Model Inversion Attack via Dynamic Memory Learning

Gege Qi,YueFeng Chen,Xiaofeng Mao,Binyuan Hui,Xiaodan Li,Rong Zhang,Hui Xue
2023-08-24
Abstract: Model Inversion (MI) attacks aim to recover the private training data from the target model, which has raised security concerns about the deployment of DNNs in practice. Recent advances in generative adversarial models have rendered them particularly effective in MI attacks, primarily due to their ability to generate high-fidelity and perceptually realistic images that closely resemble the target data. In this work, we propose a novel Dynamic Memory Model Inversion Attack (DMMIA) to leverage historically learned knowledge, which interacts with samples (during the training) to induce diverse generations. DMMIA constructs two types of prototypes to inject the information about historically learned knowledge: Intra-class Multicentric Representation (IMR) representing target-related concepts by multiple learnable prototypes, and Inter-class Discriminative Representation (IDR) characterizing the memorized samples as learned prototypes to capture more privacy-related information. As a result, our DMMIA has a more informative representation, which brings more diverse and discriminative generated results. Experiments on multiple benchmarks show that DMMIA performs better than state-of-the-art MI attack methods.
Computer Vision and Pattern Recognition
What problem does this paper attempt to address?
The problem this paper attempts to solve is privacy leakage from deep neural networks (DNNs) in practical deployment, specifically the recovery of private training data through model inversion (MI) attacks. The paper focuses on how to use generative adversarial networks (GANs) to conduct efficient MI attacks while addressing the "catastrophic forgetting" problem common to these attacks. The authors propose a new MI attack method based on a dynamic memory mechanism, DMMIA (Dynamic Memory Model Inversion Attack), which aims to increase the diversity of generated samples and the attack effectiveness by introducing two prototype representations: the intra-class multicentric representation (IMR) and the inter-class discriminative representation (IDR).

### Main contributions of the paper

1. **A new dynamic memory model inversion attack (DMMIA)**: The method combines the intra-class multicentric representation (IMR) with the inter-class discriminative representation (IDR) and retains historical knowledge through memory reuse, improving both attack performance and the diversity of generated samples.
2. **Theoretical and empirical verification**: The authors analyze theoretically how DMMIA increases sample diversity and verify its effectiveness through experiments.
3. **A new state-of-the-art level on multiple benchmarks**: Experimental results show that DMMIA outperforms existing MI attack methods across multiple datasets and model architectures.

### Technical details of the paper

- **Intra-class multicentric representation (IMR)**: Represents multiple concepts of the target class with multiple learnable prototypes, increasing the diversity of intra-class samples.
- **Inter-class discriminative representation (IDR)**: Maintains a memory bank storing the features of historically generated images, pulling the embedding features of generated samples closer to their corresponding prototypes and thereby sharpening inter-class discrimination.
- **Momentum update**: A momentum update mechanism refreshes the prototypes in the memory bank stably and prevents catastrophic forgetting.

### Experimental results

- **Attack accuracy**: DMMIA significantly improves the attack success rate on multiple datasets. For example, Acc@1 on the CelebA dataset reaches 94.02%, approximately 6.26% higher than existing methods.
- **Sample diversity**: The samples generated by DMMIA are more diverse and more realistic, as verified by metrics such as FID, Precision, and Recall.
- **Sample authenticity**: The generated images are more visually realistic and better reflect the characteristics of the target class.

### Conclusion

DMMIA effectively addresses the catastrophic forgetting problem in MI attacks by introducing a dynamic memory mechanism, improving attack performance and the diversity of generated samples. The method performs well on multiple benchmarks and provides new ideas and technical support for future MI attack research.
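To make the memory mechanism under "Technical details" concrete, here is an added toy implementation (not code from the paper or its authors) of a per-class prototype memory with several centres per class (the IMR idea) whose prototypes are refreshed by a momentum update (the memory-reuse idea behind IDR). The class name `PrototypeMemory`, the lazy slot-claiming rule with its `claim_threshold`, and the four orthogonal "concept" vectors in `MODES` are assumptions made for this illustration only; the features are constructed samples, and nothing here queries any model. It shows why one centre per class cannot hold two distinct concepts, and how the momentum value controls how quickly older knowledge is forgotten.

```python
import math
import random

# Added illustration, not code from the paper: a memory bank holding K
# learnable prototypes per class that is refreshed by an exponential moving
# average (momentum), so knowledge stored earlier decays slowly instead of
# being overwritten by the newest sample. All vectors are constructed toy
# data, not embeddings from any real model.


def normalize(v):
    """Scale v to unit length (a zero vector is returned unchanged)."""
    n = math.sqrt(sum(x * x for x in v)) or 1.0
    return [x / n for x in v]


def cosine(a, b):
    """Cosine similarity between two vectors."""
    return sum(x * y for x, y in zip(normalize(a), normalize(b)))


class PrototypeMemory:
    """K prototype slots per class; an incoming feature either claims an empty
    slot (when it resembles none of the stored prototypes) or nudges its
    nearest prototype with momentum m: p <- normalize(m*p + (1-m)*f)."""

    def __init__(self, num_classes, k, momentum=0.9, claim_threshold=0.5):
        self.momentum = momentum
        self.claim_threshold = claim_threshold  # assumed rule, see lead-in
        self.protos = [[None] * k for _ in range(num_classes)]

    def filled(self, class_id):
        return [(j, p) for j, p in enumerate(self.protos[class_id]) if p is not None]

    def nearest(self, class_id, feat):
        """Slot index of the class's most similar stored prototype, or None."""
        cands = self.filled(class_id)
        if not cands:
            return None
        return max(cands, key=lambda jp: cosine(jp[1], feat))[0]

    def update(self, class_id, feat):
        feat = normalize(feat)
        slots = self.protos[class_id]
        j = self.nearest(class_id, feat)
        best = cosine(slots[j], feat) if j is not None else -1.0
        # A feature unlike every stored prototype claims a free slot, so one
        # class can keep several distinct concepts (multiple centres).
        if best < self.claim_threshold and None in slots:
            j = slots.index(None)
            slots[j] = feat
            return j
        m = self.momentum
        slots[j] = normalize([m * p + (1 - m) * f for p, f in zip(slots[j], feat)])
        return j

    def discriminative_margin(self, class_id, feat):
        """Similarity to the own class's best prototype minus the best
        similarity to any other class's prototype (positive = separated)."""
        own = max(cosine(p, feat) for _, p in self.filled(class_id))
        other = max(cosine(p, feat)
                    for c in range(len(self.protos)) if c != class_id
                    for _, p in self.filled(c))
        return own - other


# Constructed concepts: each class has two orthogonal modes.
MODES = {0: [[1.0, 0.0, 0.0, 0.0], [0.0, 1.0, 0.0, 0.0]],
         1: [[0.0, 0.0, 1.0, 0.0], [0.0, 0.0, 0.0, 1.0]]}


def run_demo(steps=200, momentum=0.9, seed=1):
    """Stream noisy samples from both classes (alternating concepts) through
    the memory and return it for inspection."""
    rng = random.Random(seed)
    mem = PrototypeMemory(num_classes=2, k=2, momentum=momentum)
    for step in range(steps):
        c = step % 2
        mode = MODES[c][(step // 2) % 2]
        feat = [x + rng.gauss(0.0, 0.1) for x in mode]  # constructed sample
        mem.update(c, feat)
    return mem


if __name__ == "__main__":
    mem = run_demo()
    for c, modes in MODES.items():
        print(f"class {c}: concepts land in slots",
              [mem.nearest(c, m) for m in modes],
              "margins", [round(mem.discriminative_margin(c, m), 3) for m in modes])
```

After the run, each class's two concepts occupy two different slots (a single prototype would have collapsed them into one average), and every concept is far closer to its own class's prototypes than to the other class's. Lowering `momentum` makes a prototype track the latest sample more aggressively, which is exactly the forgetting the paper's momentum update is meant to avoid.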