Publication
Be Careful What You Smooth For: Label Smoothing Can Be a Privacy Shield but Also a Catalyst for Model Inversion Attacks
Lukas Struppek; Dominik Hintersdorf; Kristian Kersting
In: Computing Research Repository eprint Journal (CoRR), Vol. abs/2310.06549, Pages 1-31, arXiv, 2023.
Abstract
Published as a conference paper at ICLR 2024
Lukas Struppek (Technical University of Darmstadt; German Research Center for AI (DFKI)), struppek@cs.tu-darmstadt.de
Dominik Hintersdorf (Technical University of Darmstadt; German Research Center for AI (DFKI)), hintersdorf@cs.tu-darmstadt.de
Kristian Kersting (Technical University of Darmstadt; Centre for Cognitive Science of TU Darmstadt; Hessian Center for AI (hessian.AI); German Research Center for AI (DFKI))
Label smoothing – using softened labels instead of hard ones – is a widely adopted regularization method for deep learning, showing diverse benefits such as enhanced generalization and calibration. Its implications for preserving model privacy, however, have remained unexplored. To fill this gap, we investigate the impact of label smoothing on model inversion attacks (MIAs), which aim to generate class-representative samples by exploiting the knowledge encoded in a classifier, thereby inferring sensitive information about its training data. Through extensive analyses, we uncover that traditional label smoothing fosters MIAs, thereby increasing a model's privacy leakage. Moreover, we reveal that smoothing with negative factors counters this trend, impeding the extraction of class-related information and leading to privacy preservation, beating state-of-the-art defenses. This establishes a practical and powerful new way of enhancing model resilience against MIAs.
Source code: https://github.com/LukasStruppek/Plug-and-Play-Attacks
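To make the notion of "smoothing with negative factors" concrete, the following added example (written for this page, not code from the paper or from the linked repository) builds smoothed target distributions for positive, zero and negative smoothing factors and evaluates the soft-label cross-entropy on a fixed logit vector. It assumes the standard label-smoothing formula y_k = (1 - alpha) * 1[k == target] + alpha / C and simply lets alpha go negative; the paper's exact parametrisation and its training setup are not reproduced on this page, so treat that as an assumption. The logits and class count are constructed sample values.

```python
import math
from typing import Dict, List


def smooth_labels(target: int, num_classes: int, alpha: float) -> List[float]:
    """Return the smoothed target distribution for one sample.

    Standard label smoothing (alpha > 0) moves probability mass from the true
    class to all classes uniformly:  y_k = (1 - alpha) * 1[k == target] + alpha / C.
    A negative alpha (assumed to follow the same formula) pushes the true-class
    target above 1 and the other targets below 0; the entries still sum to 1.
    """
    if num_classes < 2:
        raise ValueError("need at least two classes")
    return [
        (1.0 - alpha) * (1.0 if k == target else 0.0) + alpha / num_classes
        for k in range(num_classes)
    ]


def log_softmax(logits: List[float]) -> List[float]:
    """Numerically stable log-softmax (subtract the max before exponentiating)."""
    m = max(logits)
    lse = m + math.log(sum(math.exp(z - m) for z in logits))
    return [z - lse for z in logits]


def cross_entropy(logits: List[float], soft_targets: List[float]) -> float:
    """Soft-label cross-entropy  -sum_k y_k * log p_k  for a single sample.

    With negative target entries this value is no longer bounded below by zero:
    the loss keeps rewarding ever-higher confidence on the true class.
    """
    logp = log_softmax(logits)
    return -sum(y * lp for y, lp in zip(soft_targets, logp))


def compare_losses(logits: List[float], target: int, alphas: List[float]) -> Dict[float, float]:
    """Loss of the same prediction under different smoothing factors."""
    num_classes = len(logits)
    return {a: cross_entropy(logits, smooth_labels(target, num_classes, a)) for a in alphas}


if __name__ == "__main__":
    # Constructed sample: a confident 4-class prediction for class 0.
    sample_logits = [5.0, 0.0, 0.0, 0.0]
    for a in (-0.05, 0.0, 0.1):
        print(f"alpha={a:+.2f} targets={smooth_labels(0, 4, a)}")
    print(compare_losses(sample_logits, 0, [-0.05, 0.0, 0.1]))
```

On the constructed logits, positive smoothing yields the largest loss (it penalises the confident prediction), the hard label sits in between, and the negative factor yields a negative loss, which is the numerical signature of the "push the true class harder, the rest lower" behaviour the abstract attributes to negative smoothing.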
