Skip to content

A comprehensive toolbox for model inversion attacks and defenses, which is easy to get started.

Notifications You must be signed in to change notification settings

ffhibnese/Model-Inversion-Attack-ToolBox

Repository files navigation

🔥Model Inversion Attack ToolBox v2.0🔥

Python 3.10 Pytorch 2.0.1 torchvision 0.15.2 CUDA 11.8

Yixiang Qiu*, Hongyao Yu*, Hao Fang*, Wenbo Yu, Bin Chen#, Xuan Wang, Shu-Tao Xia

Welcome to MIA! This repository is a comprehensive open-source Python benchmark for model inversion attacks, which is well-organized and easy to get started. It includes uniform implementations of advanced and representative model inversion methods, formulating a unified and reliable framework for a convenient and fair comparison between different model inversion methods. Our repository is continuously updated in https://github.com/ffhibnese/Model-Inversion-Attack-ToolBox.

If you have any concerns about our toolbox, feel free to contact us at qiuyixiang@stu.hit.edu.cn, yuhongyao@stu.hit.edu.cn, and fang-h23@mails.tsinghua.edu.cn.

Also, you are always welcome to contribute and make this repository better!

🚀 Introduction

Model inversion attack is an emerging powerful private data theft attack, where a malicious attacker is able to reconstruct data with the same distribution as the training dataset of the target model.

The reason why we developed this toolbox is that the research line of MI suffers from a lack of unified standards and reliable implementations of former studies. We hope our work can further help people in this area and promote the progress of their valuable research.

💡 Features

  • Easy to get started.
  • Provide all the pre-trained model files.
  • Always up to date.
  • Well organized and encapsulated.
  • A unified and fair comparison between attack methods.

📝 Model Inversion Attacks

Method Paper Publication Scenario Key Characteristics
DeepInversion Dreaming to Distill: Data-Free Knowledge Transfer via DeepInversion CVPR'2020 whitebox student-teacher, data-free
GMI The Secret Revealer: Generative Model-Inversion Attacks Against Deep Neural Networks CVPR'2020 whitebox the first GAN-based MIA, instance-level
KEDMI Knowledge-Enriched Distributional Model Inversion Attacks ICCV'2021 whitebox the first MIA that recovers data distributions, pseudo-labels
VMI Variational Model Inversion Attacks NeurIPS'2021 whitebox variational inference, special loss function
SecretGen SecretGen: Privacy Recovery on Pre-trained Models via Distribution Discrimination ECCV'2022 whitebox, blackbox instance-level, data augmentation
BREPMI Label-Only Model Inversion Attacks via Boundary Repulsion CVPR'2022 blackbox boundary repelling, label-only
Mirror MIRROR: Model Inversion for Deep Learning Network with High Fidelity NDSS'2022 whitebox, blackbox both gradient-free and gradient-based, genetic algorithm
PPA Plug & Play Attacks: Towards Robust and Flexible Model Inversion Attacks ICML'2022 whitebox Initial selection, pre-trained GANs, results selection
PLGMI Pseudo Label-Guided Model Inversion Attack via Conditional Generative Adversarial Network AAAI'2023 whitebox pseudo-labels, data augmentation, special loss function
C2FMI C2FMI: Corse-to-Fine Black-box Model Inversion Attack TDSC'2023 whitebox, blackbox gradient-free, two-stage
LOMMA Re-Thinking Model Inversion Attacks Against Deep Neural Networks CVPR'2023 blackbox special loss, model augmentation
RLBMI Reinforcement Learning-Based Black-Box Model Inversion Attacks CVPR'2023 blackbox reinforcement learning
LOKT Label-Only Model Inversion Attacks via Knowledge Transfer NeurIPS'2023 blackbox surrogate models, label-only
IF-GMI A Closer Look at GAN Priors: Exploiting Intermediate Features for Enhanced Model Inversion Attacks ECCV'2024 whitebox intermeidate feature

📝 Model Inversion Defenses

Method Paper Publication Key Characteristics
VIB / MID Improving Robustness to Model Inversion Attacks via Mutual Information Regularization AAAI'2021 variational method, mutual information, special loss function
BiDO Bilateral Dependency Optimization: Defending Against Model-inversion Attacks KDD'2022 special loss function
TL Model Inversion Robustness: Can Transfer Learning Help? CVPR'2024 transfer learning
LS Be Careful What You Smooth For: Label Smoothing Can Be a Privacy Shield but Also a Catalyst for Model Inversion Attacks ICLR'2024 label smoothing

🔧 Environments

MIA can be built up with the following steps:

  1. Clone this repository and create the virtual environment by Anaconda.
git clone https://github.com/ffhibnese/Model_Inversion_Attack_ToolBox.git
cd ./Model_Inversion_Attack_ToolBox
conda create -n MIA python=3.10
conda activate MIA
  1. Install the related dependencies:
pip install -r requirements.txt

📄 Preprocess Datasets and Pre-trained Models

See here for details to preprocess datasets.

We have released pre-trained target models and evaluation models in the checkpoints_v2.0 of Google Drive.

📔 Citation

If you find our work helpful for your research, please kindly cite our papers:

@article{qiu2024mibench,
  title={MIBench: A Comprehensive Benchmark for Model Inversion Attack and Defense},
  author={Qiu, Yixiang and Yu, Hongyao and Fang, Hao and Yu, Wenbo and Chen, Bin and Wang, Xuan and Xia, Shu-Tao and Xu, Ke},
  journal={arXiv preprint arXiv:2410.05159},
  year={2024}
}

@article{fang2024privacy,
  title={Privacy leakage on dnns: A survey of model inversion attacks and defenses},
  author={Fang, Hao and Qiu, Yixiang and Yu, Hongyao and Yu, Wenbo and Kong, Jiawei and Chong, Baoli and Chen, Bin and Wang, Xuan and Xia, Shu-Tao},
  journal={arXiv preprint arXiv:2402.04013},
  year={2024}
}

@article{qiu2024closer,
  title={A Closer Look at GAN Priors: Exploiting Intermediate Features for Enhanced Model Inversion Attacks},
  author={Qiu, Yixiang and Fang, Hao and Yu, Hongyao and Chen, Bin and Qiu, MeiKang and Xia, Shu-Tao},
  journal={arXiv preprint arXiv:2407.13863},
  year={2024}
}

✨ Acknowledgement

We express great gratitude for all the researchers' contributions to the Model Inversion community.

In particular, we thank the authors of PLGMI for their high-quality codes for datasets, metrics, and three attack methods. It's their great devotion that helps us make MIA better!

About

A comprehensive toolbox for model inversion attacks and defenses, which is easy to get started.

Topics

Resources

Stars

Watchers

Forks

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages