The Role of Class Information in Model Inversion Attacks against Image Deep Learning Classifiers

Publisher:
Institute of Electrical and Electronics Engineers (IEEE)
Publication Type:
Journal Article
Citation:
IEEE Transactions on Dependable and Secure Computing, 2023, vol. PP, no. 99, pp. 1-14
Issue Date:
2023-01-01
Model inversion attacks can reconstruct the training samples of victim deep learning models. Existing efforts rely heavily on auxiliary information about the target samples (prior target information) to achieve their adversarial goals. However, prior target information is hard to obtain in practice. In this paper, we explore the effect of class information in model inversion attacks to reduce the reliance on prior target information. Our contributions to class information exploitation are two-fold. First, we propose a supervised inversion model, Supervised Model Inversion (SMI). The proposed inversion model learns pixel-level features and data-to-class features from the rounded outputs of the victim model and a labeled auxiliary dataset. Second, after the inversion model is trained, we leverage the victim model's rounded outputs to guide the optimization that reconstructs inversion samples. Our experimental results show that inversion samples reconstructed by SMI are more visually plausible and contain more detail than those produced by three representative model inversion attacks. We further perform an extensive study of various auxiliary dataset settings and find that it is the class combination in the auxiliary dataset, rather than the number of classes, that determines the quality of inversion samples. Ground-truth labels can improve the quality of inversion samples but are not essential to inversion attacks.
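The abstract does not include code, but the "rounded outputs" it refers to can be illustrated with a small sketch. The snippet below (all names, the toy linear victim model, and the gradient-ascent search are our own assumptions, not the paper's SMI implementation) shows a victim's confidence vector truncated to low precision, and a simple optimization that nudges a candidate input until the victim assigns high confidence to a chosen target class, loosely mirroring how rounded outputs can guide reconstruction:

```python
import numpy as np

def softmax(z):
    """Standard softmax over a 1-D logit vector."""
    e = np.exp(z - z.max())
    return e / e.sum()

def rounded_output(model, x, decimals=1):
    # The victim's confidence vector truncated to low precision --
    # the coarse signal the abstract calls "rounded outputs"
    # (illustrative stand-in, not the paper's exact definition).
    return np.round(softmax(model(x)), decimals)

rng = np.random.default_rng(0)
W = rng.normal(size=(3, 4))           # hypothetical linear victim: 3 classes, 4 features
victim = lambda x: W @ x

# Drive a candidate input toward high confidence for a target class
# via gradient ascent on the victim's log-confidence (a crude
# stand-in for the paper's output-guided reconstruction step).
target_class = 0
x = np.zeros(4)
for _ in range(2000):
    p = softmax(victim(x))
    grad = W.T @ (np.eye(3)[target_class] - p)  # d log p_target / dx
    x += 0.1 * grad

print(rounded_output(victim, x))
```

In this toy setting the rounded output collapses toward a near-one-hot vector for the target class, which is why rounding costs the defender little accuracy while still leaking enough signal to steer an inversion.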