GAMIN: An Adversarial Approach to Black-Box Model Inversion
Recent works have demonstrated that machine learning models are vulnerable to model inversion attacks, which lead to the exposure of sensitive information contained in their training dataset. While some model inversion attacks have been developed in the past in the black-box attack setting, in which the adversary does not have direct access to the structure of the model, few of these have been conducted so far against complex models such as deep neural networks. In this paper, we introduce GAMIN (for Generative Adversarial Model INversion), a new black-box model inversion attack framework achieving significant results even against deep models such as convolutional neural networks at a reasonable computing cost. GAMIN is based on the continuous training of a surrogate model for the target model under attack and a generator whose objective is to generate inputs resembling those used to train the target model. The attack was validated against various neural networks used as image classifiers. In particular, when attacking models trained on the MNIST dataset, GAMIN is able to extract recognizable digits for up to 60% of labels produced by the target. Attacks against skin classification models trained on the pilot parliament dataset also demonstrated the capacity to extract recognizable features from the targets.
In recent years, the combination of increasing computing power, significant improvement in machine learning algorithms, as well as the augmentation of storage capacity have led to the development of prediction services. Those services rely on exploiting a wide variety of data, the collection of which has become an integral part of most digital and real-life markets. This push for personalized services has driven forward the use of sensitive data even in public-oriented applications such as evaluating the risk of recidivism of convicted inmates . In addition, the gathered data has also become a vital asset for providers, which often seek to ensure the exclusivity over it.
Unfortunately, data-driven algorithms such as machine learning models are not immune to information leakage [2, 3]. In particular, if those models have been trained over personal information, then an attack exploiting those leakages could result in a privacy breach (e.g., by inferring a sensitive feature for some of these individuals) for the individuals contained in the dataset used to train a learning algorithm. The potency of such an attack was first demonstrated in 2015 by Fredrikson, Jha and Ristenpart , extending as far as retrieving recognizable facial features or inferring with great accuracy a single sensitive feature. In subsequent works, efforts have been made to quantify the vulnerability of machine learning models against inference attacks related to privacy. For instance, new attacks, such as membership inference attack , as well as new metrics such as differential training privacy , have been developed.
Nonetheless some questions remain opened, especially with respect to the exploration of the possible attacks settings. Indeed, depending on the ability of the adversary to access the target model and his auxiliary knowledge of that model, the approach taken as well as the resulting efficiency can change significantly. Considering model inversion attacks, in which the attacker attempts to generate inputs resembling the original ones, Fredrikson and co-authors have left the design of effective black-box attacks as an open problem in their seminal paper . While a first significant step was proposed later , which consists in performing a black-box model extraction attack followed by the same white-box equation-solving attack used by Fredrikson and co-authors, this does not preclude the possibility that other approaches could be more efficient either in terms of the reconstruction accuracy or with respect to the knowledge required on the model attacked. In particular, one of the limits of the equation-solving attack is that it requires the knowledge of the target’s architecture.
In this paper, we propose a novel approach that we coined as GAMIN (for Generative Adversarial Model INversion) to specifically address the problem of black-box model inversion. Our attack is agnostic in the sense that we make no assumptions on the design of the target model or the original data distribution, which could arguably be the most difficult situation for the adversary . In a nutshell, our attack involves the simultaneous training of a surrogate model approximating the decision boundaries of the target and a generator that aims at producing the desired inputs, by mimicking the Generative Adversarial Networks (GANs) training process. To evaluate its cost and performance and how those are impacted by the target’s architecture, our approach was tested against a collection of classifier models. To ensure the genericity of this evaluation, we chose to consider targets of various complexity, the design of which has been observed and tested in previous works in the literature. In particular, we have been able to demonstrate the potency of this attack against image classification models for digit recognition or skin color identification.
The outline of the paper is as follows. First in Section 2, we introduce the machine learning models necessary to the understanding of our work and their vulnerabilities with respect to various privacy attacks. Afterwards in Section 3, we present the architecture of the GAMIN before describing in details how this attack performs against five models trained on the MNIST dataset in Section 4. Finally, we briefly review the related work in Section 5 before concluding in Section 6 by discussing future work.
In this section, we review the relevant background on machine learning as well as model inversion attacks.
2.1 Machine learning models
Supervised learning refers to the sub-domain of the machine learning field whose objective is to learn a function given a training dataset of input-output pairs .
The learning task is said to be a classification problem if is a label or a regression problem if is a continuous vector. The function is called a classifier when the possible values of correspond to a finite number of classes and a regressor if the value of is outputted from a continuous domain. A well-trained function should not only display a low error on the training set but also generalize to unknown .
To provide a concrete example, neural networks have been recently re-popularized as a flexible solution for most supervised machine learning tasks. Neural networks rely on the composition of parametric functions to map an input to an output . Those parametric functions correspond to layers of neurons, which are computing units parametrized by a weight vector and an activation function. Each unit, or neuron, outputs the result of its activation function to the weighted sum of its inputs. The weights themselves are updated by optimizers such as stochastic gradient descent with respect to a loss function.
Deep neural networks are an extension of neural networks to more complex architectures. Examples of such models include recurrent neural networks that allow for the treatment or production of sequences of inputs and outputs or convolutional layers that take into account the local context of each value in the vectors it processed . By accounting for context and evolution, deep neural networks can extract and interpret patterns, which in turn allows for a substantial increase in performance . Such models are now widely used in fields such as computer vision or natural language processing.
2.2 Generative adversarial networks
Generative Adversarial Networks (GANs)  refers to a framework composed of two models competing against each other, hence the term “adversarial”. In this setting, one of the models has the role of the generator while the other takes the role of the discriminator . Figure 1 depicts the associated learning process.
In a nutshell, aims at distinguishing real data from fake one while tries to fools into taking a fake data it has generated for a real one. This process has been formally defined  as a minimax game between and :
in which is the real data distribution and is usually a simple distribution (e.g., ).
