Pseudo-Private Data Guided Model Inversion Attacks

Xiong Peng; Bo Han; Feng Liu; Tongliang Liu; Mingyuan Zhou

Pseudo-Private Data Guided Model Inversion Attacks

Xiong Peng, Bo Han^*, Feng Liu, Tongliang Liu, Mingyuan Zhou

^*Corresponding author for this work

Department of Computer Science

Research output: Chapter in book/report/conference proceeding › Conference proceeding › peer-review

Abstract

In model inversion attacks (MIAs), adversaries attempt to recover the private training data by exploiting access to a well-trained target model. Recent advancements have improved MIA performance using a two-stage generative framework. This approach first employs a generative adversarial network to learn a fixed distributional prior, which is then used to guide the inversion process during the attack. However, in this paper, we observed a phenomenon that such a fixed prior would lead to a low probability of sampling actual private data during the inversion process due to the inherent distribution gap between the prior distribution and the private data distribution, thereby constraining attack performance. To address this limitation, we propose increasing the density around high-quality pseudo-private data-recovered samples through model inversion that exhibit characteristics of the private training data-by slightly tuning the generator. This strategy effectively increases the probability of sampling actual private data that is close to these pseudo-private data during the inversion process. After integrating our method, the generative model inversion pipeline is strengthened, leading to improvements over state-of-the-art MIAs. This paves the way for new research directions in generative MIAs. Our source code is available at: https://github.com/tmlr-group/PPDG-MI.

Original language	English
Title of host publication	Proceedings of 38th Conference on Neural Information Processing Systems, NeurIPS 2024
Editors	A. Globerson, L. Mackey, D. Belgrave, A. Fan, U. Paquet, J. Tomczak, C. Zhang
Publisher	Neural Information Processing Systems Foundation
Pages	1-38
Number of pages	38
ISBN (Electronic)	9798331314385
Publication status	Published - Dec 2024
Event	38th Conference on Neural Information Processing Systems, NeurIPS 2024 - Vancouver Convention Center , Vancouver, Canada Duration: 9 Dec 2024 → 15 Dec 2024 https://neurips.cc/Conferences/2024 https://openreview.net/group?id=NeurIPS.cc/2024 https://proceedings.neurips.cc/paper_files/paper/2024

Publication series

Name	Advances in Neural Information Processing Systems
Publisher	Neural information processing systems foundation
Volume	37
ISSN (Print)	1049-5258

Name	NeurIPS Proceedings

Conference

Conference	38th Conference on Neural Information Processing Systems, NeurIPS 2024
Country/Territory	Canada
City	Vancouver
Period	9/12/24 → 15/12/24
Internet address	https://neurips.cc/Conferences/2024 https://openreview.net/group?id=NeurIPS.cc/2024 https://proceedings.neurips.cc/paper_files/paper/2024

Access to Document

https://proceedings.neurips.cc/paper_files/paper/2024/file/3a797b10ff20562b1ecee0d4e914c1c7-Paper-Conference.pdf

Cite this

Peng, X., Han, B., Liu, F., Liu, T., & Zhou, M. (2024). Pseudo-Private Data Guided Model Inversion Attacks. In A. Globerson, L. Mackey, D. Belgrave, A. Fan, U. Paquet, J. Tomczak, & C. Zhang (Eds.), Proceedings of 38th Conference on Neural Information Processing Systems, NeurIPS 2024 (pp. 1-38). (Advances in Neural Information Processing Systems; Vol. 37), (NeurIPS Proceedings). Neural Information Processing Systems Foundation. https://proceedings.neurips.cc/paper_files/paper/2024/file/3a797b10ff20562b1ecee0d4e914c1c7-Paper-Conference.pdf

Peng, Xiong ; Han, Bo ; Liu, Feng et al. / Pseudo-Private Data Guided Model Inversion Attacks. Proceedings of 38th Conference on Neural Information Processing Systems, NeurIPS 2024. editor / A. Globerson ; L. Mackey ; D. Belgrave ; A. Fan ; U. Paquet ; J. Tomczak ; C. Zhang. Neural Information Processing Systems Foundation, 2024. pp. 1-38 (Advances in Neural Information Processing Systems). (NeurIPS Proceedings).

