This code implements model inversion attacks against collaborative inference in the following paper:
Zecheng He, Tianwei Zhang and Ruby Lee, "Model Inversion Attacks Against Collaborative Inference", 35th Annual Computer Security Applications Conference (ACSAC'19), San Juan, Dec 2019
We provide three attacks on the CIFAR10 dataset: rMSE (Section 4), black-box inverse network (Section 5) and query-free attack (Section 6). Attacks against MNIST are similar.
Install the dependencies:
pip install numpy
pip install torch
pip install torchvision==0.2.1
Train the model:
python training.py --dataset CIFAR10 --epochs 50
Run the rMSE attack (Section 4):
python inverse_whitebox_CIFAR.py --iters 5000 --learning_rate 1e-2 --layer ReLU22 --lambda_TV 1e1 --lambda_l2 0.0
Run the black-box inverse network attack (Section 5), training first and then testing:
python inverse_blackbox_decoder_CIFAR.py --training --layer ReLU22 --iter 50 --decodername CIFAR10CNNDecoderReLU22
python inverse_blackbox_decoder_CIFAR.py --testing --decodername CIFAR10CNNDecoderReLU22 --layer ReLU22
Run the query-free attack (Section 6), training first and then testing:
python inverse_query_free_CIFAR.py --training --layer ReLU22 --iter 50
python inverse_query_free_CIFAR.py --testing --layer ReLU22 --iter 500 --learning_rate 1e-1 --lambda_TV 2e0 --lambda_l2 0.0
(1) Please make sure to use torchvision v0.2.1. To check the installed version:
import torchvision
print(torchvision.__version__)
(2) If your machine has no GPU support, add the --nogpu option on the command line.
(3) Feel free to add --novalidation to your command line if running in CPU-only mode takes too long and the model training and inversion are conducted on the same machine. It disables evalTest() and evalTestSplitModel(), which are only used for validating the pre-trained models.
You are encouraged to cite the following paper.
@inproceedings{he2019model,
title={Model inversion attacks against collaborative inference},
author={He, Zecheng and Zhang, Tianwei and Lee, Ruby B},
booktitle={Proceedings of the 35th Annual Computer Security Applications Conference},
pages={148--162},
year={2019},
organization={ACM}
}