Image reconstruction attacks on machine learning models pose a significant privacy risk because they can leak sensitive training data. Although defending against such attacks with differential privacy (DP) has proven effective, choosing appropriate DP parameters remains challenging. Current formal guarantees on data reconstruction success rest on overly theoretical assumptions about the adversary's knowledge of the target data, particularly in the image domain. In this work, we empirically investigate this discrepancy and find that the practicality of these assumptions depends strongly on the domain shift between the data prior and the reconstruction target. We propose a reconstruction attack based on diffusion models (DMs) that assumes adversary access to real-world image priors and assess its implications for privacy leakage under DP-SGD. We show that (1) real-world data priors significantly influence reconstruction success, (2) current reconstruction bounds do not model the risk posed by data priors well, and (3) DMs can serve as effective auditing tools for visualizing privacy leakage.