Trap-MID: Trapdoor-based Defense against Model Inversion Attacks

Zhen-Ting Liu, Shang-Tse Chen

TL;DR

Theoretical insights into the impact of the trapdoor's effectiveness and naturalness on deceiving MI attacks are provided, and empirical experiments demonstrate the state-of-the-art defense performance of Trap-MID against various MI attacks without requiring extra data or large computational overhead.

Abstract

Model Inversion (MI) attacks pose a significant threat to the privacy of Deep Neural Networks by recovering the training data distribution from well-trained models. While existing defenses often rely on regularization techniques to reduce information leakage, they remain vulnerable to recent attacks. In this paper, we propose the Trapdoor-based Model Inversion Defense (Trap-MID) to mislead MI attacks. A trapdoor is integrated into the model so that it predicts a specific label when the input is injected with the corresponding trigger. Consequently, this trapdoor information serves as a "shortcut" for MI attacks, leading them to extract trapdoor triggers rather than private data. We provide theoretical insights into the impact of the trapdoor's effectiveness and naturalness on deceiving MI attacks. In addition, empirical experiments demonstrate the state-of-the-art defense performance of Trap-MID against various MI attacks without requiring extra data or large computational overhead. Our source code is publicly available at https://github.com/ntuaislab/Trap-MID.

Paper Structure

This paper contains 75 sections, 1 theorem, 12 equations, 13 figures, 20 tables, and 1 algorithm.

Key Result

Theorem 1

If, for all $y$, the trapdoor is $(\delta, y)$-effective and $\epsilon$-natural on model $f$ with injection function $\Pi_y(\cdot)$, then $\mathbb{E}_{Y \sim p(Y)}\mathbb{E}_{X \sim p(X)}[\log p_f(\Pi_y(X)|Y)] \ge \mathbb{E}_{(X, Y) \sim p(X, Y)}[\log p_f(X|Y)] + (\delta - \epsilon)$.

Figures (13)

  • Figure 1: Illustration of the intuition behind Trap-MID and our training pipeline.
  • Figure 2: Reconstructed images from PLG-MI.
  • Figure 3: Illustration of trapdoor detection.
  • Figure 4: Sample poisoned images for TeD's ($\alpha=0.1$) and our trapdoor injection methods. Each column depicts a poisoned image with a specific target label. The blend ratio $\alpha$ is multiplied by a factor of 10 for better visualization ($\alpha = 1$ and 0.2 for TeD's and our triggers, respectively).
  • Figure 5: Defense comparison with different augmentation against PLG-MI, using VGG-16 models.
  • ...and 8 more figures

Theorems & Definitions (4)

  • Definition 1
  • Definition 2
  • Theorem 1
  • Proof