2.3 Adversarial setting
When attempting an attack on a machine learning model, an adversary can have different access and knowledge of the target model  that we briefly introduced hereafter.
White-box setting. In the white-box setting, the adversary knows the architecture of the target model as well as its parameters and internal states. Typically, this setting occurs when a malicious client obtains a complete trained model from a MLaaS (Machine Learning as a Service) provider rather than a dataset and wishes to learn more about the original proprietary data this model has been trained on.
Black-box setting. When only given black-box access, the adversary does not have a direct access to the model and can only query it with an input of his choice to receive the corresponding output (usually through an online API). For example, this scenario corresponds to the situation in which a company providing MLaaS is attacked by one of its users. However, in some cases the adversary may have partial knowledge of the data used to train the target model (e.g., the characteristics of the distribution) or of the target model’s architecture.
Black-box agnostic setting. The arguably hardest setting for the adversary is when it has absolutely no information on the training data (including no prior knowledge of the data distribution) as well as the model architecture or any of its parameters besides the dimensions of inputs and outputs. Basically, in this setting, which we refer to as the agnostic black-box setting, the adversary can only query the target model to make inferences about it.
2.4 Model inversion attacks against machine learning models
Model inversion attacks [45, 6] (also known as attribute inference attacks [49, 48]) aim to infer hidden sensitive attribute of instances that belong to a particular output class of a target machine learning model. Pioneering works in this field [45, 6] have proposed a generic framework to conduct model inversion attacks that can be described as follows. Given a target model , an instance — whose non-sensitive attributes and attributes’ prior probabilities are known to the adversary — and the prediction of the target model , the attack identifies the value of the sensitive attribute maximizing the posterior probability .
Model inversion attacks have been successfully conducted against a variety of models, including neural networks in the white-box setting with equation-solving methods , through the reconstruction of recognizable portraits. The question of effective black-box attack with respect to this method was left as an open question. One of the proposed approach to realize this is to run a white-box inversion attack after a successful black-box model extraction attack , thus achieving similar results at a fraction of the cost. However, none of these attacks were performed against a convolutional neural network or other types of deep neural networks. In addition, equations-solving attacks require prior knowledge of the target model’s architecture, which severely undermines their feasibility in an agnostic black-box setting.
For image recognition tasks, the output of a model inversion attack is usually not a member of the training set, but rather an average of the features characterizing the class. Depending on the diversity of inputs yielding the targeted class, this average may lead to a more or less severe privacy breach. For instance, if a class correspond to a particular individual and the training instances corresponding to the latter have small variance (e.g., same location for the face or same shooting angle) then the result of the attack can help in re-identifying the individual. In contrast, if the output class characterizes highly diverse instances (e.g., car of very different types), then the output of the attack is more difficult to interpret. In this case, the output of the attack is very similar to that of a property inference attack  (see Section 5.2 for more details and examples about property inference attacks).
3 Our approach: The GAMIN
In this section, we will first introduce the Generative Adversarial Model INversion (GAMIN) framework before detailing the attack process.
Let us consider a target model and a label corresponding to one of its labels. The objective of our attack is to characterize the inputs such that .
At a high level, GAMIN is composed of two deep neural networks, namely a generator that maps noise to an input and a surrogate model that outputs an estimation of the target model’s output. GAMIN allows to simultaneous train the surrogate model and the generator while performing a model inversion attack over . Thus, the generator aims at learning the distribution of input associated to the label .
Algorithm 1 summarizes the training sequence of GAMIN. For each step of the algorithm, a batch is sampled from random noise . Then, the generator uses the latter to produce a batch . Afterwards, the target model is queried with (1) the output of the generator and (2) a batch sampled from random noise . Subsequently, the predictions of on both and are used to compute the surrogate loss (see Section 3.2.1), which is then used to inform the training of the surrogate . Finally, the generator’s parameters are updated through the training of the combined model (see Section 3.2.2) on a batch sampled from random noise . After convergence, the surrogate learns the target model’s decision boundaries and the generator learns to approximate .
Given the black-box agnostic setting of the adversary, the architecture of GAMIN has to be as generic as possible. More precisely, the only constraint put on the architecture is that the dimensions and ranges of the outputs of the generator match the inputs of the target model and GAMIN’s surrogate . We demonstrate this by using the same architecture — for both GAMIN’s surrogate and the generator — for all the attacks conducted in this paper. In addition, we have deliberately chosen for the surrogate model an architecture different from that of the target models to emphasize the absence of prior knowledge by the adversary. Technical details of GAMIN’s surrogate and generator can be found respectively in Appendix A.1.1 and A.2.1.
3.2 Loss, metrics and convergence
The adversarial nature of GAMIN requires the surrogate and the generator to be trained alternatively, each with its own losses and metrics. However, the training of one component impact the performances of the other. To overcome this challenge, we need to devise appropriate loss functions and metrics to have better control of the training process.
3.2.1 Boundary-equilibrium loss for surrogate model
Initial experiments with this architecture proved its difficulty to assess convergence and to compare the performance performances of both the surrogate and the generator. Since these issues are common in the GAN literature, we adapted the Boundary-Equilibrium Adaptive loss from BEGAN  to GAMIN. The main idea is to have the loss function updating itself to reflect the trade-off between the surrogate loss on samples according to their nature. More precisely, the distinction operated by the surrogate will be between noise inputs and generated samples. Further differences with the original BEGAN include adapting the setting from an auto-encoder perspective to our GAMIN setting. The loss for the surrogate model is defined as:
in which is the cross-entropy loss function, (resp. ) are noise inputs for the surrogate (resp. inputs crafted by the generator ), (resp. ) are predictions of the target model on (resp. ), is a “learning rate” for the parameter and is an equilibrium ratio objective.
