{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,25]],"date-time":"2026-03-25T21:50:39Z","timestamp":1774475439898,"version":"3.50.1"},"reference-count":48,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2023,6,26]],"date-time":"2023-06-26T00:00:00Z","timestamp":1687737600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2023,8,30]]},"abstract":"<jats:p>\n            Collaborative machine learning settings such as federated learning can be susceptible to adversarial interference and attacks. One class of such attacks is termed\n            <jats:italic>model inversion attacks<\/jats:italic>\n            , characterised by the adversary reverse-engineering the model into disclosing the training data. Previous implementations of this attack typically\n            <jats:italic>only<\/jats:italic>\n            rely on the shared data representations, ignoring the adversarial priors, or require that specific layers are present in the target model, reducing the potential attack surface. In this work, we propose a novel context-agnostic model inversion framework that builds on the foundations of gradient-based inversion attacks, but additionally exploits the features and the style of the data controlled by an in-the-network adversary. Our technique outperforms existing gradient-based approaches both qualitatively and quantitatively across all training settings, showing particular effectiveness against the collaborative medical imaging tasks. 
Finally, we demonstrate that our method achieves significant success on two downstream tasks: sensitive feature inference and facial recognition spoofing.\n          <\/jats:p>","DOI":"10.1145\/3592800","type":"journal-article","created":{"date-parts":[[2023,4,24]],"date-time":"2023-04-24T12:18:11Z","timestamp":1682338691000},"page":"1-30","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":18,"title":["Beyond Gradients: Exploiting Adversarial Priors in Model Inversion Attacks"],"prefix":"10.1145","volume":"26","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-0179-6138","authenticated-orcid":false,"given":"Dmitrii","family":"Usynin","sequence":"first","affiliation":[{"name":"Technical University of Munich, Germany and Imperial College London"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5683-5889","authenticated-orcid":false,"given":"Daniel","family":"Rueckert","sequence":"additional","affiliation":[{"name":"Technical University of Munich, Germany and Imperial College London"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8382-8062","authenticated-orcid":false,"given":"Georgios","family":"Kaissis","sequence":"additional","affiliation":[{"name":"Technical University of Munich, Germany and Imperial College London"}]}],"member":"320","published-online":{"date-parts":[[2023,6,26]]},"reference":[{"key":"e_1_3_2_2_2","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978318"},{"key":"e_1_3_2_3_2","doi-asserted-by":"crossref","unstructured":"Borja Balle Giovanni Cherubin and Jamie Hayes. 2022. Reconstructing training data with informed adversaries. In 2022 IEEE Symposium on Security and Privacy (SP) . (2022) 1138\u20131156.","DOI":"10.1109\/SP46214.2022.9833677"},{"key":"e_1_3_2_4_2","unstructured":"Keith Bonawitz Vladimir Ivanov Ben Kreuter Antonio Marcedone H. Brendan McMahan Sarvar Patel Daniel Ramage Aaron Segal and Karn Seth. 2016. Practical secure aggregation for federated learning on user-held data. 
In NIPS Workshop on Private Multi-Party Machine Learning (2016)."},{"issue":"3","key":"e_1_3_2_5_2","doi-asserted-by":"crossref","first-page":"311","DOI":"10.1016\/j.acra.2019.03.011","article-title":"A machine learning algorithm to estimate sarcopenia on abdominal CT","volume":"27","author":"Burns Joseph E.","year":"2020","unstructured":"Joseph E. Burns, Jianhua Yao, Didier Chalhoub, Joseph J. Chen, and Ronald M. Summers. 2020. A machine learning algorithm to estimate sarcopenia on abdominal CT. Academic Radiology 27, 3 (2020), 311\u2013320.","journal-title":"Academic Radiology"},{"key":"e_1_3_2_6_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.media.2019.101539"},{"key":"e_1_3_2_7_2","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2015.2439281"},{"key":"e_1_3_2_8_2","first-page":"70","volume-title":"Proceedings of the European conference on computer vision","author":"Dubey Abhimanyu","year":"2018","unstructured":"Abhimanyu Dubey, Otkrist Gupta, Pei Guo, Ramesh Raskar, Ryan Farrell, and Nikhil Naik. 2018. Pairwise confusion for fine-grained visual classification. In Proceedings of the European conference on computer vision. 70\u201386."},{"key":"e_1_3_2_9_2","doi-asserted-by":"publisher","DOI":"10.3758\/BRM.42.1.351"},{"key":"e_1_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1371\/journal.pone.0235187"},{"key":"e_1_3_2_11_2","first-page":"1","volume-title":"Proceedings of the 2013 International Conference of the BIOSIG Special Interest Group","author":"Erdogmus Nesli","year":"2013","unstructured":"Nesli Erdogmus and S\u00e9bastien Marcel. 2013. Spoofing 2D face recognition systems with 3D masks. In Proceedings of the 2013 International Conference of the BIOSIG Special Interest Group. 
