GSMI: A Gradient Sign Optimization Based Model Inversion Method

Tian, Z; Zhang, C; Cui, L; Yu, S

GSMI: A Gradient Sign Optimization Based Model Inversion Method

Tian, Z

Zhang, C Cui, L Yu, S

Permalink

Publisher:: SPRINGER INTERNATIONAL PUBLISHING AG
Publication Type:: Conference Proceeding
Citation:: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2022, 13151 LNAI, pp. 67-78
Issue Date:: 2022-01-01

Closed Access

	Filename	Description	Size
	GSMI A Gradient Sign Optimization Based Model Inversion Method.pdf	Published version	80.56 MB	Adobe PDF	View/Open

Copyright Clearance Process

Recently Added
In Progress
Closed Access

This item is closed access and not available.

Full metadata record

Field	Value	Language
dc.contributor.author	Tian, Z https://orcid.org/0000-0001-8905-0941
dc.contributor.author	Zhang, C
dc.contributor.author	Cui, L
dc.contributor.author	Yu, S https://orcid.org/0000-0003-4485-6743
dc.contributor.editor	Long, G
dc.contributor.editor	Yu, X
dc.contributor.editor	Wang, S
dc.date	2022-02-02
dc.date.accessioned	2023-04-10T22:45:19Z
dc.date.available	2023-04-10T22:45:19Z
dc.date.issued	2022-01-01
dc.identifier.citation	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2022, 13151 LNAI, pp. 67-78
dc.identifier.isbn	9783030975456
dc.identifier.issn	0302-9743
dc.identifier.issn	1611-3349
dc.identifier.uri	http://hdl.handle.net/10453/169405
dc.description.abstract	The vulnerabilities of deep learning models on security and privacy have attracted a lot of attentions. Researchers have revealed the possibility of reconstructing training data of a target model. However, the performances of current works are highly rely on auxiliary datasets. In this paper, we investigate the model inversion problem under a strict restriction, where the adversary aims to reconstruct plausible samples of the target class without help of auxiliary information. To solve this challenge, we propose a Gradient Sign Model Inversion (GSMI) method based on the idea of adversarial examples generation. Specifically, we make three modifications on a popular adversarial examples generation method i-FGSM to generate plausible samples. 1) increasing the number of attack iterations and 2) superposing noises to reveal more obvious features learned by target model. 3) removing subtle noises to make reconstructed samples more plausible. However, we find samples generated by GSMI still contain noisy components. Furthermore, we adopt the idea of image adjacent regions to design a two-pass components selection algorithm to generate more reasonable sample of the target class. Through experiments, we find that the inversion samples of GSMI are close to real target class samples with some fluctuations on different classes. In addition, we also provide detail analysis for reasons of limitations on the optimization-based model inversion methods.
dc.language	en
dc.publisher	SPRINGER INTERNATIONAL PUBLISHING AG
dc.relation	http://purl.org/au-research/grants/arc/DP200101374
dc.relation.ispartof	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
dc.relation.ispartof	34th Australasian Joint Conference on Artificial Intelligence (AI)
dc.relation.ispartofseries	Lecture Notes in Artificial Intelligence
dc.relation.isbasedon	10.1007/978-3-030-97546-3_6
dc.rights	info:eu-repo/semantics/closedAccess
dc.subject.classification	Artificial Intelligence & Image Processing
dc.title	GSMI: A Gradient Sign Optimization Based Model Inversion Method
dc.type	Conference Proceeding
utslib.citation.volume	13151 LNAI
utslib.location.activity	Univ Technol Sydney, ELECTR NETWORK
pubs.organisational-group	/University of Technology Sydney
pubs.organisational-group	/University of Technology Sydney/Faculty of Engineering and Information Technology
pubs.organisational-group	/University of Technology Sydney/Faculty of Engineering and Information Technology/School of Computer Science
utslib.copyright.status	closed_access	*
dc.date.updated	2023-04-10T22:45:13Z
pubs.finish-date	2022-02-04
pubs.publication-status	Published
pubs.start-date	2022-02-02
pubs.volume	13151 LNAI

Abstract:

The vulnerabilities of deep learning models on security and privacy have attracted a lot of attentions. Researchers have revealed the possibility of reconstructing training data of a target model. However, the performances of current works are highly rely on auxiliary datasets. In this paper, we investigate the model inversion problem under a strict restriction, where the adversary aims to reconstruct plausible samples of the target class without help of auxiliary information. To solve this challenge, we propose a Gradient Sign Model Inversion (GSMI) method based on the idea of adversarial examples generation. Specifically, we make three modifications on a popular adversarial examples generation method i-FGSM to generate plausible samples. 1) increasing the number of attack iterations and 2) superposing noises to reveal more obvious features learned by target model. 3) removing subtle noises to make reconstructed samples more plausible. However, we find samples generated by GSMI still contain noisy components. Furthermore, we adopt the idea of image adjacent regions to design a two-pass components selection algorithm to generate more reasonable sample of the target class. Through experiments, we find that the inversion samples of GSMI are close to real target class samples with some fluctuations on different classes. In addition, we also provide detail analysis for reasons of limitations on the optimization-based model inversion methods.

Please use this identifier to cite or link to this item:

http://hdl.handle.net/10453/169405