By allowing to balance the training of the surrogate and the generator, this loss helps in avoiding the issue of the unforgiving teacher. This phenomenon is observed when a GAN’s generator does not improve because its outputs are so far from expectations that it receives uniformly negative output . In addition, the adaptive loss helps in determining and improving the component that is limiting the overall performance. Finally, it reduces the occurrences of catastrophic forgetting, which may plague GAN-based architectures, and occurs when the learning of a new skill severely damages a previously learned one .
3.2.2 Generator model training through combined networks
The update of the generator is achieved by merging both the generator and surrogate into a virtual “combined” neural network . Then, the parameters of the combined network are updated through a standard training procedure. During this training, all the parameters related to the surrogate are kept frozen. Recall that the objective of the “combined” model is to map noise to the estimation of the target outputs upon receiving the generated inputs , to achieve through training. Thus, the “combined” model is trained as performing a simple classification task with a cross-entropy loss function. Cross-entropy loss is defined as , with being the distribution of probabilities across labels and the estimation of these probabilities.
3.2.3 Relevance metrics
In this section, we discuss the metrics used to monitor and control the training and convergence of GAMIN.
Surrogate fidelity. One of the fundamental measure for our approach is the surrogate fidelity, which reflects the capacity of the surrogate to imitate the target model’s behaviour. With the same input for the target model and the surrogate , let and be the outputs of these models. The fidelity of the surrogate can be expressed as . In practice, we compute the mean of this fidelity, which is then , being the mean average error, and we test the fidelity over a batch of samples of uniform random noise. Note that fidelity differs from precision in that it needs not be evaluated over testing samples, which means that it can be measured during a black-box attack with no knowledge of the original data. A surrogate with high fidelity (up to ) estimates with good precision the decision boundaries of the target model.
Combined accuracy. The generator’s ability to craft inputs that are classified in the desired way by the surrogate is measured by the categorical accuracy of the “combined” model (see Section 3.2.2). When assessed in a batch, the categorical accuracy is the proportion of inputs categorized in the desired class.
in which is the loss of the surrogate on noise inputs and is the loss of the surrogate on inputs generated by the GAMIN generator.
The M-global convergence score provides an insight on the convergence of both networks, which is helpful to assess the overall convergence since the adversarial nature of the GAMIN architecture means an improvement of the surrogate may impact the generator (and vice versa). A strength of this score is that it can be computed in a black-box setting as it only relies on the discrimination between different types of inputs used to train the surrogate. This score and the adaptive loss are updated at the same time.
3.2.4 Attack protocol and budget
To perform an attack, GAMIN is given a query budget, which represents the number of queries that can be sent to the target model . GAMIN is then trained against the target model, saving both the surrogate and the generator whenever the M-global score improves (see Section 3.2.3) while tracking the remaining query budget. Upon exhausting the query budget, the generator with the lowest M-global score is used as the result of the attack to generate the targeted inputs.
This approach provides two main benefits. First, it helps to determine the actual number of queries needed to achieve the best result. Second, it preserves the best model observed during training, which means that catastrophic forgetting or a decrease in performance will have a lesser impact on the final performance of the attack.
Early experiments lead us to observe that when we attack datasets in which diverse inputs correspond to the same output (i.e, the same class), the individual outputs of the generator do not converge to one of these specific inputs but rather that the mean of those generated inputs converged to the mean of the original inputs. Despite this limitation, we are nonetheless able to exploit the results of the GAMIN training by aggregating its results as described in the following procedure.
3.3.1 Signal post-processing pipeline
Once the generator has been trained, the following process is used to retrieve the best version of the attacked class’ mean. This process has to be applied separately for each channel when dealing with color images, each channel containing one color distribution.
Batch generation of outputs. The first step consists in using our model to generate a large batch of outputs from noise. Our experiments have shown that samples are sufficient to achieve a satisfactory sample of the variation between individual pictures.
Low-pass common frequency filter. Then, each picture is transposed into the frequency domain via a Fast-Fourier Transform (FTT). The frequencies are then counted pixel-wise on all FTT images. Afterward, a filter is applied to remove frequencies that do not appear in at least of the FTT batch samples. Due to the frequency distribution on our experiment, this is equivalent to a low-pass filter.
Reconstruction. The samples are mapped back to the spatial domain before applying a Gaussian blur to each of them, followed by an edge detection filter. Finally, the “final” output is obtained from the pixel-wise median of the transformed batch.
The post-processing routine has considerably enhanced the visual quality of generated images by removing a good part of the noise cluttering the individual output (see Figure 2 for an example).
Further post-processing such as thresholds or posterization could still be added to improve the quality of images, but those are not central to our study and are left to explore as future work.
4 Black-box model inversion attacks
In this section, we present the results obtained against several target models. First, we present the datasets used to trained the target models as well as the models themselves before reporting on the results obtained. Afterwards, we discuss on how to evaluate the success of a GAMIN attack as well as the associated cost before finally reporting how models trained with differential privacy as a possible countermeasure are affected by the attack. The source code of GAMIN is available on github111https://github.com/definitively-not-a-lab-rat/gamin.
4.1 Targets and evaluation setting
4.1.1 MNIST dataset
The MNIST Dataset of 70,000 handwritten digits (see examples in Figure 3) was used to train target models for a image recognition task. More precisely, in this case the recognition task consists in associating an image passed as input to a class corresponding to the digit the image represent. In this dataset, the images are of low-sizes (square of size 28 by 28 pixels) and black-and-white, which provides a relatively low-cost task.
The target models were trained on a defined proportion of the dataset accounting for 60,000 images, the rest being used for testing.
4.1.2 Pilot parliament dataset
Compiled by Joy Buolamwini  from official portraits of parliament representatives across the globe, this dataset of 1270 color images of different sizes is classified according to sex and skin color (across the 6 Fitzpatrick skin categories), which are inherently sensitive attributes. In contrast to MNIST, this dataset is composed of colored pictures. Note that for our experiment we have reshape all images to the same size, which implies that some faces are distorted compared to the original versions. The target models were trained on 1079 portraits, the remainder being kept for the testing phase.
