Distributional Black-Box Model Inversion Attack With Multi-Agent Reinforcement Learning

Model Inversion (MI) attacks based on Generative Adversarial Networks (GAN) aim to recover private training data from complex deep learning models by searching codes in the latent space. However, this method merely searches in a deterministic latent space, resulting in suboptimal latent codes. Additionally, existing distributional MI schemes assume that an attacker can access the structures and parameters of the target model, which is not always feasible in practice. To address these limitations, this paper proposes a novel Distributional Black-Box Model Inversion (DBB-MI) attack by constructing a probabilistic latent space for searching private data. Specifically, DBB-MI does not require the target model's parameters or specialized GAN training. Instead, it identifies the latent probability distribution by integrating the output of the target model with multi-agent reinforcement learning techniques. Then, it randomly selects latent codes from the latent probability distribution to uncover private data. As the latent probability distribution closely mirrors the target privacy data in the latent space, the recovered data effectively leaks the privacy of the target model's training samples. Extensive experiments conducted on diverse datasets and networks demonstrate that our DBB-MI outperforms state-of-the-art MI attacks in terms of attack accuracy, K-nearest neighbor feature distance, and peak signal-to-noise ratio.