Model inversion attacks (MIAs) aim to recover private data from the inaccessible training sets of deep learning models, posing a privacy threat. Existing MIAs primarily focus on the white-box scenario, in which attackers have full access to the model's structure and parameters. However, practical applications usually fall into the black-box or label-only scenarios, i.e., attackers can only obtain output confidence vectors or labels by querying the model. Therefore, the attack models in existing MIAs are difficult to train effectively with the knowledge available from the target model, resulting in sub-optimal attacks. To the best of our knowledge, we are the first to study a powerful and practical attack model in the label-only scenario. In this paper, we develop a novel MIA method that leverages a conditional diffusion model (CDM) to recover representative samples of the target label from the training set. Two techniques are introduced: selecting an auxiliary dataset relevant to the target model's task and using the target model's predicted labels as conditions to guide the training of the CDM; and feeding the target label, a pre-defined guidance strength, and random noise into the trained attack model to generate and correct multiple results, from which the final output is selected. The method is evaluated using Learned Perceptual Image Patch Similarity (LPIPS) as a new metric, which also serves as the basis for choosing hyper-parameter values. Experimental results show that the method generates samples that are similar and accurate with respect to the target label, outperforming the generators of previous approaches.