Random Erasing vs. Model Inversion: A Promising Defense or a False Hope?

Download PDF

TMLR Paper4677 Authors

15 Apr 2025 (modified: 11 Jun 2025)Under review for TMLREveryoneRevisionsBibTeXCC BY 4.0
Abstract: Model Inversion (MI) attacks pose a significant privacy threat by reconstructing private training data from machine learning models. While existing defenses primarily concentrate on model-centric approaches, the impact of data on MI robustness remains largely unexplored. In this work, we explore Random Erasing (RE)—a technique traditionally used for improving model generalization under occlusion—and uncover its surprising effectiveness as a defense against MI attacks. Specifically, our novel feature space analysis shows that model trained with RE-images introduces a significant discrepancy between the features of MI-reconstructed images and those of the private data. At the same time, features of private images remain distinct from other classes and well-separated from different classification regions. These effects collectively degrade MI reconstruction quality and attack accuracy while maintaining reasonable natural accuracy. Furthermore, we explore two critical properties of RE including Partial Erasure and Random Location. First, Partial Erasure prevents the model from observing entire objects during training, and we find that this has significant impact on MI, which aims to reconstruct the entire objects. Second, the Random Location of erasure plays a crucial role in achieving a strong privacy-utility trade-off. Our findings highlight RE as a simple yet effective defense mechanism that can be easily integrated with existing privacy-preserving techniques. Extensive experiments of 37 setups demonstrate that our method achieves SOTA performance in privacy-utility tradeoff. The results consistently demonstrate the superiority of our defense over existing defenses across different MI attacks, network architectures, and attack configurations. For the first time, we achieve significant degrade in attack accuracy without decrease in utility for some configurations. Our code and additional results are included in Supplementary.
Submission Length: Regular submission (no more than 12 pages of main content)
Changes Since Last Submission: * We have updated Section 4.2 to include the reconstructed images, as suggested by the reviewer. Additional samples can be found in Section B.4 of the Supplementary and our Anonymous GitHub Repository (linked on the first page of the Supplementary) * We have updated the Introduction to include recent MI attacks, as suggested by the reviewers. * We have added Section D.1 (Supplementary) to present new results on alternative masking strategies, following the reviewers' recommendations.
Assigned Action Editor: ~bo_han2
Submission Number: 4677