4.1.3 Target models and training setup
Types of models. Targets of various architectures were trained in order to see if a model’s complexity impact the performance of the GAMIN attack. Overall, five models were considered as targets, which are named by order of increasing complexity: one softmax regression (Soft), two multilayer perceptron networks (MLP1 and MLP2), and two convolutional neural networks (CNN1 and CNN2). The architectures of these models are detailed in Appendix A.1.2. These architectures were chosen because of their prevalence in privacy and security-oriented literature. More precisely, Soft and MLP1 models were attacked in  and , while MLP2, CNN1 and CNN2 were part of the targets in .
Performance with respect to overfitting. The objective of our study is to attack realistic models with imperfect performance and not ones that have overfitted. Indeed, as overfitted models present very sharp decision boundaries, this usually renders the model inversion attack quite easy but also unrelated to real-world problems. While training with the pilot parliament dataset, only CNN1 and CNN2 models delivered good results. However, the Soft model was also included in the study for comparison despite its lesser performance. The full details of each target model performance are summarized in Appendix B.
Training setup. The surrogate has been trained with an Adam optimizer  regarding to this adaptive loss with the following parameters for the optimizer: learning rate of , , , and for the adaptive loss: , = and . The generator has also been trained with an Adam optimizer configured similarly to the surrogate’s with the following parameters for the optimizer: learning rate of , , and . These parameters are fairly standard and yield good results for the problems the GAMIN was confronted to. Remark that an extensive hyperparameter search is a non-trivial process in the black-box setting.
4.2 Attack against MNIST-trained targets
4.2.1 Evaluation survey
To measure how well GAMIN solves the model inversion problem from a privacy point of view, we cannot rely on pixel-wise errors or distances between distributions. Indeed, since the objective is to extract sensitive information from a model, we have to rely on human interpretation of the results to evaluate whether they successfully disclose information about the training data or not. In order to measure this information leakage on MNIST, we set up a survey in which we showed to participants the results of the model inversion of the GAMIN and asked them to guess which specific digit they thought was represented.
The results of the survey are summarized in Figure 5. In this figure, average displays the percentage of correct inference of digits averaged across all digits while majority depicts the percentage of classes (i.e., digits) for which more than half the volunteers guessed the correct digit from the pictures they were shown. In our experiments, a correct guess is awarded only when the participant picked the right digit. In opposition, giving a wrong answer or selecting the option “unable to decide” answers were counted as negative results.
In the best case, when attacking the soft model, volunteers were able to pick the attacked digit in of cases, assessing the reconstruction of out of digits. However, the ability of the GAMIN to invert models seems to be dramatically affected by the complexity of the target model, with both average number of correct answers and number of classes successfully inverted dropping to respectively and out of for the CNN2 architecture.
Convolutional models, which were not targeted by model inversion attacks in previous works, proved to be more resistant to these attacks. In particular, the drop in reconstruction accuracy that occurs when attacking deeper models could be explained directly by their complexity, as the link between decision boundaries and classification becomes less and less direct.
By taking a look at the GAMIN output for the same digit, we can observe the captured decision boundaries (see Figure 6), which confirm that the reconstruction given when attacking the soft architecture has usually sharp and identifiable features that are directly linked to the value of a region, whereas models using convolutions (i.e., CNN1 and CNN2) use patterns and filters before selecting the class resulting in blurred and more abstract images.
A closer look at the results breakdown between digits (displayed on Figure 7) shows a strong disparity among digits. Interestingly, some digits ( and ) are consistently inverted with success, whereas others such as for instance , display the opposite behaviour as the GAMIN attack fails to reconstruct these most of the time. A plausible explanation of the difference in accuracy when attacking those different classes could be the amount of recognizable features each of these class have. While this might considered a subjective notion, recall that the mean of the GAMIN outputs tends to converge to the mean of the targeted class.
4.3 Metrics and relation to success of the attack
The average metrics defined previously in Section 3.2 for each target model trained on MNIST are displayed in Table 1. For each GAMIN attack, the average over all digits is denoted as for the fidelity of the surrogate model, for the categorical accuracy of the combined model and for the best global score of convergence. The ratio of correct re-identification by the respondants of the survey is also provided for comparison.
First, we can observe that there is an absence of correlations between the accuracy of the combined model and the success rate of the re-identification by human volunteers. For instance, by comparing the mean of a digit with frequent success (the 3) to a digit with rare success (such as the 1) displayed on Figure 8, we observe that the classification task of a representation of an image’s mean might not be sufficient to evaluate completely the success of the model inversion attack. Nonetheless, the relatively high fidelity scores yielded by most attacks demonstrate that the surrogate is able to capture, at least partially, the decision boundaries of the target model.
To further investigate the link between and as well as the attack success, we provide an extensive review of the final score when attacking each digit against the MLP1 architecture in Table 2. These results show that a surrogate model achieving a very high fidelity or very low global convergence score might not be sufficient to achieve a good model inversion. In particular, this table provides examples with digits and of attacks that failed to reconstruct recognizable digits, yet achieve scores among the lowest. Furthermore, attacks against digit also achieved fidelity scores comparable to that of any successful attack.
The results demonstrate that the GAMIN surrogate needs to achieve a high fidelity to succeed, which is consistent with using fidelity as a measure of how well the decision boundaries are captured. However, this is a necessary but not a sufficient condition to ensure the success of the attack.
4.4 Attacks against skin color classifiers
Subtle, yet recognizable facial shapes can be observed on the images generated after attacking a skin color classifier trained on the pilot parliament dataset (see Figures 9 and 10). Interestingly enough, even the central area of the image does not give a hint of the skin color of individuals. Instead, the decision boundaries captured by the surrogate model are based on contours.
