Plug & Play Attacks: Towards Robust and Flexible Model Inversion Attacks

Lukas Struppek, Dominik Hintersdorf, Antonio De Almeida Correira, Antonia Adler, Kristian Kersting
Proceedings of the 39th International Conference on Machine Learning, PMLR 162:20522-20545, 2022.

Abstract

Model inversion attacks (MIAs) aim to create synthetic images that reflect the class-wise characteristics from a target classifier’s private training data by exploiting the model’s learned knowledge. Previous research has developed generative MIAs that use generative adversarial networks (GANs) as image priors tailored to a specific target model. This makes the attacks time- and resource-consuming, inflexible, and susceptible to distributional shifts between datasets. To overcome these drawbacks, we present Plug & Play Attacks, which relax the dependency between the target model and image prior, and enable the use of a single GAN to attack a wide range of targets, requiring only minor adjustments to the attack. Moreover, we show that powerful MIAs are possible even with publicly available pre-trained GANs and under strong distributional shifts, for which previous approaches fail to produce meaningful results. Our extensive evaluation confirms the improved robustness and flexibility of Plug & Play Attacks and their ability to create high-quality images revealing sensitive class characteristics.

Cite this Paper


BibTeX
@InProceedings{pmlr-v162-struppek22a,
  title = {Plug & Play Attacks: Towards Robust and Flexible Model Inversion Attacks},
  author = {Struppek, Lukas and Hintersdorf, Dominik and De Almeida Correira, Antonio and Adler, Antonia and Kersting, Kristian},
  booktitle = {Proceedings of the 39th International Conference on Machine Learning},
  pages = {20522--20545},
  year = {2022},
  editor = {Chaudhuri, Kamalika and Jegelka, Stefanie and Song, Le and Szepesvari, Csaba and Niu, Gang and Sabato, Sivan},
  volume = {162},
  series = {Proceedings of Machine Learning Research},
  month = {17--23 Jul},
  publisher = {PMLR},
  pdf = {https://proceedings.mlr.press/v162/struppek22a/struppek22a.pdf},
  url = {https://proceedings.mlr.press/v162/struppek22a.html},
  abstract = {Model inversion attacks (MIAs) aim to create synthetic images that reflect the class-wise characteristics from a target classifier’s private training data by exploiting the model’s learned knowledge. Previous research has developed generative MIAs that use generative adversarial networks (GANs) as image priors tailored to a specific target model. This makes the attacks time- and resource-consuming, inflexible, and susceptible to distributional shifts between datasets. To overcome these drawbacks, we present Plug & Play Attacks, which relax the dependency between the target model and image prior, and enable the use of a single GAN to attack a wide range of targets, requiring only minor adjustments to the attack. Moreover, we show that powerful MIAs are possible even with publicly available pre-trained GANs and under strong distributional shifts, for which previous approaches fail to produce meaningful results. Our extensive evaluation confirms the improved robustness and flexibility of Plug & Play Attacks and their ability to create high-quality images revealing sensitive class characteristics.}
}
Endnote
%0 Conference Paper
%T Plug & Play Attacks: Towards Robust and Flexible Model Inversion Attacks
%A Lukas Struppek
%A Dominik Hintersdorf
%A Antonio De Almeida Correira
%A Antonia Adler
%A Kristian Kersting
%B Proceedings of the 39th International Conference on Machine Learning
%C Proceedings of Machine Learning Research
%D 2022
%E Kamalika Chaudhuri
%E Stefanie Jegelka
%E Le Song
%E Csaba Szepesvari
%E Gang Niu
%E Sivan Sabato
%F pmlr-v162-struppek22a
%I PMLR
%P 20522--20545
%U https://proceedings.mlr.press/v162/struppek22a.html
%V 162
%X Model inversion attacks (MIAs) aim to create synthetic images that reflect the class-wise characteristics from a target classifier’s private training data by exploiting the model’s learned knowledge. Previous research has developed generative MIAs that use generative adversarial networks (GANs) as image priors tailored to a specific target model. This makes the attacks time- and resource-consuming, inflexible, and susceptible to distributional shifts between datasets. To overcome these drawbacks, we present Plug & Play Attacks, which relax the dependency between the target model and image prior, and enable the use of a single GAN to attack a wide range of targets, requiring only minor adjustments to the attack. Moreover, we show that powerful MIAs are possible even with publicly available pre-trained GANs and under strong distributional shifts, for which previous approaches fail to produce meaningful results. Our extensive evaluation confirms the improved robustness and flexibility of Plug & Play Attacks and their ability to create high-quality images revealing sensitive class characteristics.
APA
Struppek, L., Hintersdorf, D., De Almeida Correira, A., Adler, A. & Kersting, K. (2022). Plug & Play Attacks: Towards Robust and Flexible Model Inversion Attacks. Proceedings of the 39th International Conference on Machine Learning, in Proceedings of Machine Learning Research 162:20522-20545. Available from https://proceedings.mlr.press/v162/struppek22a.html.
