DRAG: Data Reconstruction Attack using Guided Diffusion

Thank you for your valuable feedback. We address your concerns point by point below.

---

1. Related to the evaluation metrics

The choice of metrics is highly application dependent, and our selections were guided by prior works in this area. In our study, we focused on MS-SSIM, LPIPS, and DINO because they better capture human perceptual similarity and privacy leaks. PSNR and MSE are sensitive to translation and other low-level distortions. However, we are open to including PSNR to offer a more comprehensive analysis.

---

2. It would be better to provide comparisons with more SOTA attacks.
3. The assumption that the attacker has white-box access to the model architecture and parameters is a strong setting, which is usually unpractical in real-world scenarios.

We agree that FORA [1] and related works are important to discuss in the context of privacy threats in split inference, and we will include a discussion of these methods in the revised paper.

These works consider privacy risk under a different configuration from ours by exploring query-free data reconstruction attacks in split learning. In that setup, the attacker cannot directly access $f_c$ but may capture or interfere with the training process to build a surrogate model $\tilde{f}_c \approx f_c$. Once this surrogate model is built, attackers can reconstruct private data using either optimization-based (e.g., DRAG) or learning-based methods. Xu et al. [1] note that combining these two research areas can lead to more powerful reconstruction attacks, as their developments are independent.

On the other hand, our work focuses on the privacy risks associated with using foundation models as part of the model parameters in downstream tasks, implying that an attacker can feasibly access $f_c$ directly. Our findings highlight the need to develop privacy-preserving inference techniques, especially as new applications [2, 3] increasingly leverage foundation models.

---

4. What about the performance on smaller CNN models like ResNet? More evaluation on the CNN models utilized in previous works is expected for alignment with the baselines.

DRAG is broadly applicable to all models regardless of architecture. To address it, we evaluated our method on CLIP-RN50. Key results are presented in Table 2 of the main paper. Detailed experimental results can be found in Appendix A, specifically Table 6, Fig. 6c) and Fig. 7c). We will reorganize the paper to more clearly direct readers to the experimental results and improve overall clarity.

The table below—captured from Appendix A—illustrates DRAG's effectiveness compared to other methods in reconstructing data from CLIP-RN50. In this experiment, the feature space distance metric $d_\mathcal{H}$ was implemented using MSELoss. Due to space limitations, we have presented results for model splits at blocks 4 to 5.

---

Minor mistake: the GLASS is published in 2023 instead of 2024.

Thanks for pointing out this issue. We have revised the year of this reference.

---

The GradViT is introduced in the “Baseline Attacks” section in the Appendix. But where is the experimental results?

We apologize for the confusion regarding the explanation of GradViT. GradViT is a parallel work that focuses on reconstructing training data using the gradients of model parameters. We referenced it because we observed artifacts in rMLE when attacking ViT, and GradViT proposed a regularization to mitigate these artifacts. We have adapted this regularization to strengthen rMLE and LM (referring to $\lambda_\text{patch}$ in Table 10). However, even with this regularization, reconstruction of deep-layer IR fails, which motivated our proposal of a data-driven image prior for enhancement.

---

We appreciate your feedback and remain available to address any additional questions or concerns you may have.

Reference

[1] Xu, X., et al. A stealthy wrongdoer: Feature-oriented reconstruction attack against split learning. In CVPR, 2024.

[2] Liu, H., et al. Visual instruction tuning. In NeurIPS, 2023.

[3] Chen, J., et al. Minigpt-v2: large language model as a unified interface for vision-language multi-task learning. arXiv preprint arXiv:2310.09478. 2023

Thank you for your valuable feedback. We address your concerns point by point below.

---

Fig. 2 is not very effective for understanding, even though it is drawn simply. The caption should include additional explanations.

We agree that enhancing the caption and associated text will improve clarity. We will revise the figure accordingly and upload the updated version to OpenReview before 4/8.

---

The paper evaluates DRAG against DISCO (2021) and NoPeek (2020), but these defenses are somewhat outdated.

Thank you for pointing out this issue. We chose DISCO and NoPeek as target defenses because they are representative of the approaches highlighted in GLASS, and they provide a well-established baseline for comparison. Additionally, we have identified several more recent works [4-6], and we will include evaluations against these newer defenses in the next revision to offer a more comprehensive assessment.

---

The method is not specifically designed for ViT or deeper layer models. Its applicability to CNNs and potential performance improvements over other methods remain unclear.

