Targeted Model Inversion: Distilling Style Encoded in Predictions

Hoyong Jeong; Kiwon Chung; Sung Ju Hwang; Sooel Son

Targeted Model Inversion: Distilling Style Encoded in Predictions

Hoyong Jeong, Kiwon Chung, Sung Ju Hwang, Sooel Son

22 Sept 2023 (modified: 11 Feb 2024)Submitted to ICLR 2024EveryoneRevisionsBibTeX

Primary Area: societal considerations including fairness, safety, privacy

Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.

Keywords: model inversion attack, machine learning, privacy

Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2024/AuthorGuide.

TL;DR: We propose a black-box, fine-grained model inversion attack that simulates the white-box variants in a data-driven manner.

Abstract: Previous model inversion (MI) research has demonstrated the feasibility of reconstructing images representative of specific classes, inadvertently revealing additional feature information. However, there are still two remaining challenges for practical black-box MI: (1) reconstructing a high-quality input image tailored to the observed prediction vector, and (2) minimizing the number of queries made to the target model. We introduce a practical black-box MI attack called Targeted Model Inversion (TMI). Our approach involves altering the mapping network in StyleGAN, so that it can take an observed prediction vector and transform it into a StyleGAN latent representation, which serves as the initial data point for subsequent MI steps. Later, TMI leverages a surrogate model that is also derived from StyleGAN to guide instance-specific MI by optimizing the latent representation. These mapping and surrogate networks work together to conduct high-fidelity MI while significantly decreasing the number of necessary queries. Our experiments demonstrate that TMI outperforms state-of-the-art MI methods, demonstrating a new upper bound on the susceptibility to black-box MI attacks.

Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors' identity.

No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.

Submission Number: 5729

Loading