While the outputs of the GAMIN attack against the CNN1 architecture remain blurry and noisy enough to disclose few features of the members of each class, the attack against the soft architecture gives away more precise contours. However, the attack against the Softmax skin classifier yields results which, unlike the ones obtained on MNIST classifier in Section 4.2.2, did not seem to converge to the attacked class mean (compare for instance Figure 10 to Figure 11).
In this case, it could be argue that even if the faces are undetermined, the clothes alone might be enough to constitute a privacy breach. The privacy leak depicted here is more similar to a property inference attack [34, 35], which aim at inferring global properties of the training set of the target model. In contrast to previous implementations of such attacks [34, 35] that work in the white-box setting, GAMIN aims to infer properties of the target model’s training set in the black-box agnostic setting.
While Fredrikson and co-authors have already obtained recognizable faces against a model of similar architecture in the white-box setting  and Tramèr and colleagues proposed a more efficient black-box attack based on successive extraction and inversion of the model , the GAMIN provides another black-box alternative that does not require the adversary to have information about the target’s architecture.
4.5 Cost of the attack
The budget allowed for attacking each model was queries (or equivalently batches of queries). However, the protocol described previously in Section 3.2.4 enabled to easily retrieve the required number of batches to achieve convergence in terms of the M-global score. Depending on the attacked digits, the GAMIN achieves convergence towards “final” results after to batches of training, with an average of batches. In particular, each epoch requires queries to the target model, giving an average of queries per attack.
Compared to other black-box attacks targeting even larger datasets ( online queries in , and in  for attacking a model trained on the AT&T Faces dataset of larger dimension ), the GAMIN is significantly more expensive in terms of queries. However, this increased cost could be attributed to the higher complexity of target models and is also balanced by the flexibility of GAMIN.
Despite the higher complexity in terms of queries, if we estimate that it takes ms in terms of latency for querying the target, as in [6, 14] and not accounting for the speed increase offered by batch queries, a GAMIN attack could be completed in six hours. In addition assuming the adversary benefits from GPU acceleration, the networks training takes negligible time compared to querying the oracle.
4.6 Attacks against models trained with differential privacy
To evaluate how well our attack fare against protection mechanisms, we evaluate the effect of differential privacy on the success on an inversion attack against a MLP model. For this experiment, we focus on the MLP1 architecture described in Section 4.1.3. To train models with this architecture with differential privacy, we use the noisy batched stochastic gradient descent algorithm , with the implementation provided in tensorflow/privacy 222https://github.com/tensorflow/privacy. In particular, we set the privacy parameter to and train a model achieving a test accuracy of for a privacy parameter .
Table 3 and Figure 12 summarize the results obtained. These results seem to indicate that the use of differential privacy does not prevent the convergence of the training of GAMIN and the success of the attack. This observation is consistent with findings from previous works that have analyzed the impact of differential privacy on inversion attacks [26, 41, 48]. Intuitively this can be explained by the fact that differentially private learning techniques are essentially designed to protect against membership attack. In contrast protecting against model inversion attacks is similar in spirit as protecting the membership of all items that belong to a particular class, which require to apply some notion of group privacy. However, by doing so, the utility of the model will be negatively impacted.
5 Related work
Prior works related to privacy attacks against discriminative models in the supervised learning setting include adversarial attacks, membership inference attacks [5, 37], property inference attacks [34, 35], model inversion attacks [6, 26] and model extraction attacks [10, 39, 38]. In addition to regularization techniques, differential privacy is the workhorse used to address most of the inference attacks against machine learning models.
5.1 Adversarial attacks
The main idea of the adversarial setting is that an attack consists in crafting an input, which is then sent to the target model. The objective is to affect the target model in a controlled and desired manner. For example, evasion attacks aims to avoid a certain classification, in the sense that the objective is to produce anything but the specified class for a certain input [31, 32]. Such attacks were successfully performed against shallow models such as SVMs or RBF Kernels, using a gradient-descent-based algorithm, by crafting adversarial examples that crossed decision boundaries by a large margin (which translates as a high confidence in the faked class) . A more modern approach based on GANs has also proved to be able to fool deep neural models , even on temporal or recurrent architectures .
Both of the approaches described above rely on learning how to respectively maximize a utility or minimize a loss function reflecting the confusion of the target model. The learning process uses the gradient of this function to change parameters but such gradients are not accessible in a white-box setting. However, this can be countered by the concept of shadow training , which consists in training surrogate models, learning to attack these surrogate - or “shadow” - models and then transferring the attack to the target model [29, 30]. The use of a surrogate model in the GAMIN is inspired from the shadow training method.
5.2 Inference attacks against machine learning models
Membership attacks against machine learning models have been introduced by Shokri, Stronati, Song and Shmatikov . Given a data record and a trained model trained over a training dataset , a membership inference attack consist in trying to evaluate if . For instance, the authors demonstrated in 2017 the possibility for an adversary to assess the presence of a given individual in hospital datasets in a true black-box setting, highlighting the potential privacy damage this type of attack can cause. This type of attack exploits the fact that machine learning models may be subject to overfitting (i.e, being significantly more accurate at predicting outputs for the training data than predicting outputs for the test data). The attack involves training multiple shadow models, each using the same machine learning technique as that of the target model, and using a dataset similar to that of the target model. However, this is done by explicitly labeling predictions vectors on its training set and its test set differently. Finally, a classifier is trained to distinguish training data from test data. Membership attacks have also been studied by Melis, Song, de Cristofaro and Shmatikov  in the context of collaborative learning, in which the authors showed that the interactive nature of the collaboration can be exploited by a participant to conduct a membership attack on other participants’ training sets. In addition, Hayes, Melis, Danezis and de Cristofaro have demonstrated in the context of generative models  that generative adversarial networks  can be used to infer the presence of a particular individual in the training set.