@inproceedings{b3a1a70de0ab4e1cafa4dd01434db58a,

title = "Pseudo-Private Data Guided Model Inversion Attacks",

abstract = "In model inversion attacks (MIAs), adversaries attempt to recover the private training data by exploiting access to a well-trained target model. Recent advancements have improved MIA performance using a two-stage generative framework. This approach first employs a generative adversarial network to learn a fixed distributional prior, which is then used to guide the inversion process during the attack. However, in this paper, we observed a phenomenon that such a fixed prior would lead to a low probability of sampling actual private data during the inversion process due to the inherent distribution gap between the prior distribution and the private data distribution, thereby constraining attack performance. To address this limitation, we propose increasing the density around high-quality pseudo-private data-recovered samples through model inversion that exhibit characteristics of the private training data-by slightly tuning the generator. This strategy effectively increases the probability of sampling actual private data that is close to these pseudo-private data during the inversion process. After integrating our method, the generative model inversion pipeline is strengthened, leading to improvements over state-of-the-art MIAs. This paves the way for new research directions in generative MIAs. Our source code is available at: https://github.com/tmlr-group/PPDG-MI.",

author = "Xiong Peng and Bo Han and Feng Liu and Tongliang Liu and Mingyuan Zhou",

note = "XP and BH were supported by NSFC General Program No. 62376235, Guangdong Basic and Applied Basic Research Foundation Nos. 2022A1515011652 and 2024A1515012399, HKBU Faculty Niche Research Areas No. RC-FNRA-IG/22-23/SCI/04, and HKBU CSD Departmental Incentive Scheme. TLL was partially supported by the following Australian Research Council projects: FT220100318, DP220102121, LP220100527, LP220200949, and IC190100031. FL is supported by the Australian Research Council (ARC) with grant numbers DP230101540 and DE240101089, and the NSF&CSIRO Responsible AI program with grant number 2303037. Publisher Copyright: {\textcopyright} 2024 Neural information processing systems foundation. All rights reserved.; 38th Conference on Neural Information Processing Systems, NeurIPS 2024 ; Conference date: 09-12-2024 Through 15-12-2024",

year = "2024",

month = dec,

language = "English",

series = "Advances in Neural Information Processing Systems",

publisher = "Neural Information Processing Systems Foundation",

pages = "1--38",

editor = "A. Globerson and L. Mackey and D. Belgrave and A. Fan and U. Paquet and J. Tomczak and C. Zhang",

booktitle = "Proceedings of 38th Conference on Neural Information Processing Systems, NeurIPS 2024",

url = "https://neurips.cc/Conferences/2024, https://openreview.net/group?id=NeurIPS.cc/2024, https://proceedings.neurips.cc/paper_files/paper/2024",

}

Peng, X, Han, B, Liu, F, Liu, T & Zhou, M 2024, Pseudo-Private Data Guided Model Inversion Attacks. in A Globerson, L Mackey, D Belgrave, A Fan, U Paquet, J Tomczak & C Zhang (eds), Proceedings of 38th Conference on Neural Information Processing Systems, NeurIPS 2024. Advances in Neural Information Processing Systems, vol. 37, NeurIPS Proceedings, Neural Information Processing Systems Foundation, pp. 1-38, 38th Conference on Neural Information Processing Systems, NeurIPS 2024, Vancouver, Canada, 9/12/24. <https://proceedings.neurips.cc/paper_files/paper/2024/file/3a797b10ff20562b1ecee0d4e914c1c7-Paper-Conference.pdf>

Pseudo-Private Data Guided Model Inversion Attacks. / Peng, Xiong; Han, Bo; Liu, Feng et al.
Proceedings of 38th Conference on Neural Information Processing Systems, NeurIPS 2024. ed. / A. Globerson; L. Mackey; D. Belgrave; A. Fan; U. Paquet; J. Tomczak; C. Zhang. Neural Information Processing Systems Foundation, 2024. p. 1-38 (Advances in Neural Information Processing Systems; Vol. 37), (NeurIPS Proceedings).

