priv}$ = CelebA, $\mathcal{D}_{pub}$ = CelebA/FFHQ. Across all SOTA MI attacks, a consistent and notable reduction in attack accuracy is observed when skip connections are removed in the last stage, demonstrating that skip connections reinforce MI attacks.
  • Figure 5: Additional experiments on the Stanford Dogs [KhoslaYaoJayadevaprakashFeiFei_FGVC2011] dataset as $\mathcal{D}_{priv}$. The experiments are conducted under PPA [struppek2022plug] attacks across various architectures, including ResNet-50/101 and DenseNet-121/169. We strictly follow MI setups in PPA.
  • ...and 8 more figures
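The gradient-flow argument in Fig. 1 (II), made concrete on a toy residual stage, as an added example that is not code from the paper or its project page: with a skip factor alpha, the gradient that reaches the input splits into a term that bypasses the residual block (alpha * dL/dy) and a term that must pass the block's ReLU mask, so alpha = 0 (the RoLSS case) and 0 < alpha < 1 (the SSF case) shrink what an inversion step can use. The weights W1/W2, the input X0, the TARGET vector and the squared-error stand-in for the MI loss are all constructed assumptions.

```python
import numpy as np

# Constructed toy stage (assumption; not the paper's models): y = alpha*x + W2 relu(W1 x)
# on a 3-d stand-in for an image. alpha=1 is a standard skip, alpha=0 is RoLSS
# (skip removed), 0 < alpha < 1 is the SSF scaling factor.
X0 = np.array([1.0, -0.5, 2.0])
W1 = np.array([[0.3, -0.2, 0.1], [-0.4, 0.5, 0.2], [0.1, 0.1, -0.3]])
W2 = np.array([[0.6, -0.1, 0.2], [0.2, 0.4, -0.3], [-0.5, 0.1, 0.3]])
TARGET = np.array([0.5, 0.5, 0.5])  # constructed target standing in for the MI class objective

def forward(x, alpha, w1=W1, w2=W2):
    """Forward pass of one residual stage; also returns pre-activation h for backprop."""
    h = w1 @ x
    return alpha * x + w2 @ np.maximum(h, 0.0), h

def loss(x, alpha, w1=W1, w2=W2):
    """Stand-in for the MI loss L: squared distance of the stage output to TARGET."""
    y, _ = forward(x, alpha, w1, w2)
    return 0.5 * float(np.sum((y - TARGET) ** 2))

def input_gradient(x, alpha, w1=W1, w2=W2):
    """Analytic dL/dx. The alpha*g term is the part that bypasses the residual block
    through the skip; through_block is what survives the block's ReLU mask."""
    y, h = forward(x, alpha, w1, w2)
    g = y - TARGET                                   # dL/dy
    through_block = w1.T @ ((h > 0).astype(float) * (w2.T @ g))
    return alpha * g + through_block

def numeric_gradient(x, alpha, eps=1e-6):
    """Central finite differences of loss(); used to check input_gradient()."""
    grad = np.zeros_like(x)
    for i in range(x.size):
        e = np.zeros_like(x)
        e[i] = eps
        grad[i] = (loss(x + e, alpha) - loss(x - e, alpha)) / (2 * eps)
    return grad

def gradient_check(alpha):
    """Max |analytic - numeric| over the input coordinates."""
    return float(np.max(np.abs(input_gradient(X0, alpha) - numeric_gradient(X0, alpha))))

def gradient_norm(alpha, dead_block=False):
    """||dL/dx|| reaching the input. dead_block makes every ReLU in the residual
    branch inactive for X0 (negated |W1|), so only the skip path can carry gradient."""
    w1 = -np.abs(W1) if dead_block else W1
    return float(np.linalg.norm(input_gradient(X0, alpha, w1)))
```

With the residual branch inactive, gradient_norm(0.0, dead_block=True) is exactly zero while alpha = 1 passes the full dL/dy straight to the input, which is the bypass effect the paper's stage-wise removal study measures at network scale.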