DRAG is broadly applicable to all models regardless of architecture. To address it, we evaluated our method on CLIP-RN50. Key results are presented in Table 2 of the main paper. Detailed experimental results can be found in Appendix A, specifically Table 6, Fig. 6c) and Fig. 7c). We will reorganize the paper to more clearly direct readers to the experimental results and improve overall clarity.

The table below—captured from Appendix A—illustrates DRAG's effectiveness compared to other methods in reconstructing data from CLIP-RN50. In this experiment, the $d_\mathcal{H}$ was implemented using MSELoss. Due to space limitations, we have presented results for model splits at blocks 4 to 5.

---

The experimental results lack discussion. The method is more effective at reconstructing data from deep layers compared to shallow layers. What accounts for this difference?

Optimization-based DRAs optimize the sample $x$ by minimizing $d_\mathcal{H}$. When the split point is deep, this primarily guides $x$ to align with the high-level features of the target image, without necessarily ensuring a match of pixel-level accuracy. Prior DRAs often fail in reconstructing the image from deep-layer IR because they do not sufficiently restrict the search space. To improve DRA, we leverage a diffusion prior to constrain $x$, based on the assumption that the private image is an natural image.

---

The paper should include the discussion of FORA, etc,. methods.

We agree that FORA and related works are important to discuss in the context of privacy threats in split inference, and we will include a discussion of these methods in the revised paper.

These works consider privacy risk under a different configuration from ours by exploring query-free data reconstruction attacks in split learning. In that setup, the attacker cannot directly access $f_c$ but may capture or interfere with the training process to build a surrogate model $\tilde{f}_c \approx f_c$. Once this surrogate model is built, attackers can reconstruct private data using either optimization-based (e.g., DRAG) or learning-based methods. Xu et al. [1] note that combining these two research areas can lead to more powerful reconstruction attacks, as their developments are independent.

On the other hand, our work focuses on the privacy risks associated with using foundation models as part of the model parameters in downstream tasks, implying that an attacker can feasibly access $f_c$ directly. Our findings highlight the need to develop privacy-preserving inference techniques, especially as new applications [2, 3] increasingly leverage foundation models.

---

We appreciate your feedback and remain available to address any additional questions or concerns you may have.

Reference

[1] Xu, X., et al. A stealthy wrongdoer: Feature-oriented reconstruction attack against split learning. In CVPR, 2024.

[2] Liu, H., et al. Visual instruction tuning. In NeurIPS, 2023.

[3] Chen, J., et al. Minigpt-v2: large language model as a unified interface for vision-language multi-task learning. arXiv preprint arXiv:2310.09478. 2023

[4] Wang, T., et al. Improving robustness to model inversion attacks via mutual information regularization. In AAAI, 2021

[5] Zou, T., et al. Mutual information regularization for vertical federated learning. arXiv preprint arXiv:2301.01142. 2023

[6] Duan, L., et al. Reimagining Mutual Information for Enhanced Defense against Data Leakage in Collaborative Inference. In NeurIPS. 2024

Thank you for your valuable feedback. We address your concerns point by point below.

---

The proposed method make sense for the problem and application. However, the paper lacks details on the attack framework. The author only refer to the Figure 2 for the attack framework. In Figure 2, why all images look like noise for timesteps 0 to $T$? $g_t$ in equation 6 is not clear shown in the figure. Algorithm 1 is never cited, and the symbols in the algorithm are not explained.

We apologize for the lack of clarity regarding the DRAG framework in the draft. In the revised manuscript, we will provide a detailed description of the DRAG approach and address several points. In Figure 2, we currently want to decipt that $x_{t-1}$ to $x_0$ are to be computed, and we will further improve the legend to enhance clarity. Additionally, we will explicitly illustrate and define $g_t$ in Figure 2 to clearly depict its role. We will also properly reference Alg. 1 in the main paper and include thorough explanations for all associated symbols.

---

In line 225, it is unclear why there is a loop and what is the value for $k$ in the experiments. If the attack requires back propogation for every timestep, the attack should experience very long runtime. If the attack does not require back propogation for every timestep, it is unclear what backprop. is done for the diffusion model.

How does the back propagation applied to the diffusion model as suggested in Figure 2?

To clarify, DRAG requires back-propagation at each timestep to reconstruct the image, and the number of iterations $k$ in the inner loop controls the reconstruction quality. Figure 11b) illustrates the trade-off between reconstruction quality and execution time, while Table 9 provides execution times for various DRAs. Although the algorithm includes an inner loop, our experiments demonstrate that this approach leads to higher reconstruction performance when the split point is deep, thereby highlighting significant privacy threats.

