Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/93095
Title: | Trap-MID: Trapdoor-based Defense against Model Inversion Attacks |
Author: | 劉鎮霆 Zhen-Ting Liu |
Advisor: | 陳尚澤 Shang-Tse Chen |
Keywords: | model inversion attacks, privacy, defense, trapdoor, backdoor |
Publication year: | 2024 |
Degree: | Master's |
Abstract: | Model Inversion (MI) attacks pose a significant threat to the privacy of Deep Neural Networks by recovering the training data distribution from well-trained models. While existing defenses often rely on regularization techniques to reduce information leakage, they remain vulnerable to recent attacks. In this paper, we propose the Trapdoor-based Model Inversion Defense (Trap-MID) to mislead MI attacks. A trapdoor is integrated into the model so that it predicts a specific label when the input is injected with the corresponding trigger. Consequently, this trapdoor information serves as a "shortcut" for MI attacks, leading them to extract trapdoor triggers rather than private data. We provide theoretical insights into the impact of the trapdoor's effectiveness and invisibility on deceiving MI attacks. In addition, empirical experiments demonstrate the state-of-the-art defense performance of Trap-MID against various MI attacks without requiring extra data or large computational overhead. |
URI: | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/93095 |
DOI: | 10.6342/NTU202401537 |
Full-text license: | Authorized (open access worldwide) |
Appears in collections: | Department of Computer Science and Information Engineering |
Files in this item:
File | Size | Format
---|---|---
ntu-112-2.pdf (available online after 2029-07-05) | 16.91 MB | Adobe PDF
Items in this system are protected by copyright, with all rights reserved, unless otherwise indicated.