IEEE, 1\u20138."},{"key":"e_1_3_2_12_2","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813677"},{"key":"e_1_3_2_13_2","first-page":"262","article-title":"Texture synthesis using convolutional neural networks","volume":"28","author":"Gatys Leon","year":"2015","unstructured":"Leon Gatys, Alexander S. Ecker, and Matthias Bethge. 2015. Texture synthesis using convolutional neural networks. Advances in Neural Information Processing Systems 28 (2015), 262\u2013270.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_14_2","unstructured":"Jonas Geiping Hartmut Bauermeister Hannah Dr\u00f6ge and Michael Moeller. 2020. Inverting gradients-how easy is it to break privacy in federated learning? Advances in Neural Information Processing Systems 33 (2020) 16937\u201316947."},{"key":"e_1_3_2_15_2","first-page":"979","volume-title":"Proceedings of the 25th USENIX Security Symposium","author":"Gong Neil Zhenqiang","year":"2016","unstructured":"Neil Zhenqiang Gong and Bin Liu. 2016. You are who you know and how you behave: Attribute inference attacks via users\u2019 social friends and behaviors. In Proceedings of the 25th USENIX Security Symposium. 979\u2013995."},{"key":"e_1_3_2_16_2","doi-asserted-by":"crossref","unstructured":"Ali Hatamizadeh Hongxu Yin Pavlo Molchanov Andriy Myronenko Wenqi Li Prerna Dogra Andrew Feng et\u00a0al. 2023. Do gradient inversion attacks make federated learning unsafe? 
IEEE Transactions on Medical Imaging (2023).","DOI":"10.1109\/TMI.2023.3239391"},{"key":"e_1_3_2_17_2","doi-asserted-by":"publisher","DOI":"10.1145\/3359789.3359824"},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2015.7299156"},{"key":"e_1_3_2_19_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-46475-6_43"},{"key":"e_1_3_2_20_2","doi-asserted-by":"publisher","DOI":"10.1038\/s42256-021-00337-8"},{"key":"e_1_3_2_21_2","unstructured":"Helena Klause Alexander Ziller Daniel Rueckert Kerstin Hammernik and Georgios Kaissis. 2022. Differentially private training of residual networks with scale normalisation. In ICML Workshop on Theory and Practise of Differential Privacy (TPDP\u20192022) ."},{"key":"e_1_3_2_22_2","article-title":"Federated learning: Strategies for improving communication efficiency","author":"Kone\u010dn\u1ef3 Jakub","year":"2016","unstructured":"Jakub Kone\u010dn\u1ef3, H Brendan McMahan, Felix X. Yu, Peter Richt\u00e1rik, Ananda Theertha Suresh, and Dave Bacon. 2016. Federated learning: Strategies for improving communication efficiency. arXiv:1610.05492 (2016). Retrieved from https:\/\/arxiv.org\/abs\/1610.05492.","journal-title":"arXiv:1610.05492"},{"key":"e_1_3_2_23_2","unstructured":"Xiaoxiao Li Meirui Jiang Xiaofei Zhang Michael Kamp and Qi Dou. 2021. Fedbn: Federated learning on non-iid features via local batch normalization. In International Conference on Learning Representations (2021)."},{"key":"e_1_3_2_24_2","unstructured":"Ilya Loshchilov and Hutter Frank. 2019. Decoupled weight decay regularization. 
Proceedings of ICLR 7 (2019)."},{"key":"e_1_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2015.7299155"},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00029"},{"key":"e_1_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.1109\/TMI.2014.2377694"},{"key":"e_1_3_2_28_2","doi-asserted-by":"publisher","DOI":"10.3390\/jimaging6120139"},{"key":"e_1_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00065"},{"key":"e_1_3_2_30_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2015.7298640"},{"key":"e_1_3_2_31_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2014.10.031"},{"key":"e_1_3_2_32_2","article-title":"Chexnet: Radiologist-level pneumonia detection on chest x-rays with deep learning","author":"Rajpurkar Pranav","year":"2017","unstructured":"Pranav Rajpurkar, Jeremy Irvin, Kaylie Zhu, Brandon Yang, Hershel Mehta, Tony Duan, Daisy Ding, Aarti Bagul, Curtis Langlotz, Katie Shpanskaya, et\u00a0al. 2017. Chexnet: Radiologist-level pneumonia detection on chest x-rays with deep learning. arXiv:1711.05225 (2017). Retrieved from https:\/\/arxiv.org\/abs\/1711.05225.","journal-title":"arXiv:1711.05225"},{"key":"e_1_3_2_33_2","article-title":"SmoothNets: Optimizing CNN architecture design for differentially private deep learning","author":"Remerscheid Nicolas W.","year":"2022","unstructured":"Nicolas W. Remerscheid, Alexander Ziller, Daniel Rueckert, and Georgios Kaissis. 2022. SmoothNets: Optimizing CNN architecture design for differentially private deep learning. arXiv:2205.04095 (2022). 