Property inference attacks against machine learning models have been introduced by Ateniese and co-authors . This type of attack involves training a meta-classifier to detect if the target model has a given property . To conduct such an attack, the adversary trains a set of shadow models using a dataset and machine learning technique similar to that of the target model, but in addition, explicitly labeled as having the property or not. Finally, the meta-classifier is trained to detect the presence of the property . The authors have used this attack to learn that the training set of a speech recognition system have been produced by people speaking a particular dialect. Remark that the shadow training technique developed here is the same that has inspired the membership attacks . More recently, property inference attacks have been studied  in the context of collaborative learning, in which the authors demonstrated that the collaborative gradient update that occurs in this type of learning can be exploited by the adversary to infer properties that are true for a subset of the training set of other participants. Ganju, Wang, Yang, Gunther and Borisov  have further demonstrated the effectiveness of property inference attacks on more complex machine learning models such as fully connected neural networks.
Model inversion attacks aim at inferring, given a target model and an output class , sensitive hidden features of inputs corresponding to the class . As a result, the adversary will learn the average of the features of inputs that belong to the class . Model inversion attacks have been used originally  to infer if participants to a survey admitted of having cheated on their significant other by inverting decision trees, and to reconstruct people’s faces by inverting a facial recognition system trained using three different classifiers, namely a softmax classifier, a multilayer perceptron network and a denoising autoencoder. Recently, Hitaj, Ateniese and Perez-Cruz  have demonstrated that model inversion can be more powerful in collaborative machine learning context in which the adversary can train a generative adversarial network during the update phase to create prototypical examples of its target’s training set. Hidano, Murakami, Katsumata, Kiyomoto and Hanaoka  have introduced a model inversion attack that does not leverage on the knowledge of non-sensitive attributes of the input, under the assumption that the target model is operating in the online setting. In particular, a poisoning attack  is conducted on the target model to turn the regression coefficients of the non-sensitive attributes to zero. The resulting target model then becomes easy to invert, using the same approach proposed in [45, 6], without requiring additional knowledge of the non-sensitive attributes.
Finally, model extraction attacks aim at inferring, given a target model and its predictions (or explanations) for a chosen set of inputs, the parameters and/or hyper-parameters of . Tramer and co-authors  have demonstrated the effectiveness of such attacks by reconstructing several machine learning models after querying online machine learning as a service platforms. Wang and Cong  have also proposed attacks to steal hyper-parameters of several machine learning models. More recently, Milli, Schmidt, Dragan and Hardt  have shown how attacks exploiting gradient-based explanations can allow to extract models with significant less query budget compared to attacks based on predictions. Batina, Bashin, Jap and Picek  have proposed an attack against neural networks that leverages on a side-channel attack. In particular, it monitors the power use of the microprocessor on which the target model is evaluated to extract its weights. Jagielski, Carlini, Berthelot, Kurakin and Papernot  have leveraged on MixMatch , a semi-supervised learning technique, to produce a query-efficient learning-based extraction attack, which trains a surrogate on inputs labelled by the target model. The authors also introduced a functionally-equivalent extraction attack, which produces a surrogate that belongs to the equivalence class of the target model, that demonstrated better fidelity. Finally, they proposed a hybrid approach that combines functionally-equivalent extraction attacks and learning-based extraction attacks to improve the fidelity of the surrogate model.
Remark that model extraction is not per se a privacy attack. However, it can be used to build white-box surrogates of the target model and thus ultimately help in improving the efficiency of other inference attacks. The main difference between GAMIN and the existing attacks is that it operates in a black-box agnostic setting, which allows the attack to be easily deployed against any machine learning model. In addition, the computational cost of the attack (about 6 hours on a MLP) is acceptable. To compare, the estimated cost of a black-box attack — based on numeric gradient approximation  — against a MLP is about to days.
5.3 Countermeasures against inference attacks
Adding noise to individual records while maintaining global distribution and correlations is at the core of the concept of differential privacy, a privacy model developed by Dwork and co-authors  to balance the risk of privacy loss and the degradation of accuracy results of analysis run on a dataset of private records. Recently, the application of differential private methods to machine learning has drawn a lot of attention from privacy researchers and stemmed multiple approaches. One of these approaches relied on the training of deep networks over data distributed among multiple users . Afterwards, new attacks were designed to address this specific setting [26, 27]. Differential privacy was also integrated in the design of a stochastic gradient descent algorithm . However, the inherent trade-off between the privacy level and the performance of models trained with this method has already been pointed out in previous works [28, 48].
To measure the resistance of a model against membership inference attacks, Long, Bindschaedler and Gunter introduced the concept of differential training privacy  and showed that countermeasures such as distillation may not be sufficient to counter this type of attack. In their study of model inversion attacks , Fredrikson, Jha and Ristenpart suggest to round confidence scores to reduce the vulnerability of models to equation-solving attacks in the black-box setting. However, this can decrease the precision on the gradient retrieved from target model as intended. Against a black-box GAMIN attack, this would reduce the capacity of the surrogate to correctly approximate the target’s decision boundaries. While this may result in a lesser quality of the reconstructions or even a failure of GAMIN attacks, the efficiency of this defense could be also differ greatly as boundaries retrieved by the surrogate could appear less strict, which could ultimately facilitate the training of the generator.
6 Conclusion and future works
In this paper, we have demonstrated how adversarial approaches can be adapted to achieve model inversion attacks against machine learning models in an agnostic black-box setting. We have shown the potential threat of privacy leakage posed by these attacks by testing our architecture against models trained on a dataset of handwritten digits and another of face portraits for which we were able to reconstruct recognizable digits or features. In addition our attack works in multiple scenarios, including the situation in which the adversary has absolutely no prior knowledge of the target models and without specific parameter optimization.
We have also reviewed a variety of measures that could be proposed to measure the success of model inversion attacks and shows that usual and intuitive metrics may not be sufficient to predict the attack success. Furthermore, we show that models of increasing complexity, like convolutional neural networks, are more resistant to model inversion thanks to the abstraction and dilution of their decision boundaries.
