CapRecover: A Cross-Modality Feature Inversion Attack Framework on Vision Language Models

Kedong Xiu, Sai Qian Zhang

TL;DR

CapRecover reveals a privacy risk in Vision-Language Models deployed in split-DNN configurations by directly recovering semantic content (captions and labels) from intermediate visual features, without reconstructing pixel-level images. The framework links intermediate features to text through a Feature Projection, a Feature-Text Alignment module using a Q-Former, and a Caption Generation step driven by a frozen language model, trained with a cross-entropy objective. Experiments across COCO2017, Flickr8K, ImageNet-1K, CIFAR-10, and TinyImageNet show strong semantic recovery, with ROUGE-L scores around 0.52–0.53 on captions and Top-1 accuracies up to 92.71% for label recovery, while analysis indicates deeper encoder layers carry more semantic information. The paper also proposes lightweight defenses like per-layer noise injection and discusses homomorphic encryption as a longer-term safeguard, highlighting practical privacy implications for edge-cloud VLM deployments.

Abstract

As Vision-Language Models (VLMs) are increasingly deployed in split-DNN configurations, with visual encoders (e.g., ResNet, ViT) operating on user devices and sending intermediate features to the cloud, there is a growing privacy risk from semantic information leakage. Existing approaches to reconstructing images from these intermediate features often result in blurry, semantically ambiguous images. To directly address semantic leakage, we propose CapRecover, a cross-modality inversion framework that recovers high-level semantic content, such as labels or captions, directly from intermediate features without image reconstruction. We evaluate CapRecover on multiple datasets and victim models, demonstrating strong performance in semantic recovery. Specifically, CapRecover achieves up to 92.71% Top-1 label accuracy on CIFAR-10 and generates fluent captions from ResNet50 features on COCO2017 with ROUGE-L scores up to 0.52. Our analysis further reveals that deeper convolutional layers encode significantly more semantic information compared to shallow layers. To mitigate semantic leakage, we introduce a simple yet effective protection method: adding random noise to intermediate features at each layer and removing the noise in the next layer. Experimental results show that this approach prevents semantic leakage without additional training costs. Our code is available at https://jus1mple.github.io/Image2CaptionAttack.
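The abstract's defense (add noise to a layer's output features before they leave that layer, and have the next layer strip it before computing) is easiest to see at one split boundary. The following is an added example written for this page, not the paper's implementation: it assumes a secret shared by device and cloud, derives each layer's mask from that secret with HMAC-SHA256 (a design choice made here), and uses a constructed two-layer linear model as a stand-in for a ResNet/ViT split. It shows what an eavesdropper on the wire sees (a tensor with near-zero cosine similarity to the true features, and no better with a wrong key), while the cloud's output is unchanged, which is what "no additional training cost" means in practice.

```python
import hashlib
import hmac

import numpy as np

INPUT_DIM, FEATURE_DIM, OUTPUT_DIM = 64, 512, 10
NOISE_SCALE = 10.0   # constructed: mask std chosen well above the feature std


def derive_mask(key: bytes, layer_id: int, sample_id: int, shape) -> np.ndarray:
    """Keyed pseudo-random Gaussian mask (assumed design, not from the paper).

    Both ends of the split hold `key`, so the receiving layer can regenerate and
    subtract exactly the mask the sending layer added. Binding layer_id and
    sample_id into the HMAC input keeps every (layer, sample) mask distinct.
    """
    msg = f"layer={layer_id}|sample={sample_id}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    seed = int.from_bytes(tag[:8], "big")
    # numpy's Generator is not a CSPRNG; a deployment would expand the HMAC output
    # with a keyed stream cipher instead. The keying structure is the point here.
    return np.random.default_rng(seed).normal(0.0, NOISE_SCALE, size=shape)


def mask_features(x, key, layer_id, sample_id):
    """Sender side: add this layer's mask before the tensor leaves the layer."""
    return x + derive_mask(key, layer_id, sample_id, x.shape)


def unmask_features(y, key, layer_id, sample_id):
    """Receiver side: remove the previous layer's mask before computing on it."""
    return y - derive_mask(key, layer_id, sample_id, y.shape)


def cosine(a, b):
    return float(a @ b / (np.linalg.norm(a) * np.linalg.norm(b)))


def build_toy_model(seed=0):
    """Constructed stand-in for a split encoder: layer 1 on device, layer 2 in the cloud."""
    rng = np.random.default_rng(seed)
    return {
        "w1": rng.normal(0, 1 / np.sqrt(INPUT_DIM), (INPUT_DIM, FEATURE_DIM)),
        "w2": rng.normal(0, 1 / np.sqrt(FEATURE_DIM), (FEATURE_DIM, OUTPUT_DIM)),
    }


def device_layer(model, x):
    return np.maximum(model["w1"].T @ x, 0.0)   # ReLU(W1 x), the "intermediate feature"


def cloud_layer(model, f):
    return model["w2"].T @ f


def split_inference(model, x, key, sample_id, protect):
    """Run the split model. Returns (logits, tensor_seen_on_the_wire)."""
    f = device_layer(model, x)
    wire = mask_features(f, key, layer_id=1, sample_id=sample_id) if protect else f
    # Cloud side: the next layer strips the mask at entry, then computes as usual.
    f_cloud = unmask_features(wire, key, layer_id=1, sample_id=sample_id) if protect else wire
    return cloud_layer(model, f_cloud), wire


def demo():
    model = build_toy_model()
    key = b"shared-secret-between-device-and-cloud (constructed)"
    x = np.random.default_rng(42).normal(size=INPUT_DIM)   # constructed input vector
    clean_feature = device_layer(model, x)
    logits_plain, wire_plain = split_inference(model, x, key, sample_id=7, protect=False)
    logits_prot, wire_prot = split_inference(model, x, key, sample_id=7, protect=True)
    return {
        # What an observer of the link can correlate with the true features:
        "wire_similarity_unprotected": cosine(wire_plain, clean_feature),
        "wire_similarity_protected": cosine(wire_prot, clean_feature),
        # Guessing the key just adds a second independent mask:
        "wrong_key_similarity": cosine(unmask_features(wire_prot, b"wrong-key", 1, 7), clean_feature),
        # The cloud layer's output is unaffected, so no retraining is needed:
        "outputs_match": bool(np.allclose(logits_plain, logits_prot)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same mask/unmask pair is applied at every layer boundary in the scheme the abstract describes; only one boundary is shown here. The masking itself is the only added cost, which is why the defense needs no retraining of the victim encoder.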

Paper Structure

This paper contains 30 sections, 9 equations, 7 figures, 7 tables.

Figures (7)

  • Figure 1: Illustration of the cross-modality feature inversion attack scenario. In the depicted attack scenario, the adversary steals the intermediate image features from the visual model. Leveraging these stolen features, the adversary employs CapRecover to reconstruct the image caption/label, potentially revealing sensitive or private information.
  • Figure 2: Overview of CapRecover. CapRecover mainly consists of: (1) Feature projection module, (2) Feature-text alignment module, and (3) Caption generation module. We freeze the language model and optimize other modules.
  • Figure 3: Distribution of cosine similarities across three datasets. We use intermediate features extracted from the final layer of the victim model to train CapRecover. We analyze how other intermediate layers' features impact performance in the further study and analysis section.
  • Figure 4: Example of visualizing the heatmaps of ResNet50's different middle layers. Below each figure is the generated/ground truth caption. These figures demonstrate that the shallow layer (e.g., RN50-Layer1) attends mainly to edges and local features, while deeper layers (e.g., RN50-Layer4) attend increasingly to the semantically meaningful regions of the image.
  • Figure 5: Distributions of cosine similarity on the COCO2017 dataset. We train CapRecover using the intermediate image features produced by the victim models' final linear projection layers. We further discuss how other middle layers' intermediate features affect CapRecover's performance in the further study and analysis section.