Research output: Chapter in book/report/conference proceeding › Conference proceeding › peer-review

TY - GEN

T1 - Pseudo-Private Data Guided Model Inversion Attacks

AU - Peng, Xiong

AU - Han, Bo

AU - Liu, Feng

AU - Liu, Tongliang

AU - Zhou, Mingyuan

N1 - XP and BH were supported by NSFC General Program No. 62376235, Guangdong Basic and Applied Basic Research Foundation Nos. 2022A1515011652 and 2024A1515012399, HKBU Faculty Niche Research Areas No. RC-FNRA-IG/22-23/SCI/04, and HKBU CSD Departmental Incentive Scheme. TLL was partially supported by the following Australian Research Council projects: FT220100318, DP220102121, LP220100527, LP220200949, and IC190100031. FL is supported by the Australian Research Council (ARC) with grant numbers DP230101540 and DE240101089, and the NSF&CSIRO Responsible AI program with grant number 2303037. Publisher Copyright: © 2024 Neural information processing systems foundation. All rights reserved.

PY - 2024/12

Y1 - 2024/12

N2 - In model inversion attacks (MIAs), adversaries attempt to recover the private training data by exploiting access to a well-trained target model. Recent advancements have improved MIA performance using a two-stage generative framework. This approach first employs a generative adversarial network to learn a fixed distributional prior, which is then used to guide the inversion process during the attack. However, in this paper, we observed a phenomenon that such a fixed prior would lead to a low probability of sampling actual private data during the inversion process due to the inherent distribution gap between the prior distribution and the private data distribution, thereby constraining attack performance. To address this limitation, we propose increasing the density around high-quality pseudo-private data-recovered samples through model inversion that exhibit characteristics of the private training data-by slightly tuning the generator. This strategy effectively increases the probability of sampling actual private data that is close to these pseudo-private data during the inversion process. After integrating our method, the generative model inversion pipeline is strengthened, leading to improvements over state-of-the-art MIAs. This paves the way for new research directions in generative MIAs. Our source code is available at: https://github.com/tmlr-group/PPDG-MI.

AB - In model inversion attacks (MIAs), adversaries attempt to recover the private training data by exploiting access to a well-trained target model. Recent advancements have improved MIA performance using a two-stage generative framework. This approach first employs a generative adversarial network to learn a fixed distributional prior, which is then used to guide the inversion process during the attack. However, in this paper, we observed a phenomenon that such a fixed prior would lead to a low probability of sampling actual private data during the inversion process due to the inherent distribution gap between the prior distribution and the private data distribution, thereby constraining attack performance. To address this limitation, we propose increasing the density around high-quality pseudo-private data-recovered samples through model inversion that exhibit characteristics of the private training data-by slightly tuning the generator. This strategy effectively increases the probability of sampling actual private data that is close to these pseudo-private data during the inversion process. After integrating our method, the generative model inversion pipeline is strengthened, leading to improvements over state-of-the-art MIAs. This paves the way for new research directions in generative MIAs. Our source code is available at: https://github.com/tmlr-group/PPDG-MI.

UR - https://proceedings.neurips.cc/paper_files/paper/2024

UR - http://www.scopus.com/inward/record.url?scp=105000541851&partnerID=8YFLogxK

M3 - Conference proceeding

AN - SCOPUS:105000541851

T3 - Advances in Neural Information Processing Systems

SP - 1

EP - 38

BT - Proceedings of 38th Conference on Neural Information Processing Systems, NeurIPS 2024

A2 - Globerson, A.

A2 - Mackey, L.

A2 - Belgrave, D.

A2 - Fan, A.

A2 - Paquet, U.

A2 - Tomczak, J.

A2 - Zhang, C.

PB - Neural Information Processing Systems Foundation

T2 - 38th Conference on Neural Information Processing Systems, NeurIPS 2024

Y2 - 9 December 2024 through 15 December 2024

ER -

Peng X, Han B, Liu F, Liu T, Zhou M. Pseudo-Private Data Guided Model Inversion Attacks. In Globerson A, Mackey L, Belgrave D, Fan A, Paquet U, Tomczak J, Zhang C, editors, Proceedings of 38th Conference on Neural Information Processing Systems, NeurIPS 2024. Neural Information Processing Systems Foundation. 2024. p. 1-38. (Advances in Neural Information Processing Systems). (NeurIPS Proceedings).

Pseudo-Private Data Guided Model Inversion Attacks

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this