MIBench: A Comprehensive Benchmark for Model Inversion Attack and Defense

• From the research perspective, no new concepts have been introduced.

• Despite there are some analysis on MI, the research scopes and results are somewhat trivial or have been discussed in the previous works. For example, the strong correlation of MI performance and model utility is shown in GMI paper [1]; the advantage of MI attacks that employ stronger GAN (i.e., StyleGAN) is discussed in PPA paper [2].

• There is a new defence method [3] that recently published at ECCV-2024 [3]. Of course, I do not expect the authors to include this defence for this submission. However, as a toolbox for MI research, it would be better to discuss it in the related work section and incorporates this defence to the toolbox in the future.

[1] Zhang, Yuheng, et al. "The secret revealer: Generative model-inversion attacks against deep neural networks." CVPR 2020.

[2] Struppek, Lukas, et al. "Plug & play attacks: Towards robust and flexible model inversion attacks." ICML 2022.

[3] Koh, Jun Hao, et al. "On the Vulnerability of Skip Connections to Model Inversion Attacks." ECCV 2024.

• I do not see much utility in this work, neither from the dataset angle nor the benchmark angle. For the latter, the paper simply brings together 4 datasets that focus on face recognition, while for "benchmarks" a large collection of metrics is incorporated into the codebase without any exploration of what the metrics mean and how they should be interpreted with respect to success under model inversion. From my perspective, the proposed benchmark codebase is something you would expect in the median/ideal case from any paper that proposes a new attack/defense on model/inversion, since they would compare with previous baselines anyway. What I would have liked to see from such work would be a) a framework that makes it easy to evaluate existing attacks and defenses across various approaches (not just train-time defenses or GAN-based attacks), b) support for datasets beyond the narrow scope of image-based face classifiers (that seem to focus on each-person-as-a-class classification, which is far from what is actually used in face recognition systems. It may be the de-facto for MI evaluations, but this work has the chance to rectify that and target more realistic settings, or at least add support for them). A dataset paper usually proposes new datasets, but all I see in this work is a nicely packaged python repository.

• While this work claims to provide a comprehensive suite of evaluations and unified tools for model inversion, it focuses specifically on image-related datasets, and even further on attacks that require some sort of GAN-based training, and only train-time defenses. One of the core contributions of such a unified tool should be to, in fact, provide a framework that is general enough to consider most attack/defense approaches, and not just ones that are "common". For instance it might be possible that such approaches are common because other implementations are not easily available, and such a code structure only perpetuates this gap in research.

• As a general comment, please try not to shift crucial details to the Appendix. This is a dataset/benchmark paper, and relevant datasets/techniques should be properly explained in the paper. As a starting point to get more space, I think Figure 1 is unnecessarily big and adds nearly nothing to the paper. At the very least, it can be reduced by at least half.

• Since model inversion is such a visual problem in judging, especially for images, I would have liked to see visual-inspection modules in the proposed package to help the adversary/auditor better evaluate how "successful" they think their attacks/defenses are. I would also urge the authors to consider recent advances in diffusion models to consider better attack strategies. While it may not be part of published work, it can be a contribution of this work itself.

Minor comments

• I do not see why "dataset preprocessing" is mentioned as a module- any model training would preprocess data. This is not something unique to this benchmark.
• 'MI' is dominantly used in the privacy literature to refer to membership inference. Please consider using another abbreviation
• Barely into 2 paragraphs of the paper, there is mention of numbers (e.g. L52-56). At this point, the reader does not know what these numbers are, what they mean (compared to, say, a random adversary), or their significance. Please focus on relative trends instead of using actual numbers at a point in the paper where they do not make much sense.
• L63: "...each designated" makes it sounds like all four modules have each of the described parts- please fix the sentence.
• L66-71: what does "from diverse perspectives" mean? While I am not accusing the authors, this text in particular does read a lot like AI-generated text, and should be rewritten for clarity (and reducing fluff)
• L90: What does "...without intersecting classes" and "...the generator" mean? Please set these things up properly before diving into a very specific threat model. Similarly, Equation 1 is not clear at first- please explain it clearly and properly. As a benchmark paper, there is all the more reason for authors to clearly convey such threat models, setups, and techniques.
• Table 2: The citation for LS mentions 2023 but the reference mentions 2024- please fix this (and any similar) inconsistency.
• L275: Please clarify that FID is a measure computed across multiple samples, unlike ones like accuracy that are simply aggregated after computing sample-wise measurements.
• Appendix D: Please shift to the main paper. Something as crucial as limitations should not be buried at the very end of the paper.

• Writing Issues: Certain sections of the paper contain confusing terminology, such as "image reality," which would be more accurately expressed as "image fidelity" based on my understanding. There are also instances of inaccurate interpretations, such as describing WGAN-GP as a type of "GAN prior," whereas WGAN-GP is actually a training technique. These issues could potentially lead to misinterpretations.
• Evaluation Depth: The experimental choice to limit evaluations to only 5 images per class may be insufficient, as the small sample size could undermine the reliability of the metrics. For instance, FID evaluations typically require thousands of images to produce robust results.
• Novelty of Insights: Overall, the paper lacks significant novel insights. Some findings, such as the correlation between model predictive power and privacy leakage, have already been addressed in previous research (i.e. GMI). While this benchmark reaffirms these insights, it does not substantially deepen or expand our existing understanding in these areas.

Minor remarks:

• L100: $\hat{z}$ should be $z^*$
• The evaluation of LS is not included in Table 5.
• There are minor formatting errors, such as an unclear reference to the MID in Section 2, which could be clarified. Additionally, the legend in Fig. 4(b) interferes with the visualization, and the color arrangement for defense methods in Fig. 5 is somewhat cluttered, making comparisons more challenging for readers.

1. The term "benchmark" may not be applicable to this work. Typically, benchmarks introduce new tasks/ datasets (e.g., MMLU, MMMU). In contrast, this paper proposes a toolbox that unifies existing attack and defense algorithms.

2. The scientific and technical contributions of this manuscript are limited.

• While the release of a general toolbox is valuable, most of the methods included already have official GitHub implementations available, which support training target classifiers, GANs, inversion attacks, and defense methods. These works also largely follow prior methods for fair comparison.

• Although the results in Tables 3 and 4 offer useful insights to the community, they are not totally new and have been discussed in previous papers. For instance, [C] has already shown that models with higher test accuracy are more susceptible to model inversion attacks.

3. Many recent works conduct user studies to show the quality of MI attacks/ defenses. This work should also consider incorporating human evals under metrics. Refer to [A,B] for user study frameworks.

4. Error bars/ Standard deviation for all experiments are missing.

5. Could the authors clarify whether BREP-MI and LOKT should be classified as label-only MI attacks rather than black-box MI attacks, given that neither uses soft information?

=====

[A] Nguyen, Bao-Ngoc, et al. "Label-only model inversion attacks via knowledge transfer." Advances in Neural Information Processing Systems 36 (2024).

[B] [MIRROR] An, Shengwei et al. MIRROR: Model Inversion for Deep Learning Network with High Fidelity. Proceedings of the 29th Network and Distributed System Security Symposium.

[C] Ho, Sy-Tuyen, et al. "Model Inversion Robustness: Can Transfer Learning Help?." Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2024.