Dominik Hintersdorf

My research is centered around the privacy and security of deep learning systems. As deep learning is increasingly used in real-world products and tasks, the data to train such systems is getting more and more relevant and important. In many of those tasks, the models have to be reliable and secure since during training, sensitive data might have been used, such as medical information or other personal data like for example images. In my work, I study possible threats and mitigation techniques to the security and privacy of deep learning models.

I received by Masters from TU Darmstadt and am a PhD student under the supervision of Prof. Kristian Kersting since 2021.

news

Oct 27, 2023	Our papers Defending Our Privacy With Backdoors and Leveraging Diffusion-Based Image Variations for Robust Training on Poisoned Data got accepted at the NeurIPS 2023 Workshop on Backdoors in Deep Learning.
Sep 11, 2023	We gave a talk at the AISola conference titled “Balancing Transparency and Risk: The Security and Privacy Risks of Open-Source Machine Learning Models”.
Sep 11, 2023	Our paper SEGA: Instructing Text-to-Image Models using Semantic Guidance got accepted at NeurIPS 2023.

selected publications

ICCV

Rickrolling the Artist: Injecting Backdoors into Text Encoders for Text-to-Image Synthesis

Lukas Struppek, Dominik Hintersdorf, and Kristian Kersting

In Proceedings of the 19th IEEE/CVF International Conference on Computer Vision, 2023

Abs PDF Code

While text-to-image synthesis currently enjoys great popularity among researchers and the general public, the security of these models has been neglected so far. Many text-guided image generation models rely on pre-trained text encoders from external sources, and their users trust that the retrieved models will behave as promised. Unfortunately, this might not be the case. We introduce backdoor attacks against text-guided generative models and demonstrate that their text encoders pose a major tampering risk. Our attacks only slightly alter an encoder so that no suspicious model behavior is apparent for image generations with clean prompts. By then inserting a single character trigger into the prompt, e.g., a non-Latin character or emoji, the adversary can trigger the model to either generate images with pre-defined attributes or images following a hidden, potentially malicious description. We empirically demonstrate the high effectiveness of our attacks on Stable Diffusion and highlight that the injection process of a single backdoor takes less than two minutes. Besides phrasing our approach solely as an attack, it can also force an encoder to forget phrases related to certain concepts, such as nudity or violence, and help to make image generation safer.
IJCAI

To Trust or Not To Trust Prediction Scores for Membership Inference Attacks

*Dominik Hintersdorf, *Lukas Struppek, and Kristian Kersting

In Proceedings of the Thirty-First International Joint Conference on Artificial Intelligence, 2022

Abs PDF Code

Membership inference attacks (MIAs) aim to determine whether a specific sample was used to train a predictive model. Knowing this may indeed lead to a privacy breach. Most MIAs, however, make use of the model’s prediction scores - the probability of each output given some input - following the intuition that the trained model tends to behave differently on its training data. We argue that this is a fallacy for many modern deep network architectures. Consequently, MIAs will miserably fail since overconfidence leads to high false-positive rates not only on known domains but also on out-of-distribution data and implicitly acts as a defense against MIAs. Specifically, using generative adversarial networks, we are able to produce a potentially infinite number of samples falsely classified as part of the training data. In other words, the threat of MIAs is overestimated, and less information is leaked than previously assumed. Moreover, there is actually a trade-off between the overconfidence of models and their susceptibility to MIAs: the more classifiers know when they do not know, making low confidence predictions, the more they reveal the training data.
FAccT

Learning to Break Deep Perceptual Hashing: The Use Case NeuralHash

*Lukas Struppek, *Dominik Hintersdorf, Daniel Neider, and Kristian Kersting

In Proceedings of the 2022 ACM Conference on Fairness, Accountability, and Transparency, 2022

Abs PDF Code

Apple recently revealed its deep perceptual hashing system NeuralHash to detect child sexual abuse material (CSAM) on user devices before files are uploaded to its iCloud service. Public criticism quickly arose regarding the protection of user privacy and the system’s reliability. In this paper, we present the first comprehensive empirical analysis of deep perceptual hashing based on NeuralHash. Specifically, we show that current deep perceptual hashing may not be robust. An adversary can manipulate the hash values by applying slight changes in images, either induced by gradient-based approaches or simply by performing standard image transformations, forcing or preventing hash collisions. Such attacks permit malicious actors easily to exploit the detection system: from hiding abusive material to framing innocent users, everything is possible. Moreover, using the hash values, inferences can still be made about the data stored on user devices. In our view, based on our results, deep perceptual hashing in its current form is generally not ready for robust client-side scanning and should not be used from a privacy perspective.