A Sample-Level Evaluation and Generative Framework for Model Inversion Attacks

Haoyang Li; Li Bai; Qingqing Ye; Haibo Hu; Yaxin Xiao; Huadi Zheng; Jianliang Xu

doi:10.1609/aaai.v39i17.34012

A Sample-Level Evaluation and Generative Framework for Model Inversion Attacks

Haoyang Li, Li Bai, Qingqing Ye, Haibo Hu^*, Yaxin Xiao, Huadi Zheng, Jianliang Xu

^*Corresponding author for this work

Department of Computer Science

Research output: Chapter in book/report/conference proceeding › Conference proceeding › peer-review

1 Citation (Scopus)

Abstract

Model Inversion (MI) attacks, which reconstruct the training dataset of neural networks, pose significant privacy concerns in machine learning. Recent MI attacks have managed to reconstruct realistic label-level private data, such as the general appearance of a target person from all training images labeled on him. Beyond label-level privacy, in this paper we show sample-level privacy, the private information of a single target sample, is also important but under-explored in the MI literature due to the limitations of existing evaluation metrics. To address this gap, this study introduces a novel metric tailored for training-sample analysis, namely, the Diversity and Distance Composite Score (DDCS), which evaluates the reconstruction fidelity of each training sample by encompassing various MI attack attributes. This, in turn, enhances the precision of sample-level privacy assessments. Leveraging DDCS as a new evaluative lens, we observe that many training samples remain resilient against even the most advanced MI attack. As such, we further propose a transfer learning framework that augments the generative capabilities of MI attackers through the integration of entropy loss and natural gradient descent. Extensive experiments verify the effectiveness of our framework on improving state-of-the-art MI attacks over various metrics including DDCS, coverage and FID. Finally, we demonstrate that DDCS can also be useful for MI defense, by identifying samples susceptible to MI attacks in an unsupervised manner.

Original language	English
Title of host publication	Proceedings of the 39th AAAI Conference on Artificial Intelligence, AAAI 2025
Publisher	AAAI press
Pages	18287-18295
Number of pages	9
ISBN (Print)	157735897X, 9781577358978
DOIs	https://doi.org/10.1609/aaai.v39i17.34012
Publication status	Published - 11 Apr 2025
Event	39th AAAI Conference on Artificial Intelligence, AAAI 2025 - Philadelphia, United States Duration: 25 Feb 2025 → 4 Mar 2025 https://ojs.aaai.org/index.php/AAAI/issue/archive (Conference Proceedings)

Publication series

Name	Proceedings of the AAAI Conference on Artificial Intelligence
Publisher	Association for the Advancement of Artificial Intelligence
Number	17
Volume	39
ISSN (Print)	2159-5399
ISSN (Electronic)	2374-3468

Conference

Conference	39th AAAI Conference on Artificial Intelligence, AAAI 2025
Country/Territory	United States
City	Philadelphia
Period	25/02/25 → 4/03/25
Internet address	https://ojs.aaai.org/index.php/AAAI/issue/archive (Conference Proceedings)

Access to Document

10.1609/aaai.v39i17.34012

Cite this

Li, H., Bai, L., Ye, Q., Hu, H., Xiao, Y., Zheng, H., & Xu, J. (2025). A Sample-Level Evaluation and Generative Framework for Model Inversion Attacks. In Proceedings of the 39th AAAI Conference on Artificial Intelligence, AAAI 2025 (pp. 18287-18295). (Proceedings of the AAAI Conference on Artificial Intelligence; Vol. 39, No. 17). AAAI press. https://doi.org/10.1609/aaai.v39i17.34012

@inproceedings{6bf2b4055da444e3aee44e75ea3fe504,

title = "A Sample-Level Evaluation and Generative Framework for Model Inversion Attacks",

abstract = "Model Inversion (MI) attacks, which reconstruct the training dataset of neural networks, pose significant privacy concerns in machine learning. Recent MI attacks have managed to reconstruct realistic label-level private data, such as the general appearance of a target person from all training images labeled on him. Beyond label-level privacy, in this paper we show sample-level privacy, the private information of a single target sample, is also important but under-explored in the MI literature due to the limitations of existing evaluation metrics. To address this gap, this study introduces a novel metric tailored for training-sample analysis, namely, the Diversity and Distance Composite Score (DDCS), which evaluates the reconstruction fidelity of each training sample by encompassing various MI attack attributes. This, in turn, enhances the precision of sample-level privacy assessments. Leveraging DDCS as a new evaluative lens, we observe that many training samples remain resilient against even the most advanced MI attack. As such, we further propose a transfer learning framework that augments the generative capabilities of MI attackers through the integration of entropy loss and natural gradient descent. Extensive experiments verify the effectiveness of our framework on improving state-of-the-art MI attacks over various metrics including DDCS, coverage and FID. Finally, we demonstrate that DDCS can also be useful for MI defense, by identifying samples susceptible to MI attacks in an unsupervised manner.",

author = "Haoyang Li and Li Bai and Qingqing Ye and Haibo Hu and Yaxin Xiao and Huadi Zheng and Jianliang Xu",

note = "This work was supported by the National Natural Science Foundation of China (Grant No: 92270123, 62072390, and 62372122), and the Research Grants Council, Hong Kong SAR, China (Grant No: 15203120, 15226221, 15209922, 15210023, and C2004-21GF). We appreciate Mr Andy Cheung Yat-ming for constructive discussions in the natural gradient descent part and anonymous reviewers for their constructive comments. Publisher Copyright: Copyright {\textcopyright} 2025, Association for the Advancement of Artificial Intelligence (www.aaai.org). All rights reserved.; 39th AAAI Conference on Artificial Intelligence, AAAI 2025 ; Conference date: 25-02-2025 Through 04-03-2025",

