Multi Trajectory Guided Model Inversion Attacks

Abstract

Recent advancements in deep learning have brought significant concerns regarding the privacy of training data due to overfitting and memorization, as well as a lack of defense mechanisms. In model inversion attacks, where Attackers aim to reconstruct original private training samples (i.e images) just by using the DNN model’s last layer output. Traditional black-box MI attacks face three key challenges: (1) Non-convex optimization landscapes often trap reconstructions in poor local minima, degrading output quality. (2) Black-box scenarios require excessive queries to approximate gradients, raising detection risks. (3) Unconstrained pixel-space optimization generates unrealistic artifacts since the inverse mapping lacks natural image priors. These issues collectively yield low-fidelity reconstructions that fail to capture meaningful private data, especially for complex inputs like faces or medical images. Here, Generative Adversarial Networks (GANs) come in picture which provide a lowdimensional latent space for efficient optimization while ensuring high-dimensional realism. Some recent methods have explored reinforcement learning, where the search in the latent space (learned from a GAN trained on public data) is formulated as a Markov Decision Process (MDP). In our method, we introduce: (1) a dynamics network to model state transitions in the latent space, (2) a reward network that learns directly from the model’s confidence scores, and (3) policy-value networks for efficient exploration inspired by efficient-zero V2. This learned framework automatically adapts autonomously to diverse target models, and leverages the GAN’s generative prior to ensure realistic reconstructions.