The back propagation computes the gradient for the sample $x_t$, which is then used to adjust the sampling process of $\epsilon_t$ according to Eq. 8 during DDPM denoising.

---

In section 2.2 line 98-99, the author mentions three types of DRA, however, only one of them is introduced in this section.

Thanks for pointing out this issue. We will revise this section to mention the other types of DRA for a more comprehensive review.

---

Below is a work solving the same problem by using diffusion model, and the target model is ViT. I suggest comparing DRAG with DIA.

In our framework, DIA can be viewed as an enhancement to the inverse network $f_c^{-1}$ within our reconstruction pipeline (see Fig. 2), as it provides a better initialization for the optimization-based reconstruction process. Notably, the $f_c^{-1}$ component is optional and requires extra data and model training. In contrast, DRAG leverages a publicly available diffusion model and does not require additional training or data, aligning with the prior work we compared against.

---

We appreciate your feedback and remain available to address any additional questions or concerns you may have.

Thank you for your valuable feedback. We address your concerns point by point below.

---

it is unclear what dataset the GAN used in GLASS is trained on, and how that compared to the dataset that the diffusion model DRAG is trained on, and should be mentioned in more detail.

In our evaluation of GLASS, we used two GAN models: StyleGAN2-ADA (trained on FFHQ) and StyleGAN-XL (trained on ImageNet). These models are the most relevant publicly accessible GANs, to the best of our knowledge. We assume that GLASS has prior knowledge of the target image distribution; therefore, if the private image is from FFHQ, the attacker selects StyleGAN2-ADA, and if not, StyleGAN-XL is selected. This setup inherently gives advantages to GLASS in the comparison.

On the other hand, DRAG utilizes SDv1.5, pretrained on a subset of LAION-5B, to demonstrate the effectiveness of the diffusion prior with the support of a large dataset. This choice reflects the evolving nature of DMs and their accessibility, potentially reducing the attacker's cost in preparing the model. We will update the paper to include these experimental details for improved clarity.

---

There is very limited explanation of the DRAG++ method. In particular:

1. Can we write out the DRAG++ pseudocode in full? At least in the appendix
2. What are the details of the dataset used to train the reconstruction network? How sensitive is DRAG++ to the choice of public dataset
3. I think DRAG++ should be explained earlier in the paper rather than at the end right before the conclusion. At the moment it seems like it was added ad-hoc

We agree that DRAG++ should be introduced earlier in the paper. We will also include the full DRAG++ pseudocode in the appendix to provide complete details. In brief, DRAG++ uses an auxiliary $f_c^{-1}$ to initialize $x_{t}$ and denoises from $t=sT$ (where $s \in [0,1]$), while the core guided diffusion remains unchanged. We refer to DRAG++ as an optional enhancement, since $f_c^{-1}$ is an auxiliary component for attackers who have the resources to train such a network. Regarding the training dataset of $f_c^{-1}$, we train it on the ImageNet-1K training split (using 50% of the data, while assuming the other 50% is not accessible to the attacker).

To evaluate the sensitivity of DRAG++ to the choice of public dataset, we also train $f_c^{-1}$ on other datasets. For a fair comparison, we randomly sampled 60,000 images from the dataset to serve as the training data. Our results indicate that using a less diverse dataset (e.g., FFHQ) leads to a slight performance drop, whereas training on more complex datasets (e.g., ImageNet or MSCOCO), maintains similar performance.

---

The largest concern is that the paper is that there is both the reconstruction model and the attack DM are trained on the same domain.

To address this concern, we designed an experiment to evaluate the OOD capability of using a DM as an image prior in DRA. In this experiment, we employ the checkpoint "google/ddpm-bedroom-256" from HuggingFace, which we denote as DRAG* to distinguish it from DRAG using SDv1.5. The inference model used is CLIP-ViT-B/16, and the evaluation is performed on the same dataset as in our paper. The bold number, shown among rMLE, LM, GLASS, and DRAG*, indicates the best score. The original score of DRAG is also provided for reference.

These experimental results show that DRAG using an OOD DM outperforms rMLE, LM, and GLASS in Layer 12 according to LPIPS and DINO metrics, thereby demonstrating the effectiveness of leveraging DMs in DRAs under an OOD configuration.

---

For ResNet models, do you still use the same cosine loss function given in equation 10? The authors only specify this for transformer models.

We have applied MSELoss as the distance metric $d_\mathcal{H}$ for all DRAs while attacking CLIP-RN50. We would mention this configuration earlier in the revised menuscript.

---

We appreciate your feedback and remain available to address any additional questions or concerns you may have.