We are planning to extend our approach in several directions. In particular, future work will include the testing of GAMIN against different types of targets, such as regressors or recurrent architectures and the study of countermeasures against this type of attack. We believe that the GAMIN can still be improved to further improve accuracy or to decrease the cost of this attack in terms of queries. The GAMIN could benefit from being tested against targets trained on different types of data, either as inputs (i.e., sequential data for instance) or as outputs (i.e., regressors). Further development of this architecture could allow for instance a single GAMIN to invert multiple outputs. In this case, the cost of the attack would not decrease directly, but a single attack could invert multiple classes, which would dramatically reduce the cost of inverting all classes of the model.
-  Electronic Privacy Information Center, "EPIC - Algorithms in the Criminal Justice System" (2016).
-  M. Barreno, B. Nelson, R. Sears A., D. Joseph and J. D. Tygar, “Can machine learning be secure?”, Proceedings of the ACM Symposium on Information, Computer and Communications Security (AsiaCCS), pp. 16–25, 2006.
-  S.P. Kasiviswanathan, M. Rudelson and A. Smith, “The power of linear reconstruction attacks”, Proceedings of the Twenty-Fourth Annual ACM-SIAM Symposium on Discrete Algorithms (SODA), pp. 1415–1433, 2013.
-  Y. Long, V. Bindschaedler and C.A. Gunter, “Towards measuring membership privacy”, arXiv preprint arXiv:1712.09136, 2017.
-  R. Shokri, M. Stronati, C. Song and V. Shmatikov, “Membership inference attacks against machine learning models”, Proceedings of IEEE Symposium on Security and Privacy (S&P), pp. 3–18, 2017.
-  M. Fredrikson, S. Jha and T. Ristenpart, “Model inversion attacks that exploit confidence information and basic countermeasures”, Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 1322–1333, 2015.
-  Y. LeCun, L. Bottou, Y. Bengio and P. Haffner, “Gradient-based learning applied to document recognition”, Proceedings of the IEEE 86(11): 2278–2324, 1998.
-  N. Papernot, P. Mcdaniel, A. Sinha and M. Wellman, “SoK: Towards the science of security and privacy in machine learning”, arXiv preprint arXiv:1611.03814, 2016.
-  A. Krizhevsky, I. Sutskever and G.E. Hinton, “ImageNet classification with deep convolutional neural networks", Proceedings of Advances in Neural Information Processing Systems (NIPS), pp. 1106-1114, 2012.
-  F. Tramèr, F. Zhang, A. Juels, M. K. Reiter and T. Ristenpart, “Stealing machine learning models via prediction APIs”, Proceedings of 25th USENIX Security Symposium, pp. 601–618, 2016.
-  I.J. Goodfellow, J. Pouget-Abadie, M. Mirza, B. Xu, D. Warde-Farley, S. Ozair, A. Courville and Y. Bengio, “Generative adversarial nets", Proceedings of Advances in Neural Information Processing Systems (NIPS), pp. 2672–2680, 2014.
-  K. Simonyan and A. Zisserman, “Very deep convolutional networks for large-scale image recognition”, Proceedings of the International Conference on Learning Representations (ICLR), 2015.
-  X. Wu, M. Fredrikson, S. Jha and J.F. Naughton, “A methodology for formalizing model-inversion attacks”, Proceedings of the IEEE Computer Security Foundations Symposium (CSF), pp. 355–370, 2016.
-  N. Papernot, P. McDaniel, I. Goodfellow, S. Jha, Z.B. Celik and A. Swami., “Practical black-box attacks against machine learning", Proceedings of the ACM Asia Conference on Computer and Communications Security (AsiaCCS), pp. 506–519, 2017.
-  D. Berthelot, T. Schumm and L. Metz, “BEGAN: Boundary equilibrium generative adversarial networks, arXiv preprint arXiv:1703.10717, 2017.
-  T. Salimans, I. Goodfellow, W. Zaremba, V. Cheung, A. Radford and X. Chen., “Improved techniques for training gans”, Proceedings of Neural Information Processing Systems (NIPS), pp. 2226–2234, 2016.
-  R.M. French, “Catastrophic forgetting in connectionist networks", Trends in Cognitive Sciences 3(4):128–135, 1999.
-  D.P. Kingma and J. Ba, “Adam: A method for stochastic optimization”, Proceedings of International Conference for Learning Representations (ICLR), 2015.
-  J. Buolamwini and T. Gebru, “Gender shades: Intersectional accuracy disparities in commercial gender classification”, Proceedings of Conference on Fairness, Accountability, and Transparency (FATML), pp. 77–91, 2018.
-  F.S. Samaria and A.C. Harter, “Parameterisation of a stochastic model for human face identification”, Proceedings of the IEEE Workshop on Applications of Computer Vision (WACV), pp. 138–142, 1994.
-  L. Sweeney, "Weaving technology and policy together to maintain confidentiality", Journal of Law, Medicine and Ethics 25(2-3): 98–110, 1997.
-  M. Koot , G. Noordende and C. de Laat, “A study on the re-identifiability of Dutch citizens”, Proceedings of the Workshop on Privacy Enhancing Technologies, 2010.
-  C. Dwork and A. Roth, “The algorithmic foundations of differential privacy", Foundations and Trends in Theoretical Computer Science 9(3-4): 211–407, 2014.
-  R. Shokri and V. Shmatikov, “Privacy-preserving deep learning”, Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 1310–1321, 2015.
-  M. Abadi, A. Chu, I. Goodfellow, H.B. McMahan, I. Mironov, K. Talwar and L Zhang, "Deep learning with differential privacy", Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 308–318, 2016.
-  B. Hitaj, G. Ateniese and F. Perez-Cruz, "Deep models under the GAN: Information leakage from collaborative deep learning", Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 603–618, 2017.