Retrieved from https:\/\/arxiv.org\/abs\/2205.04095.","journal-title":"arXiv:2205.04095"},{"key":"e_1_3_2_34_2","doi-asserted-by":"publisher","DOI":"10.1016\/0167-2789(92)90242-F"},{"key":"e_1_3_2_35_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2015.7298682"},{"key":"e_1_3_2_36_2","article-title":"Defending against reconstruction attacks with R\u00e9nyi differential privacy","author":"Stock Pierre","year":"2022","unstructured":"Pierre Stock, Igor Shilov, Ilya Mironov, and Alexandre Sablayrolles. 2022. Defending against reconstruction attacks with R\u00e9nyi differential privacy. arXiv:2202.07623 (2022). Retrieved from https:\/\/arxiv.org\/abs\/2202.07623.","journal-title":"arXiv:2202.07623"},{"key":"e_1_3_2_37_2","unstructured":"Dmitry Ulyanov Vadim Lebedev Andrea Vedaldi and Victor Lempitsky. 2016. Texture networks: feed-forward synthesis of textures and stylized images. In Proceedings of the 33rd International Conference on International Conference on Machine Learning (ICML\u201916) . 48 (2016) 1349\u20131357."},{"key":"e_1_3_2_38_2","doi-asserted-by":"publisher","DOI":"10.2478\/popets-2022-0014"},{"key":"e_1_3_2_39_2","doi-asserted-by":"publisher","DOI":"10.1038\/s42256-021-00390-3"},{"key":"e_1_3_2_40_2","doi-asserted-by":"publisher","DOI":"10.1145\/3377454"},{"key":"e_1_3_2_41_2","volume-title":"Proceedings of the International Conference on Learning Representations","author":"Xie Chulin","year":"2019","unstructured":"Chulin Xie, Keli Huang, Pin-Yu Chen, and Bo Li. 2019. Dba: Distributed backdoor attacks against federated learning. In Proceedings of the International Conference on Learning Representations."},{"key":"e_1_3_2_42_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.ultras.2018.07.006"},{"key":"e_1_3_2_43_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR46437.2021.01607"},{"key":"e_1_3_2_44_2","unstructured":"Jason Yosinski Jeff Clune Anh Nguyen Thomas Fuchs and Hod Lipson. 2015. 
Understanding neural networks through deep visualization. In ICML Workshop on Deep Learning (2015)."},{"key":"e_1_3_2_45_2","unstructured":"Chiyuan Zhang Samy Bengio and Yoram Singer. 2022. Are All Layers Created Equal? Journal of Machine Learning Research 23 67 (2022) 1\u201328."},{"key":"e_1_3_2_46_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00033"},{"key":"e_1_3_2_47_2","article-title":"idlg: Improved deep leakage from gradients","author":"Zhao Bo","year":"2020","unstructured":"Bo Zhao, Konda Reddy Mopuri, and Hakan Bilen. 2020. idlg: Improved deep leakage from gradients. arXiv:2001.02610 (2020). Retrieved from https:\/\/arxiv.org\/abs\/2001.02610.","journal-title":"arXiv:2001.02610"},{"key":"e_1_3_2_48_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-63076-8_2"},{"key":"e_1_3_2_49_2","article-title":"Differentially private federated deep learning for multi-site medical image segmentation","author":"Ziller Alexander","year":"2021","unstructured":"Alexander Ziller, Dmitrii Usynin, Nicolas Remerscheid, Moritz Knolle, Marcus Makowski, Rickmer Braren, Daniel Rueckert, and Georgios Kaissis. 2021. Differentially private federated deep learning for multi-site medical image segmentation. arXiv:2107.02586 (2021). 
Retrieved from https:\/\/arxiv.org\/abs\/2107.02586.","journal-title":"arXiv:2107.02586"}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3592800","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3592800","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T17:49:17Z","timestamp":1750182557000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3592800"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,6,26]]},"references-count":48,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2023,8,30]]}},"alternative-id":["10.1145\/3592800"],"URL":"https:\/\/doi.org\/10.1145\/3592800","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,6,26]]},"assertion":[{"value":"2022-07-13","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-03-07","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-06-26","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}