Yixiang Qiu*, Hongyao Yu*, Hao Fang*, Wenbo Yu, Bin Chen#, Xuan Wang, Shu-Tao Xia
Welcome to MIA! This repository is a comprehensive open-source Python benchmark for model inversion attacks, which is well-organized and easy to get started. It includes uniform implementations of advanced and representative model inversion methods, formulating a unified and reliable framework for a convenient and fair comparison between different model inversion methods. Our repository is continuously updated in https://github.com/ffhibnese/Model-Inversion-Attack-ToolBox.
If you have any concerns about our toolbox, feel free to contact us at qiuyixiang@stu.hit.edu.cn, yuhongyao@stu.hit.edu.cn, and fang-h23@mails.tsinghua.edu.cn.
Also, you are always welcome to contribute and make this repository better!
Model inversion attack is an emerging powerful private data theft attack, where a malicious attacker is able to reconstruct data with the same distribution as the training dataset of the target model.
The reason why we developed this toolbox is that the research line of MI suffers from a lack of unified standards and reliable implementations of former studies. We hope our work can further help people in this area and promote the progress of their valuable research.
- Easy to get started.
- Provide all the pre-trained model files.
- Always up to date.
- Well organized and encapsulated.
- A unified and fair comparison between attack methods.
| Method | Paper | Publication | Scenario | Key Characteristics |
|---|---|---|---|---|
| DeepInversion | Dreaming to Distill: Data-Free Knowledge Transfer via DeepInversion | CVPR'2020 | whitebox | student-teacher, data-free |
| GMI | The Secret Revealer: Generative Model-Inversion Attacks Against Deep Neural Networks | CVPR'2020 | whitebox | the first GAN-based MIA, instance-level |
| KEDMI | Knowledge-Enriched Distributional Model Inversion Attacks | ICCV'2021 | whitebox | the first MIA that recovers data distributions, pseudo-labels |
| VMI | Variational Model Inversion Attacks | NeurIPS'2021 | whitebox | variational inference, special loss function |
| SecretGen | SecretGen: Privacy Recovery on Pre-trained Models via Distribution Discrimination | ECCV'2022 | whitebox, blackbox | instance-level, data augmentation |
| BREPMI | Label-Only Model Inversion Attacks via Boundary Repulsion | CVPR'2022 | blackbox | boundary repelling, label-only |
| Mirror | MIRROR: Model Inversion for Deep Learning Network with High Fidelity | NDSS'2022 | whitebox, blackbox | both gradient-free and gradient-based, genetic algorithm |
| PPA | Plug & Play Attacks: Towards Robust and Flexible Model Inversion Attacks | ICML'2022 | whitebox | Initial selection, pre-trained GANs, results selection |
| PLGMI | Pseudo Label-Guided Model Inversion Attack via Conditional Generative Adversarial Network | AAAI'2023 | whitebox | pseudo-labels, data augmentation, special loss function |
| C2FMI | C2FMI: Corse-to-Fine Black-box Model Inversion Attack | TDSC'2023 | whitebox, blackbox | gradient-free, two-stage |
| LOMMA | Re-Thinking Model Inversion Attacks Against Deep Neural Networks | CVPR'2023 | blackbox | special loss, model augmentation |
| RLBMI | Reinforcement Learning-Based Black-Box Model Inversion Attacks | CVPR'2023 | blackbox | reinforcement learning |
| LOKT | Label-Only Model Inversion Attacks via Knowledge Transfer | NeurIPS'2023 | blackbox | surrogate models, label-only |
| IF-GMI | A Closer Look at GAN Priors: Exploiting Intermediate Features for Enhanced Model Inversion Attacks | ECCV'2024 | whitebox | intermeidate feature |
| Method | Paper | Publication | Key Characteristics |
|---|---|---|---|
| VIB / MID | Improving Robustness to Model Inversion Attacks via Mutual Information Regularization | AAAI'2021 | variational method, mutual information, special loss function |
| BiDO | Bilateral Dependency Optimization: Defending Against Model-inversion Attacks | KDD'2022 | special loss function |
| TL | Model Inversion Robustness: Can Transfer Learning Help? | CVPR'2024 | transfer learning |
| LS | Be Careful What You Smooth For: Label Smoothing Can Be a Privacy Shield but Also a Catalyst for Model Inversion Attacks | ICLR'2024 | label smoothing |
MIA can be built up with the following steps:
- Clone this repository and create the virtual environment by Anaconda.
git clone https://github.com/ffhibnese/Model_Inversion_Attack_ToolBox.git
cd ./Model_Inversion_Attack_ToolBox
conda create -n MIA python=3.10
conda activate MIA- Install the related dependencies:
pip install -r requirements.txtSee here for details to preprocess datasets.
We have released pre-trained target models and evaluation models in the checkpoints_v2.0 of Google Drive.
If you find our work helpful for your research, please kindly cite our papers:
@article{qiu2024mibench,
title={MIBench: A Comprehensive Benchmark for Model Inversion Attack and Defense},
author={Qiu, Yixiang and Yu, Hongyao and Fang, Hao and Yu, Wenbo and Chen, Bin and Wang, Xuan and Xia, Shu-Tao and Xu, Ke},
journal={arXiv preprint arXiv:2410.05159},
year={2024}
}
@article{fang2024privacy,
title={Privacy leakage on dnns: A survey of model inversion attacks and defenses},
author={Fang, Hao and Qiu, Yixiang and Yu, Hongyao and Yu, Wenbo and Kong, Jiawei and Chong, Baoli and Chen, Bin and Wang, Xuan and Xia, Shu-Tao},
journal={arXiv preprint arXiv:2402.04013},
year={2024}
}
@article{qiu2024closer,
title={A Closer Look at GAN Priors: Exploiting Intermediate Features for Enhanced Model Inversion Attacks},
author={Qiu, Yixiang and Fang, Hao and Yu, Hongyao and Chen, Bin and Qiu, MeiKang and Xia, Shu-Tao},
journal={arXiv preprint arXiv:2407.13863},
year={2024}
}
We express great gratitude for all the researchers' contributions to the Model Inversion community.
In particular, we thank the authors of PLGMI for their high-quality codes for datasets, metrics, and three attack methods. It's their great devotion that helps us make MIA better!
