Toward Black-box Image Extraction Attacks on RBF SVM Classification Model

Image extraction attacks on machine learning models seek to recover semantically meaningful training imagery from a trained classifier model. Such attacks are concerning because training data include sensitive information. Research has shown that extracting training images is generally much harder than model inversion, which attempts to duplicate the functionality of the model. In this paper, we use the RBF SVM classifier to show that we can extract individual training images from models trained on thousands of images, which refutes the notion that these attacks can only extract an "average" of each class. Also, we correct common misperceptions about black-box image extraction attacks and developing a deep understanding of why some trained models are vulnerable to our attack while others are not. Our work is the first to show semantically meaningful images extracted from the RB F SVM classifier.