A Sample-Level Evaluation and Generative Framework for Model Inversion Attacks

Haoyang Li, Li Bai, Qingqing Ye, Haibo Hu, Yaxin Xiao, Huadi Zheng, Jianliang Xu

TL;DR

This paper addresses sample-level privacy in Model Inversion (MI) attacks, arguing that per-sample leakage is a critical yet under-examined threat. It introduces the Diversity and Distance Composite Score (DDCS), a per-sample metric that jointly captures reconstruction distance and diversity and is therefore less vulnerable to distribution manipulation, and uses DDCS to guide a GAN-augmentation framework. The framework employs entropy loss with natural gradient descent and transfer learning to boost attack coverage and diversity while preserving image quality; it is validated on face and dog-breed tasks with improved DDCS, coverage, and FID over baselines. The work also shows that DDCS can aid defense by identifying vulnerable samples in an unsupervised manner, offering a practical route to privacy-preserving ML enhancements. Key contributions include the DDCS metric, a GAN-based MI attack augmentation strategy, and extensive empirical validation across datasets and architectures.

Abstract

Model Inversion (MI) attacks, which reconstruct the training dataset of neural networks, pose significant privacy concerns in machine learning. Recent MI attacks have managed to reconstruct realistic label-level private data, such as the general appearance of a target person from all training images labeled as that person. Beyond label-level privacy, in this paper we show that sample-level privacy, the private information of a single target sample, is also important but under-explored in the MI literature due to the limitations of existing evaluation metrics. To address this gap, this study introduces a novel metric tailored for training-sample analysis, namely the Diversity and Distance Composite Score (DDCS), which evaluates the reconstruction fidelity of each training sample by encompassing various MI attack attributes. This, in turn, enhances the precision of sample-level privacy assessments. Leveraging DDCS as a new evaluative lens, we observe that many training samples remain resilient against even the most advanced MI attacks. As such, we further propose a transfer learning framework that augments the generative capabilities of MI attackers through the integration of entropy loss and natural gradient descent. Extensive experiments verify the effectiveness of our framework in improving state-of-the-art MI attacks over various metrics including DDCS, coverage and FID. Finally, we demonstrate that DDCS can also be useful for MI defense, by identifying samples susceptible to MI attacks in an unsupervised manner.

Paper Structure

This paper contains 25 sections, 5 equations, 12 figures, 2 tables, 2 algorithms.

Figures (12)

  • Figure 1: When each reconstructed sample is close enough to the target dataset, average accuracy or average distance fails to differentiate between the rich and the poor attack.
  • Figure 2: Redundant samples change the data distribution, thus affecting the FID calculation, although both attacks successfully recover four images from the target dataset.
  • Figure 3: Visualization of DDCS indicating the proportion of samples for the first 100 labels of VGG16BN-UMDFaces that are matched to $\mathcal{D}_{rec}$ with three attacks (PPA, HLoss and Ours). As explained in the section on DDCS, a target sample $x^i_{tar}$ will be matched if its set $S^i_{tar}$ is non-empty after the execution of Algorithm \ref{alg:ddcs}.
  • Figure 4: Snapshots and image quality of generated images for three different approaches. Image quality, evaluated by FID, is calculated with the same random seed and training configurations. Snapshots are generated using the same fixed latent codes.
  • Figure 5: Visualization of reconstruction pairs between target (left) and reconstructed (right) samples for VGG16BN-UMDFaces, with the reconstruction distance attached at the bottom right corner. Samples in the rightmost column have no reconstruction pairs.
  • ...and 7 more figures
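The argument of Figures 1 and 2 (an average distance cannot tell a rich attack from a poor one, while per-sample match sets $S^i_{tar}$ can) carried through on toy data. This is an added illustration, not the paper's DDCS implementation: the feature points, the "rich" and "poor" attack outputs and the matching threshold are all constructed here, and the simple coverage/match-count summary stands in for the full DDCS formula, which the page does not give.

```python
"""Added example: per-sample matching versus a label-level average distance.
All data below is constructed (2-D toy feature points, not real embeddings);
the threshold is an assumed parameter, not a value from the paper."""
import math

# Constructed private target dataset: four samples as 2-D feature points.
TARGETS = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0), (10.0, 10.0)]

# "Poor" attack (Figure 2 style): four reconstructions, all redundant copies
# around a single target.
POOR_ATTACK = [(0.5, 0.0), (0.0, 0.5), (-0.5, 0.0), (0.0, -0.5)]
# "Rich" attack: one reconstruction near each target, at the same distance.
RICH_ATTACK = [(0.5, 0.0), (10.0, 0.5), (-0.5, 10.0), (10.0, 9.5)]


def mean_nearest_distance(recs, targets):
    """Label-level view: average, over reconstructions, of the distance to
    the closest target. Blind to which targets were actually recovered."""
    return sum(min(math.dist(r, t) for t in targets) for r in recs) / len(recs)


def match_sets(recs, targets, threshold):
    """Per-sample view: S_tar^i = indices of reconstructions within
    `threshold` of target i. Target i counts as matched iff S_tar^i != []."""
    return [[j for j, r in enumerate(recs) if math.dist(r, t) <= threshold]
            for t in targets]


def coverage(recs, targets, threshold):
    """Fraction of targets with a non-empty match set."""
    return sum(1 for s in match_sets(recs, targets, threshold) if s) / len(targets)


def summarize(recs, targets, threshold):
    """Both views side by side, so the divergence is visible per attack."""
    return {
        "mean_nearest_distance": mean_nearest_distance(recs, targets),
        "coverage": coverage(recs, targets, threshold),
        # Match-set sizes per target: redundancy shows up as one large set.
        "matches_per_target": [len(s) for s in match_sets(recs, targets, threshold)],
    }


if __name__ == "__main__":
    for name, recs in (("poor", POOR_ATTACK), ("rich", RICH_ATTACK)):
        print(name, summarize(recs, TARGETS, threshold=1.0))
```

Both attacks score an identical mean nearest distance of 0.5, yet the poor attack matches only one of four targets (with four redundant reconstructions piled on it) while the rich attack matches all four.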