year = "2025",

month = apr,

day = "11",

doi = "10.1609/aaai.v39i17.34012",

language = "English",

isbn = "157735897X",

series = "Proceedings of the AAAI Conference on Artificial Intelligence",

publisher = "AAAI press",

number = "17",

pages = "18287--18295",

booktitle = "Proceedings of the 39th AAAI Conference on Artificial Intelligence, AAAI 2025",

url = "https://ojs.aaai.org/index.php/AAAI/issue/archive",

}

Li, H, Bai, L, Ye, Q, Hu, H, Xiao, Y, Zheng, H & Xu, J 2025, A Sample-Level Evaluation and Generative Framework for Model Inversion Attacks. in Proceedings of the 39th AAAI Conference on Artificial Intelligence, AAAI 2025. Proceedings of the AAAI Conference on Artificial Intelligence, no. 17, vol. 39, AAAI press, pp. 18287-18295, 39th AAAI Conference on Artificial Intelligence, AAAI 2025, Philadelphia, Pennsylvania, United States, 25/02/25. https://doi.org/10.1609/aaai.v39i17.34012

A Sample-Level Evaluation and Generative Framework for Model Inversion Attacks. / Li, Haoyang; Bai, Li; Ye, Qingqing et al.
Proceedings of the 39th AAAI Conference on Artificial Intelligence, AAAI 2025. AAAI press, 2025. p. 18287-18295 (Proceedings of the AAAI Conference on Artificial Intelligence; Vol. 39, No. 17).

Research output: Chapter in book/report/conference proceeding › Conference proceeding › peer-review

TY - GEN

T1 - A Sample-Level Evaluation and Generative Framework for Model Inversion Attacks

AU - Li, Haoyang

AU - Bai, Li

AU - Ye, Qingqing

AU - Hu, Haibo

AU - Xiao, Yaxin

AU - Zheng, Huadi

AU - Xu, Jianliang

N1 - This work was supported by the National Natural Science Foundation of China (Grant No: 92270123, 62072390, and 62372122), and the Research Grants Council, Hong Kong SAR, China (Grant No: 15203120, 15226221, 15209922, 15210023, and C2004-21GF). We appreciate Mr Andy Cheung Yat-ming for constructive discussions in the natural gradient descent part and anonymous reviewers for their constructive comments. Publisher Copyright: Copyright © 2025, Association for the Advancement of Artificial Intelligence (www.aaai.org). All rights reserved.

PY - 2025/4/11

Y1 - 2025/4/11

N2 - Model Inversion (MI) attacks, which reconstruct the training dataset of neural networks, pose significant privacy concerns in machine learning. Recent MI attacks have managed to reconstruct realistic label-level private data, such as the general appearance of a target person from all training images labeled on him. Beyond label-level privacy, in this paper we show sample-level privacy, the private information of a single target sample, is also important but under-explored in the MI literature due to the limitations of existing evaluation metrics. To address this gap, this study introduces a novel metric tailored for training-sample analysis, namely, the Diversity and Distance Composite Score (DDCS), which evaluates the reconstruction fidelity of each training sample by encompassing various MI attack attributes. This, in turn, enhances the precision of sample-level privacy assessments. Leveraging DDCS as a new evaluative lens, we observe that many training samples remain resilient against even the most advanced MI attack. As such, we further propose a transfer learning framework that augments the generative capabilities of MI attackers through the integration of entropy loss and natural gradient descent. Extensive experiments verify the effectiveness of our framework on improving state-of-the-art MI attacks over various metrics including DDCS, coverage and FID. Finally, we demonstrate that DDCS can also be useful for MI defense, by identifying samples susceptible to MI attacks in an unsupervised manner.

AB - Model Inversion (MI) attacks, which reconstruct the training dataset of neural networks, pose significant privacy concerns in machine learning. Recent MI attacks have managed to reconstruct realistic label-level private data, such as the general appearance of a target person from all training images labeled on him. Beyond label-level privacy, in this paper we show sample-level privacy, the private information of a single target sample, is also important but under-explored in the MI literature due to the limitations of existing evaluation metrics. To address this gap, this study introduces a novel metric tailored for training-sample analysis, namely, the Diversity and Distance Composite Score (DDCS), which evaluates the reconstruction fidelity of each training sample by encompassing various MI attack attributes. This, in turn, enhances the precision of sample-level privacy assessments. Leveraging DDCS as a new evaluative lens, we observe that many training samples remain resilient against even the most advanced MI attack. As such, we further propose a transfer learning framework that augments the generative capabilities of MI attackers through the integration of entropy loss and natural gradient descent. Extensive experiments verify the effectiveness of our framework on improving state-of-the-art MI attacks over various metrics including DDCS, coverage and FID. Finally, we demonstrate that DDCS can also be useful for MI defense, by identifying samples susceptible to MI attacks in an unsupervised manner.

UR - http://www.scopus.com/inward/record.url?scp=105004168825&partnerID=8YFLogxK

U2 - 10.1609/aaai.v39i17.34012

DO - 10.1609/aaai.v39i17.34012

M3 - Conference proceeding

AN - SCOPUS:105004168825

SN - 157735897X

SN - 9781577358978

T3 - Proceedings of the AAAI Conference on Artificial Intelligence

SP - 18287

EP - 18295

BT - Proceedings of the 39th AAAI Conference on Artificial Intelligence, AAAI 2025

PB - AAAI press

T2 - 39th AAAI Conference on Artificial Intelligence, AAAI 2025

Y2 - 25 February 2025 through 4 March 2025

ER -

A Sample-Level Evaluation and Generative Framework for Model Inversion Attacks

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this