-  L. Melis, C. Song, E. De Cristofaro and V. Shmatikov, “Inference attacks against collaborative learning”, arXiv preprint arXiv:1805.04049, 2018.
-  M.A. Rahman, T. Rahman and R. Laganière, N. Mohammed and Y. Wang, “Membership inference attack against differentially private deep learning model", Transactions On Data Privacy 11(1): 61–79, 2018.
-  F. Tramèr, N. Papernot, I. Goodfellow, D. Boneh and P. McDaniel, “The space of transferable adversarial examples”, arXiv preprint arXiv:1704.03453, 2017.
-  F. Tramèr, A. Kurakin, N. Papernot, I. Goodfellow, D. Boneh and P. McDaniel, “Ensemble adversarial training: Attacks and defenses”, Proceedings of the International Conference on Learning Representations (ICLR), 2018.
-  B. Biggio, I. Corona, D. Maiorca, B. Nelson, N. Srndic, P. Laskov, G. Giacinto and F. Roli, “Evasion attacks against machine learning at test time", Proocedings of Machine Learning and Knowledge Discovery in Databases ECML/PKDD, pp. 387–402, 2013.
-  P. Laskov and M. Kloft, “A framework for quantitative security analysis of machine learning”,Proceedings of the 2nd ACM Workshop on Security and Artificial Intelligence (AISec), 2009.
-  N. Papernot, P. Mcdaniel, A. Swami and R. Harang, “Crafting adversarial input sequences for recurrent neural networks”, Proceedings of the IEEE Military Communications Conference (MILCOM), pp. 7–12, 2016.
-  G. Ateniese, L.V. Mancini, A. Spognardi, A. Villani, D. Vitali and G. Felici, "Hacking smart machines with smarter ones: How to extract meaningful data from machine learning classifiers", International Journal of Security and Networks 10(3), 137, 2015.
-  K. Ganju, Q. Wang, W. Yang, C.A. Gunter and N. Borisov, “Property inference attacks on fully connected neural networks using permutation invariant representations”, Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 619–633, 2018.
-  J. Hayes, L. Melis, G. Danezis and E. De Cristofaro, “Logan: Membership inference attacks against generative models”, Proceedings on Privacy Enhancing Technologies (PoPETs) 1: 133–152, 2018.
-  L. Melis, C. Song, E. De Cristofaro and V. Shmatikov, “Exploiting unintended feature leakage in collaborative learning”, Proceedings of 2019 IEEE Symposium on Security & Privacy (S&P), 2019.
-  S. Milli, L. Schmidt, A.D. Dragan and M. Hardt,“Model reconstruction from model explanations”, arXiv preprint arXiv:1807.05185, 2018.
-  B. Wang and N.Z. Gong, “Stealing hyperparameters in machine learning”, arXiv preprint arXiv:1802.05351, 2018.
-  S. Song, K. Chaudhuri, and A.D. Sarwate, “Stochastic gradient descent with differentially private updates”, Proceedings of the 2013 IEEE Global Conference on Signal and Information Processing, pp. 245–248, 2013.
-  M. Abadi, U. Erlingsson, I. Goodfellow, H.B. McMahan, I. Mironov, N. Papernot, K. Talwar and L. Zhang, “On the protection of private information in machine learning systems:Two recent apparoches”, Proceedings of the 30th Computer Security Foundations Symposium (CSF), pp. 1–6, 2017.
-  L. Batina, S. Bhasin, D. Jap and S. Picek, “Csi neural network: Using side-channels to recover your artificial neural network information”, arXiv preprint arXiv:1810.09076, 2018.
-  D. Berthelot, N. Carlini, I. Goodfellow, N. Papernot, A. Oliver and C. Raffel, “Mixmatch: A holistic approach to semi-supervised learning”, arXiv preprint arXiv:1905.02249, 2019.
-  B. Biggio, B. Nelson and P. Laskov, “Poisoning attacks against support vector machines”, arXiv preprint arXiv:1206.6389, 2012.
-  M. Fredrikson, E. Lantz, S. Jha, S. Lin, D. Page and T. Ristenpart, “Privacy in pharmacogenetics: An end-to-end case study of personalized warfarin dosing”, Proceedings of the 23rd USENIX Security Symposium, pp. 17–32, 2014.
-  S. Hidano, T. Murakami, S. Katsumata, S. Kiyomoto, and G. Hanaoka, “Model inversion attacks for online prediction systems: without knowledge of non-sensitive attributes”, IEICE Transactions on Information and Systems 101(11):2665–2676, 2018.
-  M. Jagielski, N. Carlini, D. Berthelot, A. Kurakin and N. Papernot, “High-fidelity extraction of neural network models”, arXiv preprint arXiv:1909.01838, 2019.
-  B. Jayaraman and D. Evans, “Evaluating differentially private machine learning in practice”, Proceedings of the 28th USENIX Security Symposium, 2019.
-  S. Yeom, I. Giacomelli, M. Fredrikson and S. Jha, “Privacy risk in machine learning: Analyzing the connection to overfitting”, Proceedings of the 2018 IEEE 31st Computer Security Foundations Symposium (CSF), pp. 268–282, 2018.
Appendix A Gallery of models
This appendix lists the models used in this study, both as parts of the GAMIN architecture and as targets models.
a.1 Image classification
a.1.1 GAMIN surrogate model
Table 4 describes the model used to perform the GAMIN attack against models trained over the MNIST dataset. Note that since the convolutions used in this model have a different filter size than those used for the targets (see Section A.1.2), the surrogate has very little in common with the target beyond the dimensions of its inputs and outputs.
a.1.2 Target models
Table 5 describes all models used to classify MNIST digits.
a.2 Image generation
a.2.1 GAMIN generator mode
Table 6 displays the details of the GAMIN Generator architecture for reconstructing handwritten digits.