Model Inversion Attacks (MIAs) aim to reconstruct private training data from models, leading to privacy leakage, particularly in facial recognition systems. Although many studies have enhanced the effectiveness of white-box MIAs, less attention has been paid to improving efficiency and utility under limited attacker capabilities. Existing black-box MIAs necessitate an impractical number of queries, incurring significant overhead. Therefore, we analyze the limitations of existing MIAs and introduce Surrogate Model-based Inversion with Long-tailed Enhancement (SMILE), a high-resolution oriented and query-efficient MIA for the black-box setting. We begin by analyzing the initialization of MIAs from a data distribution perspective and propose a long-tailed surrogate training method to obtain high-quality initial points. We then enhance the attack's effectiveness by employing the gradient-free black-box optimization algorithm selected by NGOpt. Our experiments show that SMILE outperforms existing state-of-the-art black-box MIAs while requiring only about 5% of the query overhead.