Pseudo-Private Data Guided Model Inversion Attacks
Peng, Xiong ; Han, Bo ; Liu, Feng ; Liu, Tongliang ; Zhou, Mingyuan
Department
Machine Learning
Type
Conference proceeding
Date
2024
Language
English
Abstract
In model inversion attacks (MIAs), adversaries attempt to recover private training data by exploiting access to a well-trained target model. Recent advances have improved MIA performance using a two-stage generative framework: a generative adversarial network first learns a fixed distributional prior, which then guides the inversion process during the attack. In this paper, however, we observe that such a fixed prior leads to a low probability of sampling actual private data during inversion, because of the inherent gap between the prior distribution and the private data distribution, and this constrains attack performance. To address this limitation, we propose increasing the density around high-quality pseudo-private data (samples recovered through model inversion that exhibit characteristics of the private training data) by slightly tuning the generator. This strategy effectively increases the probability of sampling actual private data that is close to these pseudo-private data during inversion. After integrating our method, the generative model inversion pipeline is strengthened, leading to improvements over state-of-the-art MIAs. This paves the way for new research directions in generative MIAs.
Citation
X. Peng, B. Han, F. Liu, T. Liu, and M. Zhou, “Pseudo-Private Data Guided Model Inversion Attacks,” Adv Neural Inf Process Syst, vol. 37, pp. 33338–33375, Dec. 2024, Accessed: Mar. 24, 2025. [Online]. Available: https://github.com/tmlr-group/PPDG-MI.
Source
Advances in Neural Information Processing Systems (NeurIPS 2024)
Conference
Keywords
Model inversion attacks, Pseudo-private data guidance, Training data recovery, Adversarial exploitation, Target model vulnerability
Publisher
NEURIPS
