CCS2024
Novel Privacy Attacks and Defenses Against Neural Networks
Sayanton V. Dibbo
Abstract
This dissertation comprises five papers that focus on a novel paradigm of privacy attack, the model inversion (MI) attack, in which the adversary's goal is to infer or reconstruct training samples. In particular, these works investigate MI privacy attacks, design novel realistic MI attacks under restricted, realistic adversarial capabilities, and introduce novel robust defense techniques against these attacks. We first systematized MI attacks through a literature review (IEEE CSF). This opened up ways to investigate MI attacks on tabular datasets, and we developed novel MI attacks for inferring sensitive private training data, published at USENIX Security. We then explored MI attacks with limited adversarial capabilities (IEEE SaTML), i.e., when the adversary does not have access to data drawn from the same distribution as the model's training data. All of these streams of work on designing privacy attacks enabled the design of novel defenses against MI attacks. We developed a novel sparse coding architecture (SCA), which shows 1.1-18.3 times more robustness against MI attacks without significantly compromising model accuracy. This exciting work has just been published at ECCV 2024 this year, and it inspires us to improve the defense further by designing systematic techniques to drop highly sensitive features during training that can also provide provable privacy bounds.