TL;DR: We use a diffusion model as the image prior to improve data reconstruction attacks in the context of split inference.
Abstract: With the rise of large foundation models, split inference (SI) has emerged as a popular computational paradigm for deploying models across lightweight edge devices and cloud servers, addressing data privacy and computational cost concerns. However, most existing data reconstruction attacks have focused on smaller CNN classification models, leaving the privacy risks of foundation models in SI settings largely unexplored. To address this gap, we propose a novel data reconstruction attack based on guided diffusion, which leverages the rich prior knowledge embedded in a latent diffusion model (LDM) pre-trained on a large-scale dataset. Our method performs iterative reconstruction on the LDM’s learned image prior, effectively generating high-fidelity images resembling the original data from their intermediate representations (IR). Extensive experiments demonstrate that our approach significantly outperforms state-of-the-art methods, both qualitatively and quantitatively, in reconstructing data from deep-layer IRs of the vision foundation model. The results highlight the urgent need for more robust privacy protection mechanisms for large models in SI scenarios.
Lay Summary: Modern AI systems often split computation between local devices and cloud servers to improve efficiency and privacy. However, when these systems share encoded information between devices and servers, malicious actors can steal users' data by reconstructing it from these encoded pieces. Previous studies focused on smaller models and overlooked privacy risks for the large, powerful vision models now widely used.
We propose DRAG, a new privacy attack using advanced diffusion models to recover original images from encoded information generated by large vision models like CLIP and DINOv2. These large diffusion models' extensive knowledge of images provides malicious actors with powerful tools, enabling high-quality recovery of users' data, even after heavy processing through multiple layers, outperforming prior attacks.
Our findings reveal serious privacy vulnerabilities in current split inference systems using large vision models, highlighting the urgent need for stronger privacy protections. Our insights will help researchers and practitioners better understand and mitigate privacy risks, ensuring AI technologies remain both effective and secure.
Link To Code: https://github.com/ntuaislab/DRAG
Primary Area: Social Aspects->Privacy
Keywords: Data Reconstruction Attack, Privacy, Diffusion Model
Submission Number: 9875