Beyond Gradients: Exploiting Adversarial Priors in Model Inversion Attacks

Abstract
Collaborative machine learning settings such as federated learning can be susceptible to adversarial interference and attacks. One class of such attacks is termed model inversion attacks, in which the adversary reverse-engineers the model to disclose its training data. Previous implementations of this attack typically rely only on the shared data representations and ignore the adversary's own priors, or require that specific layers be present in the target model, reducing the potential attack surface. In this work, we propose a novel context-agnostic model inversion framework that builds on the foundations of gradient-based inversion attacks but additionally exploits the features and the style of the data controlled by an in-the-network adversary. Our technique outperforms existing gradient-based approaches both qualitatively and quantitatively across all training settings, showing particular effectiveness on collaborative medical imaging tasks. Finally, we demonstrate that our method achieves significant success on two downstream tasks: sensitive feature inference and facial recognition spoofing.
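The framework itself is specified in the full paper; as a rough, non-authoritative sketch of the family of attacks it builds on, the following PyTorch code reconstructs an input by matching its gradients against an observed victim update, augmented with a hypothetical Gram-matrix style prior standing in for the adversary-controlled feature and style priors described in the abstract. The cosine gradient-matching objective and total-variation prior are standard in the gradient inversion literature (cf. Geiping et al., "Inverting Gradients", and Rudin et al.'s total-variation denoising); `model.features`, `style_reference`, the input shape, and all weights are illustrative assumptions, not the paper's actual configuration.

```python
# A minimal, illustrative gradient-inversion sketch; NOT the paper's method.
# Cosine gradient matching follows Geiping et al.; the Gram-matrix term (in
# the spirit of Gatys et al.'s texture synthesis) is a hypothetical stand-in
# for the adversarial feature/style priors the paper exploits.
import torch
import torch.nn.functional as F


def gram(feats: torch.Tensor) -> torch.Tensor:
    """Gram matrix of feature maps: (B, C, H, W) -> (B, C, C)."""
    b, c, h, w = feats.shape
    f = feats.view(b, c, h * w)
    return f @ f.transpose(1, 2) / (c * h * w)


def invert(model, observed_grads, label, style_reference=None,
           steps=2000, lr=0.1, tv_weight=1e-4, style_weight=1e-2):
    """Optimise a dummy input whose gradients match `observed_grads`."""
    x = torch.randn(1, 3, 32, 32, requires_grad=True)  # dummy image (assumed shape)
    opt = torch.optim.Adam([x], lr=lr)
    params = [p for p in model.parameters() if p.requires_grad]

    for _ in range(steps):
        opt.zero_grad()
        loss = F.cross_entropy(model(x), label)
        grads = torch.autograd.grad(loss, params, create_graph=True)

        # Gradient-matching term: cosine distance between the dummy input's
        # gradients and the gradients observed from the victim's update.
        total = sum(1 - F.cosine_similarity(g.flatten(), og.flatten(), dim=0)
                    for g, og in zip(grads, observed_grads))

        # Total-variation prior favouring piecewise-smooth images.
        total = total + tv_weight * (x.diff(dim=-1).abs().mean()
                                     + x.diff(dim=-2).abs().mean())

        if style_reference is not None:
            # Hypothetical style prior: match second-order feature statistics
            # (Gram matrices) of adversary-held reference data. Assumes the
            # model exposes a `features` submodule, as torchvision VGGs do.
            total = total + style_weight * F.mse_loss(
                gram(model.features(x)), gram(model.features(style_reference)))

        total.backward()
        opt.step()
    return x.detach()
```

In a simulated federated round, `observed_grads` would be the per-parameter gradient list recovered from a victim's shared update (e.g. computed as `torch.autograd.grad(F.cross_entropy(model(x_victim), label), params)`), and `label` a class-index tensor such as `torch.tensor([victim_class])`. The style term is what distinguishes this sketch from plain gradient matching: an in-the-network adversary can supply reference data whose feature statistics bias the reconstruction.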