Model Inversion Robustness: Can Transfer Learning Help?
About
Model Inversion (MI) attacks aim to reconstruct private training data by abusing access to machine learning models. Contemporary MI attacks have achieved impressive attack performance, posing serious threats to privacy. Meanwhile, all existing MI defense methods rely on regularization that is in direct conflict with the training objective, resulting in noticeable degradation in model utility. In this work, we take a different perspective, and propose a novel and simple Transfer Learning-based Defense against Model Inversion (TL-DMI) to render MI-robust models. Particularly, by leveraging TL, we limit the number of layers encoding sensitive information from private training dataset, thereby degrading the performance of MI attack. We conduct an analysis using Fisher Information to justify our method. Our defense is remarkably simple to implement. Without bells and whistles, we show in extensive experiments that TL-DMI achieves state-of-the-art (SOTA) MI robustness. Our code, pre-trained models, demo and inverted data are available at: https://hosytuyen.github.io/projects/TL-DMI
Related benchmarks
| Task | Dataset | Result | Rank | |
|---|---|---|---|---|
| Model Inversion Defense | CelebA | Accuracy91.12 | 64 | |
| Model Inversion Defense | CelebA 64x64 | Accuracy83.41 | 41 | |
| PPA Model Inversion Attack | FaceScrub 224x224 Dpriv = Facescrub, Dpub = FFHQ (test) | Accuracy91.12 | 27 | |
| Model Inversion | CelebA (private) | Accuracy86.7 | 24 | |
| Model Inversion Defense | Facescrub 224x224 (test) | Accuracy93.01 | 21 | |
| Image Classification | CelebA Private Public | Accuracy86.7 | 12 | |
| Image Classification | CelebA (Private) FFHQ (Public) | Accuracy86.7 | 12 | |
| Model Inversion Attack | CelebA 64x64 | Accuracy86.7 | 12 | |
| Model Inversion Defense | FACESCRUB (test) | Accuracy93.01 | 6 | |
| User study on image reconstruction similarity | FaceScrub 530 classes | Number of Similar Selections537 | 4 |