Abstract: There is a growing demand for confidential inference in machine learning services, in which the privacy of user data is protected during inference. Even in this setting, a malicious model provider can mount privacy attacks using the model's outputs. A previous study inferred only sensitive attributes of user data from the model outputs. In this paper, we present an attack that reconstructs the input user data of a machine learning model from its outputs. The model provider trains the inference model so that it embeds reconstruction information for the user data into its outputs while maintaining high inference accuracy. The attacker then trains a second model that recovers the user data from the inference model's outputs, which contain this reconstruction information. Experimental results on six image datasets of varying complexity show that LPIPS, a perceptual similarity metric between two images, reaches values as low as 0.01 for the reconstructed images. At the same time, inference accuracy remains at the same level as that of normal training.
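The joint training described above can be sketched as follows. This is a minimal toy illustration, not the paper's actual method: it assumes linear models, a synthetic 2-class task, and a combined loss of cross-entropy plus a reconstruction penalty; all names, dimensions, and hyperparameters are illustrative.

```python
import numpy as np

rng = np.random.default_rng(0)

# Toy stand-in for the setting in the abstract: the provider's inference
# model maps an input x to k output scores; a second model tries to
# reconstruct x from those scores.  The linear architecture and sizes
# here are illustrative assumptions, not the paper's method.
d, k, n = 8, 4, 256                       # input dim, output dim, samples
X = rng.normal(size=(n, d))               # "user data"
y = (X[:, 0] > 0).astype(int)             # a simple 2-class task
Y = np.eye(k)[y]                          # one-hot targets in k output slots

W = rng.normal(scale=0.1, size=(d, k))    # inference model: z = x W
R = rng.normal(scale=0.1, size=(k, d))    # reconstructor:   x_hat = z R

def softmax(z):
    z = z - z.max(axis=1, keepdims=True)
    e = np.exp(z)
    return e / e.sum(axis=1, keepdims=True)

lam, lr = 1.0, 0.05                       # recon weight, learning rate
mse0 = None
for _ in range(500):
    Z = X @ W                             # model outputs seen by the attacker
    Xhat = Z @ R                          # attacker's reconstruction
    if mse0 is None:
        mse0 = np.mean((Xhat - X) ** 2)   # reconstruction error before training
    # Joint loss: mean cross-entropy(softmax(Z), Y) + lam * ||Xhat - X||^2 / n
    dZ = (softmax(Z) - Y) / n + lam * 2 * (Xhat - X) @ R.T / n
    dR = lam * Z.T @ (2 * (Xhat - X)) / n
    W -= lr * (X.T @ dZ)                  # provider updates the inference model
    R -= lr * dR                          # attacker updates the reconstructor

mse = np.mean((X @ W @ R - X) ** 2)
acc = (np.argmax(X @ W, axis=1) == y).mean()
print(f"reconstruction MSE: {mse0:.3f} -> {mse:.3f}, accuracy: {acc:.2f}")
```

The key point the sketch captures is that the model's output space has spare capacity beyond what the classification task needs, and the joint loss trains the provider's weights to spend that capacity on information the reconstructor can invert.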