ALGEN: Few-shot Inversion Attacks on Textual Embeddings using Alignment and Generation

Yiyi Chen, Qiongkai Xu, Johannes Bjerva

TL;DR

This work introduces ALGEN, a few-shot textual embedding inversion attack that first aligns victim embeddings to an attacker space and then reconstructs text with a trained generator. It demonstrates that the attack requires only a small amount of leaked data and transfers across languages and domains, exposing privacy risks in vector databases and retrieval-augmented generation. The study also evaluates several defenses, finding none effective in black-box settings, underscoring significant security vulnerabilities and motivating the development of robust embedding protections. The approach broadens embedding alignment in NLP and has practical implications for privacy in multilingual and cross-domain settings.

Abstract

With the growing popularity of Large Language Models (LLMs) and vector databases, private textual data is increasingly processed and stored as numerical embeddings. However, recent studies have proven that such embeddings are vulnerable to inversion attacks, where original text is reconstructed to reveal sensitive information. Previous research has largely assumed access to millions of sentences to train attack models, e.g., through data leakage or nearly unrestricted API access. With our method, a single data point is sufficient for a partially successful inversion attack. With as little as 1k data samples, performance reaches an optimum across a range of black-box encoders, without training on leaked data. We present a Few-shot Textual Embedding Inversion Attack using ALignment and GENeration (ALGEN), by aligning victim embeddings to the attack space and using a generative model to reconstruct text. We find that ALGEN attacks can be effectively transferred across domains and languages, revealing key information. We further examine a variety of defense mechanisms against ALGEN, and find that none are effective, highlighting the vulnerabilities posed by inversion attacks. By significantly lowering the cost of inversion and proving that embedding spaces can be aligned through one-step optimization, we establish a new textual embedding inversion paradigm with broader applications for embedding alignment in NLP.
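The alignment step described in the abstract (mapping victim embeddings into the attack space in one step) can be illustrated on synthetic data to show how exposure grows with the number of leaked embedding pairs. This is an added example, not code from the paper: the linear stand-in encoders, the use of ordinary least squares as the one-step fit, and all function names are assumptions.

```python
import numpy as np

# Constructed toy setup (not the paper's encoders or data): both "encoders" are
# random linear views of a shared latent meaning vector, plus small noise.
D_LATENT, D_VICTIM, D_ATTACK = 8, 16, 12
_rng = np.random.default_rng(0)
_A = _rng.normal(size=(D_LATENT, D_VICTIM))   # stand-in victim encoder
_B = _rng.normal(size=(D_LATENT, D_ATTACK))   # stand-in attacker encoder


def embed_pairs(n, rng):
    """Return n paired (victim, attacker) embeddings of the same latent texts."""
    z = rng.normal(size=(n, D_LATENT))
    e_v = z @ _A + 0.01 * rng.normal(size=(n, D_VICTIM))
    e_a = z @ _B + 0.01 * rng.normal(size=(n, D_ATTACK))
    return e_v, e_a


def fit_alignment(e_v, e_a):
    """One-step fit of W minimising ||e_v @ W - e_a||_F (ordinary least squares,
    assumed here; minimum-norm solution when there are fewer pairs than dimensions)."""
    w, *_ = np.linalg.lstsq(e_v, e_a, rcond=None)
    return w


def alignment_quality(n_leaked, n_test=200, seed=1):
    """Mean cosine similarity between aligned victim embeddings and the
    attacker-space embeddings of the same held-out texts."""
    rng = np.random.default_rng(seed)
    w = fit_alignment(*embed_pairs(n_leaked, rng))
    e_v, e_a = embed_pairs(n_test, rng)
    aligned = e_v @ w
    cos = np.sum(aligned * e_a, axis=1) / (
        np.linalg.norm(aligned, axis=1) * np.linalg.norm(e_a, axis=1))
    return float(cos.mean())


if __name__ == "__main__":
    # Exposure sweep: how well a fitted W generalises as more pairs leak.
    for n in (1, 8, 64, 256):
        print(f"{n:4d} leaked pairs -> mean cosine {alignment_quality(n):.3f}")
```

For a defender, the sweep is the point: the number of exposed (text, embedding) pairs needed before a linear map generalises is small relative to the embedding dimension, so rate limits sized for "millions of queries" threat models do not bound this kind of leakage.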

Paper Structure

This paper contains 36 sections, 11 equations, 6 figures, 13 tables.

Figures (6)

  • Figure 1: An illustration of inversion attacks on textual embeddings stored in a vector DB, in scenarios where (I) a user exploits API access to extract excessive embeddings to train attack model; (II) a generative AI agent's interaction channel with the DB is compromised; (III) the DB is misconfigured by an insider to expose private embeddings.
  • Figure 2: Three steps for Few-shot Inversion Attack, (1) Train a Local Embedding-to-Text Generation Model; (2) Transform victim embeddings ${\bm{e}}_{V}$ to the attack embeddings space $A$ with matrix ${\bm{W}}$; and (3) Textual embedding inversion attack.
  • Figure 3: Inversion Performance in Rouge-L (Top) and Cosine Similarities (Bottom) by Victim Models and Alignment samples. Dashed lines are results of Vec2Text and solid lines are results of ALGEN.
  • Figure 4: The Inversion and Utility Performance in Accuracy on Classification Tasks on SNLI dataset with local DP, across $\epsilon$. The solid lines represent utility performance for non-private embeddings, while the dashed lines are for LDP-guaranteed embeddings.
  • Figure 5: The Analysis of Alignment Transformation Weight (${\bm{W}}$) on Victim Encoders on different datasets.
  • ...and 1 more figures

Theorems & Definitions (3)

  • Definition B.1
  • Definition B.2
  • Definition B.3