http://dx.doi.org/10.3837/tiis.2021.03.015

Model Inversion Attack: Analysis under Gray-box Scenario on Deep Learning based Face Recognition System  

Khosravy, Mahdi (Media Integrated Communication Laboratory, Graduate School of Engineering, Osaka University)
Nakamura, Kazuaki (Media Integrated Communication Laboratory, Graduate School of Engineering, Osaka University)
Hirose, Yuki (Media Integrated Communication Laboratory, Graduate School of Engineering, Osaka University)
Nitta, Naoko (Media Integrated Communication Laboratory, Graduate School of Engineering, Osaka University)
Babaguchi, Noboru (Media Integrated Communication Laboratory, Graduate School of Engineering, Osaka University)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS) / v.15, no.3, 2021, pp. 1100-1118
Abstract
In a wide range of ML applications, the training data contains privacy-sensitive information that must be kept secure. Training an ML system on such data makes the model a function of that data: because the model's parameters have been fitted to the training set, the model can be abused to estimate the training data in a reverse process called model inversion attack (MIA). Although MIA has been applied to shallow neural network recognizers in the literature and its threat to privacy has been confirmed, its effectiveness against a deep learning (DL) model has been in question, owing to the complexity of a DL model's structure, its large number of parameters, the large size of the training data, the large number of users registered to the model, and hence the large number of class labels. This work first analyses the feasibility of MIA on a deep learning recognition model, namely a face recognizer. Second, unlike the conventional MIA under the white-box scenario, which assumes partial access to users' non-sensitive information in addition to the model structure, the MIA is implemented here on a deep face recognition system with only the model structure and parameters and no user information at all. In this respect it is a semi-white-box, or gray-box, scenario. Experimental results targeting five registered users of a CNN-based face recognition system confirm that users' face images can be regenerated by MIA under a gray-box scenario even for a deep model. For some images the recognition score of the reconstruction is low and the generated image is not easily recognizable, but for others the score is high and facial features of the targeted identity are observable.
The objective and subjective evaluations demonstrate that a privacy attack by MIA on a deep recognition system is not only feasible but also a serious threat whose severity will grow, since there is considerable potential for integrating more advanced ML techniques into MIA.
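The gray-box attack the abstract describes, reduced to its core mechanism, as an added example that is not code from the paper or its authors: the attacker holds only the recognizer's structure and parameters (here a softmax-regression recognizer standing in for the CNN, with constructed synthetic "face" vectors in place of a face dataset) and a target class label, and runs gradient descent on the input to maximise the recognizer's confidence for that label. The function and variable names (`train_recognizer`, `model_inversion`, `recognition_score`) and the dataset construction are assumptions of this example; the evaluation compares the reconstruction against the hidden per-user templates the attacker never sees, mirroring the paper's objective recognition-score and visual-similarity checks.

```python
import numpy as np

D, K, N_PER_CLASS = 64, 3, 50   # "pixels" per face, registered users, images per user


def make_dataset(seed=0):
    """Constructed stand-in for a face dataset: one hidden template per user,
    plus Gaussian noise per image. The templates are the attacker's real target."""
    rng = np.random.default_rng(seed)
    templates = rng.uniform(0.0, 1.0, size=(K, D))
    xs, ys = [], []
    for k in range(K):
        faces = templates[k] + rng.normal(0.0, 0.1, size=(N_PER_CLASS, D))
        xs.append(np.clip(faces, 0.0, 1.0))
        ys.extend([k] * N_PER_CLASS)
    return templates, np.vstack(xs), np.array(ys)


def softmax(z):
    z = z - z.max(axis=-1, keepdims=True)
    e = np.exp(z)
    return e / e.sum(axis=-1, keepdims=True)


def train_recognizer(xs, ys, lr=0.5, steps=300):
    """Softmax-regression recognizer (assumed stand-in for the CNN). Returns (W, b),
    which is exactly what the gray-box attacker is assumed to obtain."""
    W = np.zeros((K, D))
    b = np.zeros(K)
    onehot = np.eye(K)[ys]
    for _ in range(steps):
        p = softmax(xs @ W.T + b)
        err = p - onehot                      # dL/dlogits for cross-entropy
        W -= lr * err.T @ xs / len(xs)
        b -= lr * err.mean(axis=0)
    return W, b


def model_inversion(W, b, target, steps=300, lr=0.1, lam=1e-3):
    """Gray-box MIA: uses only the model parameters and the target label, no user
    data. Gradient descent on the input x to minimise
        -log p(target | x) + lam * ||x||^2,
    clipping x to the valid pixel range [0, 1] after every step."""
    x = np.full(D, 0.5)                       # uninformed start: a flat grey image
    e_t = np.eye(K)[target]
    for _ in range(steps):
        p = softmax(W @ x + b)
        grad = W.T @ (p - e_t) + 2.0 * lam * x   # d/dx of the objective above
        x = np.clip(x - lr * grad, 0.0, 1.0)
    return x


def recognition_score(W, b, x, target):
    """The recognizer's confidence that x belongs to `target` (objective evaluation)."""
    return float(softmax(W @ x + b)[target])


def pearson(a, b):
    """Correlation between a reconstruction and a hidden template (evaluator only)."""
    a = a - a.mean()
    b = b - b.mean()
    return float(a @ b / (np.linalg.norm(a) * np.linalg.norm(b)))


def run_attack(target=1, seed=0):
    """End-to-end: build data, train the recognizer, invert it for one registered
    user, and return (recognition score, correlation with each user's template)."""
    templates, xs, ys = make_dataset(seed)
    W, b = train_recognizer(xs, ys)
    x_rec = model_inversion(W, b, target)     # attacker side: only W, b, target
    score = recognition_score(W, b, x_rec, target)
    sims = [pearson(x_rec, templates[k]) for k in range(K)]
    return score, sims


if __name__ == "__main__":
    score, sims = run_attack(target=1)
    print(f"recognition score of reconstruction: {score:.3f}")
    print("correlation with each user's hidden template:", [round(s, 3) for s in sims])
```

The two returned numbers are the two evaluations the abstract refers to: the recognition score is what the attacked model itself assigns to the reconstruction, and the template correlation is the ground-truth check only an evaluator with the real images can make. A high recognition score with low template correlation is the "not easily recognizable" failure case the abstract mentions; both high is the case where facial features of the target are observable.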
Keywords
Model Inversion Attack; Deep Learning; Face Recognition System; Media Clone;