Querying Kernel Methods Suffices for Reconstructing their Training Data

Daniel Barzilai, Yuval Margalit, Eitan Gronich, Gilad Yehudai, Meirav Galun, Ronen Basri

TL;DR

The paper investigates privacy risks in kernel methods under query-only access, showing that an attacker can reconstruct training data for kernel regression, SVM, and KDE. It formalizes a reconstruction loss that leverages only model outputs and proves that, for strictly positive-definite and almost-analytic kernels, a sufficiently large number of queries ($m > n(d+2)$) suffices to recover the training set with probability 1. Empirically, reconstructions on CIFAR10 and CelebA are high quality across multiple kernels, highlighting that parameter-hiding defenses are insufficient in black-box settings. The work underscores privacy concerns in kernel-based learning and motivates the development of robust privacy-preserving techniques even when model parameters are not exposed.

Abstract

Over-parameterized models have raised concerns about their potential to memorize training data, even when achieving strong generalization. The privacy implications of such memorization are generally unclear, particularly in scenarios where only model outputs are accessible. We study this question in the context of kernel methods, and demonstrate both empirically and theoretically that querying kernel models at various points suffices to reconstruct their training data, even without access to model parameters. Our results hold for a range of kernel methods, including kernel regression, support vector machines, and kernel density estimation. Our hope is that this work can illuminate potential privacy concerns for such models.
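The query-only reconstruction loop that the TL;DR and Fig. 2 describe, written out for the simplest of the three model classes, a kernel density estimator, as an added example that is not the paper's code. The attacked model is a 2-D Gaussian KDE built from three constructed training points; the attacker can only call `black_box(q)` and never reads `TRUE_POINTS`. It queries the model on a regular grid (the theorem draws queries from a density; the grid is a convenience assumed here), forms a loss from the outputs alone (mean squared discrepancy between the observed outputs and the outputs of the KDE built from the candidate points; the paper's own Eq. (eq:loss_reconstruction) is not reproduced on this page, so this form is an assumption), and minimises it by gradient descent over the candidate points. The bandwidth is assumed known to the attacker, and the candidates start at well-separated high-output queries rather than at the random samples Fig. 2 uses; both are design choices of this example. With n = 3 and d = 2 the grid's 1681 queries comfortably exceed the n(d+2) = 12 queries the TL;DR cites.

```python
"""Black-box reconstruction of the training points of a 2-D Gaussian KDE.

Added example, not the paper's code. The attacker may only call black_box(q)
and never reads TRUE_POINTS; it fits n candidate points so that the KDE they
define reproduces the observed outputs on its queries. The loss (mean squared
output discrepancy over the queries), the query grid, the greedy start and all
constants are assumptions made for this illustration.
"""
import numpy as np

SIGMA = 1.0                                   # RBF bandwidth, assumed known to the attacker
TRUE_POINTS = np.array([[-2.1, -1.4], [1.9, 2.2], [0.8, -2.6]])   # constructed training set
N_TRAIN, DIM = TRUE_POINTS.shape


def rbf(q, z, sigma=SIGMA):
    """Kernel matrix K[j, i] = exp(-||q_j - z_i||^2 / (2 sigma^2))."""
    diff = q[:, None, :] - z[None, :, :]                       # (m, n, d)
    return np.exp(-np.sum(diff ** 2, axis=-1) / (2.0 * sigma ** 2))


def kde(points, q, sigma=SIGMA):
    """KDE output f(q) = (1/n) sum_i k(q, x_i) for every row of q."""
    return rbf(q, points, sigma).mean(axis=1)


def black_box(q):
    """The attacked predictor: outputs only, no parameters."""
    return kde(TRUE_POINTS, q)


def grid_queries(lo=-5.0, hi=5.0, steps=41):
    """Regular grid of query points covering [lo, hi]^2 (1681 points by default)."""
    gx, gy = np.meshgrid(np.linspace(lo, hi, steps), np.linspace(lo, hi, steps))
    return np.column_stack([gx.ravel(), gy.ravel()])


def reconstruction_loss(z, q, targets, sigma=SIGMA):
    """Mean squared gap between the observed outputs and the KDE built from z."""
    return float(np.mean((kde(z, q, sigma) - targets) ** 2))


def loss_gradient(z, q, targets, sigma=SIGMA):
    """d loss / d z_i, using d k(q, z)/dz = k(q, z) (q - z) / sigma^2."""
    m, n = q.shape[0], z.shape[0]
    K = rbf(q, z, sigma)                                       # (m, n)
    resid = K.mean(axis=1) - targets                           # (m,)
    diff = q[:, None, :] - z[None, :, :]                       # (m, n, d)
    return 2.0 / (m * n * sigma ** 2) * np.einsum("j,ji,jid->id", resid, K, diff)


def gradient_check(z, q, targets, eps=1e-6):
    """Largest gap between loss_gradient and central finite differences."""
    g, worst = loss_gradient(z, q, targets), 0.0
    for i in range(z.shape[0]):
        for k in range(z.shape[1]):
            zp, zm = z.copy(), z.copy()
            zp[i, k] += eps
            zm[i, k] -= eps
            fd = (reconstruction_loss(zp, q, targets) - reconstruction_loss(zm, q, targets)) / (2 * eps)
            worst = max(worst, abs(fd - g[i, k]))
    return worst


def greedy_init(q, targets, n, min_dist=2.0 * SIGMA):
    """Start candidates at well-separated high-output queries so they do not all
    pile onto one mode (a choice of this example; the paper's Fig. 2 starts at random)."""
    chosen = []
    for j in np.argsort(-targets):
        if all(np.linalg.norm(q[j] - q[c]) >= min_dist for c in chosen):
            chosen.append(j)
            if len(chosen) == n:
                return q[chosen].copy()
    raise ValueError("not enough well-separated high-output queries")


def reconstruct(query_fn, n, q, max_steps=2000):
    """Gradient descent with Armijo backtracking on the reconstruction loss.
    Returns (candidate points, final loss)."""
    targets = query_fn(q)                                      # the only model access
    z = greedy_init(q, targets, n)
    loss, step = reconstruction_loss(z, q, targets), 1.0
    for _ in range(max_steps):
        g = loss_gradient(z, q, targets)
        g_sq = float(np.sum(g ** 2))
        if loss < 1e-24 or g_sq == 0.0:
            break
        step *= 2.0                                            # be optimistic, then backtrack
        for _ in range(60):
            z_new = z - step * g
            loss_new = reconstruction_loss(z_new, q, targets)
            if loss_new <= loss - 1e-4 * step * g_sq:          # sufficient decrease
                break
            step /= 2.0
        else:
            break                                              # no decrease found: converged
        z, loss = z_new, loss_new
    return z, loss


def match_error(recon, truth):
    """Largest distance from a true training point to its nearest reconstruction."""
    dists = np.linalg.norm(truth[:, None, :] - recon[None, :, :], axis=-1)
    return float(dists.min(axis=1).max())


if __name__ == "__main__":
    queries = grid_queries()
    print(f"m = {len(queries)} queries, n(d+2) = {N_TRAIN * (DIM + 2)}")
    recon, final_loss = reconstruct(black_box, N_TRAIN, queries)
    print(np.round(recon, 5), f"loss={final_loss:.1e}",
          f"max error={match_error(recon, TRUE_POINTS):.1e}")
```

The greedy start is only as accurate as the grid spacing; the descent step is what pins the points down, which is the paper's point: once outputs must agree on enough queries there is no slack left in where the training points can be. A KDE is the easy case because every coefficient is fixed at 1/n; to attack the kernel regression or SVM predictors the paper covers, this example would also have to optimise candidate coefficients alongside the candidate points, which it does not do.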

Paper Structure

This paper contains 41 sections, 3 theorems, 25 equations, 23 figures, 4 tables, 1 algorithm.

Key Result

Theorem 2

Let $\mathcal{X} \subseteq \mathbb{R} ^d$ be open and $\boldsymbol{k} : \mathcal{X}\times \mathcal{X} \rightarrow \mathbb{R}$ be strictly p.d. and almost analytic. Let $\mathcal{D}$ be any distribution given by a density over $\mathcal{X}$. Let $f$ be an attacked predictor as in Eq. (eq:f_form), whe

Figures (23)

  • Figure 1: Black-box reconstruction of training images in a kernel regression task with an RBF kernel pre-trained on 500 images from the celebA dataset. The top row shows 10 reconstructions, and the bottom row shows their nearest neighbors in the training set. The full set of reconstructions can be found in the appendix (Fig. fig:krr_rbf_celebA).
  • Figure 2: Reconstruction of training points from a two-dimensional kernel density estimator that was trained on the ground truth data points marked by blue squares. We initialize our reconstruction with random samples (left panel). The blue contours represent the attacked density estimator $f$. The red dashed contours represent the model generated by our reconstructions at different steps of optimizing Eq. (eq:loss_reconstruction). The reconstructed points (marked by red crosses) match the ground truth points at convergence (right panel).
  • Figure 3: Top reconstructions from multiple kernel models trained on CIFAR10 images. Bottom row: training images from the dataset. Rows 1-4: reconstructions that are nearest to the bottom row images, obtained by attacking trained Laplace kernel, RBF kernel, cubic polynomial kernel, and NTK, respectively.
  • Figure 4: Reconstruction quality for different kernels and use cases on CIFAR10. Left: Comparison between kernel regression (KRR) and SVM with the Laplace and RBF kernels. Each point in the graph shows the median DSSIM obtained in a different run with a different number of query points. Right: Comparison between different kernels trained using KRR. In this figure, each graph shows a cumulative plot from one run, showing the quality of reconstruction, measured with DSSIM, obtained with the best $k$ images for $k \in [n]$.
  • Figure D.1: Cumulative graph comparing the quality of training data reconstructions for different kernels. The $x$-axis denotes DSSIM, and the $y$-axis the proportion of reconstructions whose DSSIM is at most the value on the $x$-axis.
  • ...and 18 more figures

Theorems & Definitions (9)

  • Definition 1
  • Theorem 2
  • Proposition 3
  • proof
  • Definition 4
  • Definition 5
  • Theorem 6
  • Remark 7
  • proof