Table 4 Analysis of model inversion attacks-based on devised examination criteria
From: Machine learning security and privacy: a review of threats and countermeasures
Reference | Machine learning model/ algorithm | Attack type | Exploited vulnerability | Attacker’s knowledge | Attacker’s goals | Attack severity and impact | Defined threat model | Targeted feature |
|---|---|---|---|---|---|---|---|---|
T. Titcombe et al. [64], 2021 | Split neural networks | Model inversion attack on distributed ML | Steal intermediate/distributed data from nodes in transfer learning | Black box attack | Invert intermediate stolen data into input format | Model inversion attacks are effective and dependent on input dataset | Yes | Model interception |
M. Khosravy et al. [65], 2021 | Deep neural networks | Images reconstruction with MIA | Regenerate model by intercepting private data of victim model by gathering output | Gray box attack | Inverted model and developed duplicate | ML is under serious threat of MIA attack with partial knowledge of system | No | Model privacy |
Q. Zhang et al. [66], 2020 | Deep neural networks | Stealing victim’s model classes | Sample regeneration helps to determine private data of victim’s model classes | White box attack | Developed surrogate model similar to the target | ML model can be inverted even if secured with differential privacy | Yes | Model privacy |
Z. He et al. [67], 2019 | Deep neural networks | Inverse-network attack strategy | Used un-trusted participant in collaborative system | Black box, white box, and query-free inversion attacks | Extract inference data with an un-trusted adversarial participant in collaborative network | Privacy preservation is challenging to achieve in split DNN | Yes | Model privacy |
S. Basu et al. [68], 2019 | Deep neural networks | Generative adversarial network approach | Extracted output from targeted network with generative inference details | White box attack | Extract model class/inference details by replicating generative adversarial network | Machine learning can be inverted with generative samples | No | Model accuracy |
U. Aïvodji et al. [69], 2019 | Deep neural networks | Query-based generative adversarial network | Extract model details by interpreting queried outputs | Black box attack | Breach privacy of Convolutional neural networks (CNN) | Differential privacy is not much effective to mitigate MIA on machine learning | No | Model privacy |