This is a PyTorch implementation of our paper at ICCV2021:
Knowledge Enriched Distributional Model Inversion Attacks [paper] [arxiv]
We propose a novel 'Inversion-Specific GAN' that can better distill knowledge useful for performing attacks on private models from public data. Moreover, we propose to model a private data distribution for each target class which refers to 'Distributional Recovery'.
This code has been tested with Python 3.6, PyTorch 1.0 and cuda 10.0.
- Install required packages.
- Download relevant datasets including Celeba, MNIST, CIFAR10.
- Get target model prepared or run our code
python train_classifier.py
Note that this code only provides three model architectures: VGG16, IR152, Facenet. And pretrained checkpoints for the three models can be downloaded at https://drive.google.com/drive/folders/1U4gekn72UX_n1pHdm9GQUQwwYVDvpTfN?usp=sharing.
- Modify the configuration in 'celeba.json'.
- Modify the target model path in 'k+1_gan.py' to your customized path.
- Run
python k+1_gan.py
. - Model checkpoints and generated image results are saved in folder ’improvedGAN‘.
- A general GAN can be obtained as a baseline by running
python binary_gan.py
. - Pretrained binary GAN and inversion-specific GAN can be downloaded at https://drive.google.com/drive/folders/1L3frX-CE4j36pe5vVWuy3SgKGS9kkA70?usp=sharing.
Run
python recovery.py
--model
chooses the target model to attack.--improved_flag
indicates if an inversion-specfic GAN is used. If False, then a general GAN will be applied.--dist_flag
indicates if distributional recovery is performed. If False, then optimization is simply applied on a single sample instead of a distribution.- By setting both
improved_flag
anddist_flag
be False, we are simply using the method proposed in [1].
[1] Zhang, Yuheng, et al. "The secret revealer: Generative model-inversion attacks against deep neural networks." Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2020.