Random Erasing vs. Model Inversion: A Promising Defense or a False Hope?
Abstract
Model Inversion (MI) attacks represent a substantial privacy risk, as they enable adversaries to reconstruct sensitive training data by exploiting machine learning models. While current defensive strategies largely focus on model-centric methodologies, the role of data in enhancing robustness against MI has received limited attention. This study investigates Random Erasing (RE), a standard technique employed to bolster model generalization in the presence of occlusion, and reveals its unexpected potency as a countermeasure against MI attacks.
Through a novel analysis of the feature space, we demonstrate that models trained using RE-modified images exhibit a pronounced divergence between the features of MI-reconstructed images and those of the actual private data. Concurrently, the features of the genuine private images remain clearly distinguishable from other classes and well-isolated from various classification boundaries. Together, these dynamics impair the quality of MI reconstructions and reduce attack accuracy, all while preserving acceptable levels of natural accuracy.
We further examine two essential characteristics of RE: Partial Erasure and Random Location. Partial Erasure ensures that the model does not encounter complete objects during the training phase. We identify that this limitation significantly hinders MI attacks, which rely on the full reconstruction of objects. Meanwhile, the Random Location of the erasure is pivotal in securing a robust balance between privacy and utility.
Our results position RE as a straightforward yet highly effective defense strategy that can be seamlessly combined with existing privacy-preserving protocols. Comprehensive experiments spanning 37 distinct configurations confirm that our approach delivers state-of-the-art (SOTA) performance in the privacy-utility trade-off. The outcomes consistently affirm the superiority of our defense compared to established methods across a variety of MI attack vectors, network architectures, and attack settings. Notably, for certain configurations, we achieve a marked reduction in attack accuracy without any compromise in utility, marking a first in this domain.
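The two RE properties named in the abstract, Partial Erasure and Random Location, shown as an added sketch that is not code from the paper or its authors. The area and aspect ranges, erasing every training view, the constructed 16x16 all-ones image, and the pixel-visibility statistic (a simple proxy, not the paper's feature-space analysis) are all assumptions made here.

```python
import math
import random

def random_erase(img, rng, area=(0.1, 0.4), aspect=(0.3, 3.3), fill=0, fixed_loc=None):
    """Return a copy of img (list of pixel rows) with one rectangle set to `fill`.

    area / aspect are assumed ranges (fraction of image area, height:width ratio).
    fixed_loc=(top, left) pins the rectangle; None draws a new location per call.
    """
    h, w = len(img), len(img[0])
    while True:  # resample until the rectangle is non-empty and smaller than the image
        a = rng.uniform(*area) * h * w
        r = math.exp(rng.uniform(math.log(aspect[0]), math.log(aspect[1])))
        eh, ew = round(math.sqrt(a * r)), round(math.sqrt(a / r))
        if 0 < eh < h and 0 < ew < w:
            break
    if fixed_loc is None:
        top, left = rng.randint(0, h - eh), rng.randint(0, w - ew)
    else:
        top, left = min(fixed_loc[0], h - eh), min(fixed_loc[1], w - ew)
    out = [row[:] for row in img]
    for y in range(top, top + eh):
        out[y][left:left + ew] = [fill] * ew
    return out

def visibility(h=16, w=16, views=200, fixed_loc=None, seed=0):
    """Show `views` erased copies of an all-ones image (constructed sample input).

    Returns (fraction of pixels never visible in any view, number of complete views).
    """
    rng = random.Random(seed)
    img = [[1] * w for _ in range(h)]
    seen = [[0] * w for _ in range(h)]
    complete = 0
    for _ in range(views):
        out = random_erase(img, rng, fixed_loc=fixed_loc)
        complete += all(all(row) for row in out)  # True only if nothing was erased
        for y in range(h):
            for x in range(w):
                seen[y][x] |= out[y][x]
    never = sum(row.count(0) for row in seen) / (h * w)
    return never, complete

if __name__ == "__main__":
    print("random location:", visibility())
    print("fixed location :", visibility(fixed_loc=(0, 0)))
```

With a random location no single view is complete, yet every pixel is visible in some view; pinning the rectangle leaves a region the model never sees at all.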
Source: arXiv