TY - GEN
T1 - Model Inversion Attack with Least Information and an In-depth Analysis of its Disparate Vulnerability
AU - Dibbo, Sayanton V.
AU - Chung, Dae Lim
AU - Mehnaz, Shagufta
N1 - Publisher Copyright:
© 2023 IEEE.
PY - 2023
Y1 - 2023
N2 - In this paper, we study model inversion attribute inference (MIAI), a machine learning (ML) privacy attack that aims to infer sensitive information about the training data given access to the target ML model. We design a novel black-box MIAI attack that assumes the least adversary knowledge/capabilities to date while still performing comparably to state-of-the-art attacks. Further, we extensively analyze the disparate vulnerability property of our proposed MIAI attack, i.e., the elevated vulnerability of specific groups in the training dataset (grouped by gender, race, etc.) to model inversion attacks. First, we investigate two existing ML privacy defense techniques, (1) mutual information regularization and (2) fairness constraints, and show that neither can mitigate MIAI disparity. Second, we empirically identify possible disparity factors and discuss potential ways to mitigate disparity in MIAI attacks. Finally, we demonstrate our findings by extensively evaluating our attack in estimating binary and multi-class sensitive attributes on three different target models trained on three real datasets.
AB - In this paper, we study model inversion attribute inference (MIAI), a machine learning (ML) privacy attack that aims to infer sensitive information about the training data given access to the target ML model. We design a novel black-box MIAI attack that assumes the least adversary knowledge/capabilities to date while still performing comparably to state-of-the-art attacks. Further, we extensively analyze the disparate vulnerability property of our proposed MIAI attack, i.e., the elevated vulnerability of specific groups in the training dataset (grouped by gender, race, etc.) to model inversion attacks. First, we investigate two existing ML privacy defense techniques, (1) mutual information regularization and (2) fairness constraints, and show that neither can mitigate MIAI disparity. Second, we empirically identify possible disparity factors and discuss potential ways to mitigate disparity in MIAI attacks. Finally, we demonstrate our findings by extensively evaluating our attack in estimating binary and multi-class sensitive attributes on three different target models trained on three real datasets.
UR - https://www.scopus.com/pages/publications/85163183088
UR - https://www.scopus.com/inward/citedby.url?scp=85163183088&partnerID=8YFLogxK
U2 - 10.1109/SaTML54575.2023.00017
DO - 10.1109/SaTML54575.2023.00017
M3 - Conference contribution
AN - SCOPUS:85163183088
T3 - Proceedings - 2023 IEEE Conference on Secure and Trustworthy Machine Learning, SaTML 2023
SP - 119
EP - 135
BT - Proceedings - 2023 IEEE Conference on Secure and Trustworthy Machine Learning, SaTML 2023
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2023 IEEE Conference on Secure and Trustworthy Machine Learning, SaTML 2023
Y2 - 8 February 2023 through 10 February 2023
ER -