Hybrid Defense Strategy for Face Recognition Model Inversion Attack

The paper has various flaws and weaknesses.

1.) The paper plagiarizes previous work directly by adopting individual sentences without modification and without appropriate citation. Particularly section 2.1 is taken verbatim from the paper "Plug and Play Attacks" (https://arxiv.org/abs/2201.12179). To demonstrate, here are the sections from this paper under Review and the Plug and Play Attacks Paper:

This paper (Sec. 2.1): "As we know, most MIAs utilize the ability generative generative adversarial networks (GANs) Goodfellow et al. (2020), and use images as the prior information to generate realistic images. Some MIAs avoided distributional shifts and relied on GANs trained on the same data distribution as the target model Zhang et al. (2020); Chen et al. (2021); Wang et al. (2021), used additional input information such as blurred pictures of a person Zhang et al. (2020), and tailored the attack and its image prior to specific target models Chen et al. (2021); Wang et al. (2021), restricting the reuse and flexibility of the attacks. All approaches focused on low-resolution images, which limits the quality of the extracted features, and have yet to show their applicability for higher resolutions. Struppek et al. (2022) presents Plug & Play Attacks, which relax the dependency between the target model and image prior, and enable the use of a single GAN to attack a wide range of targets, requiring only minor adjustments to the attack. It also provides a more formal introduction to MIAs and theoretical consideration of ideal MIAs and possible degradation factors."

Plug and Play Attacks (Abstract): "[...] we present Plug & Play Attacks, which relax the dependency between the target model and image prior, and enable the use of a single GAN to attack a wide range of targets, requiring only minor adjustments to the attack.

Plug and Play Attacks (Sec. 1): "For attacking deep neural networks, most MIAs use generative adversarial networks (GANs) (Goodfellow et al., 2014) as image priors to generate realistic images. Previous MIAs [...] avoided distributional shifts and relied on GANs trained on the same data distribution as the target model (Zhang et al., 2020b; Chen et al., 2021; Wang et al., 2021), used additional input information such as blurred pictures of a person (Zhang et al., 2020b), and tailored the attack and its image prior to specific target models (Chen et al., 2021; Wang et al., 2021), restricting the reuse and flexibility of the attacks. Also, all approaches focused on low-resolution images, which limits the quality of the extracted features, and have yet to show their applicability for higher resolutions."

2.) The paper lacks an appropriate presentation and writing. Insufficient introduction of terms, numerous typos, and badly designed figures make it really hard to follow and understand the paper. Approaches like InstaHide should be introduced more formally. Otherwise, following the introduction section is already hard for people not familiar with this method. Similarly, following the explanation of the proposed approach in Section 4 should be improved.

3.) There are numerous details missing in the paper. For example, Fig. 1 states attack results for the MIA by Zhang et al. Without reading the caption, it is unclear, which image corresponds to which defense mechanism. Also, which dataset has been used, how are the depicted samples selected, and what are the evaluation metrics for the attack? Additionally, in this specific case, I doubt that the MIA by Zhang et al. has been used since the approach is designed for 64x64 image resolutions and the depicted images in Fig. 1 clearly have higher resolutions.

4.) The evaluation is only done insufficiently. It is unclear why the paper first introduces model inversion attacks and then never evaluates the proposed defense mechanism on them but explores an attack scenario in which the adversary has access to the shared gradients in a federated learning setting. The paper has to better place the defense mechanism into the literature and conduct a more thoughtful evaluation. Also, details on the performed attack and the CGAN are lacking.

The presentation of the material appears to be quite confusing, as indicated in questions section.

The motivation behind their design is unclear. The objective in section (5) is perplexing. It's not evident why there is a need to optimize a strategy network that maximizes the original loss function. This seems counterintuitive, as the defense goal isn't to reduce face recognition accuracy but rather to lower the success rate of image inversion.

The authors allocate approximately one page to discuss the metric, but the definition of the metric is somewhat obscure and potentially introduces bias. For instance, they introduce a comprehensive metric that combines s1, s2, s3, s4 with $\alpha$ and $\beta$, but they arbitrarily set $\alpha=0.4$ and $\beta=0.6$" based on the intuition that "masking images at the visual level is easier to achieve, so we will pay more attention to the indicators at the attack level". This approach lacks objectivity.

The experimental results are not well organized and difficult to comprehend.

Evaluating the primary contribution of this paper is challenging due to its writing style. It is recommended that the authors carefully proofread and revise their paper before the formal submission.

The writing of the paper can be largely improved. The overall writing style is too technical but lacking of essential and principle designs. Besides, Section 3 is too short to be a section.

Besides, the mathematical notations and equations can be improved to be clearer. It would be better to summarize the frequently used notations in one table or sentence.

The paper is empirically driven and lacks in-depth analysis, whether from methodological or theoretical perspectives, for understanding the under-explored problem of MIA.

The technical novelty is neutral, although the proposed method skillfully combines both worlds of reinforcement learning and data augmentation for defense.

The complexity of the method is unknown. Besides, the running-time efficiency of the proposed method is not reported. It would be better to show the training procedure of the RL model, e.g., by drawing the training curves of rewards, loss, or other metrics. There is a lack of essential information about the used datasets.

Several defense methods for MIA, e.g., [1,2,3], are not included in the paper. Although they may utilize different kinds of techniques for defense, I would suggest at least constructing a more comprehensive related work and a further discussion.

[1] Adversarial Neural Network Inversion via Auxiliary Knowledge Alignment. CCS 2019.

[2] Bilateral Dependency Optimization: Defending Against Model-inversion Attacks. KDD 2022.

[3] On Strengthening and Defending Graph Reconstruction Attack with Markov Chain Approximation. ICML 2023.