Unlocking Visual Secrets: Inverting Features with Diffusion Priors for Image Reconstruction

Sai Qian Zhang, Ziyun Li, Chuan Guo, Saeed Mahloujifar, Deeksha Dangwal, Edward Suh, Barbara De Salvo, Chiao Liu

TL;DR

This work investigates privacy risks posed by feature inversion attacks on DNN representations, especially in split DNN setups. It introduces diffusion-model priors, via latent diffusion models, to invert intermediate features, and augments them with textual priors and cross-frame temporal coherence to boost reconstruction quality. The authors demonstrate that diffusion-prior-based inversion significantly outperforms direct optimization and decoder baselines across image classification, object detection, and multimodal CLIP backbones, in both white-box and black-box scenarios, and show gains from text and temporal priors. They also discuss practical defense options (MPC, HE, differential privacy) and emphasize that deeper models do not inherently guarantee privacy, prompting further study of robust safeguards. Overall, the paper reveals strong privacy leakage through generative priors and lays groundwork for both advancing inversion attacks and informing defenses in real-world DNN feature-based systems.

Abstract

Inverting visual representations within deep neural networks (DNNs) presents a challenging and important problem in the field of security and privacy for deep learning. The main goal is to invert the features of an unidentified target image generated by a pre-trained DNN, aiming to reconstruct the original image. Feature inversion holds particular significance in understanding the privacy leakage inherent in contemporary split DNN execution techniques, as well as in various applications based on the extracted DNN features. In this paper, we explore the use of diffusion models, a promising technique for image synthesis, to enhance feature inversion quality. We also investigate the potential of incorporating alternative forms of prior knowledge, such as textual prompts and cross-frame temporal correlations, to further improve the quality of inverted features. Our findings reveal that diffusion models can effectively leverage hidden information from the DNN features, resulting in superior reconstruction performance compared to previous methods. This research offers valuable insights into how diffusion models can enhance privacy and security within applications that are reliant on DNN features.

Paper Structure

This paper contains 46 sections, 14 equations, 25 figures, 8 tables, 3 algorithms.

Figures (25)

  • Figure 1: The DNN undergoes layer-wise partitioning and is divided between the edge and the cloud, with the intermediate features being transferred between them. In this example, we focus on the presence of a single edge device.
  • Figure 2: Feature inversion attack against Split DNN execution with white-box settings. $F_{1}(.)$ is exposed to the attacker.
  • Figure 3: Black-box feature inversion attack procedures.
  • Figure 4: Feature inversion with diffusion model.
  • Figure 5: Impact of textual prior on feature inversion.
  • ...and 20 more figures