Data-Centric Defense: Shaping Loss Landscape with Augmentations to Counter Model Inversion

Published: 24 Nov 2024, Last Modified: 24 Nov 2024
Accepted by TMLR (CC BY 4.0)
Abstract: Machine learning models have shown susceptibility to various privacy attacks, with model inversion (MI) attacks posing a significant threat. Current defense techniques are mostly model-centric, involving modifying model training or inference. However, these approaches require the model trainer's cooperation, are computationally expensive, and often result in a significant privacy-utility tradeoff. To address these limitations, we propose a novel data-centric approach to mitigate MI attacks. Compared to traditional model-centric techniques, our approach offers the unique advantage of enabling each individual user to control their own data's privacy risk, aligning with findings from a Cisco survey that only a minority actively seek privacy protection. Specifically, we introduce several privacy-focused data augmentations that modify the private data before it is uploaded to the model trainer. These augmentations shape the resulting model's loss landscape, making it difficult for attackers to generate private target samples. Additionally, we provide a theoretical analysis to explain why such augmentations can reduce the risk of model inversion. We evaluate our approach against state-of-the-art MI attacks and demonstrate its effectiveness and robustness across various model architectures and datasets. In particular, on standard face recognition benchmarks, we reduce face reconstruction success rates to ≤ 5% while maintaining high utility with only a 2% classification accuracy drop, significantly surpassing state-of-the-art model-centric defenses. This is the first study to propose a data-centric approach for mitigating model inversion attacks, showing promising potential for decentralized privacy protection.
Submission Length: Regular submission (no more than 12 pages of main content)
Changes Since Last Submission:
- We have corrected typos/format and polished our writing based on the reviewers' suggestions.
- We have added clarification on our assumption and potential outcomes for surrogate injection.
- We have added experiment results for potential adaptive attacks as suggested by Reviewer jUiK.
Code: https://github.com/SCccc21/DCD.git
Supplementary Material: zip
Assigned Action Editor: ~Sanghyun_Hong1
Submission Number: 2700