Label-Only Inversion is a black-box model inversion attack that reconstructs representative class-level images by querying a target model and observing only the final hard-label prediction, without requiring access to confidence scores, logits, or gradients. This attack exploits the decision boundary geometry by iteratively refining a synthetic input until the model's predicted label matches the target class, effectively extracting the model's internal class prototype through binary feedback alone.
Glossary
Label-Only Inversion

What is Label-Only Inversion?
A model inversion technique that reconstructs class representations using only predicted labels, without access to confidence scores or gradients.
Unlike traditional model inversion attacks that rely on full prediction vectors to guide optimization, label-only inversion operates under the strictest threat model where the adversary receives only the top-1 predicted class. The attack leverages techniques such as boundary-distance estimation and zeroth-order optimization to navigate the input space, demonstrating that even minimal output information can leak sensitive visual features when combined with knowledge of the model architecture and the adversary's ability to make repeated queries.
Key Characteristics of Label-Only Inversion
Label-only inversion is a black-box attack variant that reconstructs class-level representative images by querying a model and observing only the hard-label predictions, without access to confidence scores or gradients.
Hard-Label Decision Boundary Exploitation
Unlike standard model inversion which exploits confidence scores, label-only attacks rely solely on the hard-label prediction (e.g., 'dog' vs. 'cat'). The attacker iteratively perturbs a random input and observes whether the predicted class flips. By probing the decision boundary from multiple directions, the adversary can reconstruct a prototypical image that sits precisely at the classification threshold, revealing the model's internal representation of that class without ever seeing a probability distribution.
Query Efficiency and Boundary Proximity
Label-only attacks are inherently query-intensive because each iteration provides only a single bit of information (correct/incorrect class). Attackers optimize for query efficiency by:
- Using boundary-proximity algorithms that estimate gradient direction from label changes
- Employing evolutionary strategies to guide the search
- Leveraging natural image priors (e.g., total variation, color consistency) to constrain the search space A successful attack may require thousands to millions of queries, making query auditing a viable defense.
Defense via Confidence Score Masking
The primary defense that forces attackers into a label-only regime is confidence score masking, where the model API returns only the top-k class labels without probability vectors. This defense truncates the rich signal available to standard inversion attacks. However, label-only attacks demonstrate that masking alone is insufficient—determined adversaries can still reconstruct recognizable class prototypes. Effective defense requires combining masking with differential privacy, output perturbation, or query rate limiting.
Reconstruction Fidelity Limitations
Label-only inversion produces class-level representatives, not specific training examples. The reconstructed images capture common features the model associates with a class—such as general shapes, textures, and color distributions—but lack instance-specific details like faces, license plates, or background elements. This distinguishes label-only attacks from gradient inversion or Deep Leakage from Gradients (DLG), which can recover pixel-accurate training samples. The privacy risk is class-level leakage rather than individual record exposure.
Relationship to Decision-Based Adversarial Attacks
Label-only inversion shares algorithmic foundations with decision-based adversarial attacks (e.g., Boundary Attack, HopSkipJump). Both operate in the hard-label black-box setting and iteratively walk along the decision boundary. The key difference is the objective: adversarial attacks seek minimally perturbed misclassified inputs, while label-only inversion seeks maximally prototypical class representations. Techniques from one domain—such as gradient estimation via finite differences and boundary-following algorithms—directly transfer to the other.
Mitigation via Information Bottleneck Training
Training models with an information bottleneck objective compresses input data into a latent representation that is maximally informative for the task while minimizing mutual information with the original input. This naturally limits the fidelity of label-only reconstructions because the model discards fine-grained details unnecessary for classification. Related techniques include:
- Maximal Coding Rate Reduction (MCR2) for discriminative compressed features
- Variational autoencoder preprocessing to strip sensitive high-frequency signals
- Dropout during training to introduce representational uncertainty
Label-Only Inversion vs. Other Model Inversion Attacks
A comparative analysis of Label-Only Inversion against other prominent model inversion and reconstruction attacks based on threat model, required access, and reconstruction fidelity.
| Feature | Label-Only Inversion | Model Inversion Attack | Gradient Inversion (DLG) |
|---|---|---|---|
Threat Model | Black-box | White-box | White-box |
Required Access | Hard-label predictions only | Confidence scores | Per-sample gradients |
Reconstruction Target | Class-level representative | Class-level representative | Specific training sample |
Exploits Confidence Scores | |||
Exploits Gradients | |||
Applicable to Federated Learning | |||
Defense: Differential Privacy | |||
Defense: Confidence Masking |
Frequently Asked Questions
Addressing the most common questions about black-box reconstruction attacks that exploit hard-label predictions to infer sensitive class-level representations without access to confidence scores or gradients.
A label-only inversion attack is a black-box reconstruction technique that recovers class-representative images by querying a target model and observing only the final predicted class label—the hard label—without any access to confidence scores, logits, or gradients. Unlike standard model inversion, which exploits the full prediction vector to iteratively maximize class confidence, label-only attacks operate in a strictly more restricted threat model. The attacker must navigate a discrete, non-differentiable decision boundary using only binary feedback: whether the model's top-1 prediction matches the target class. This is typically achieved through boundary-hopping algorithms or evolutionary strategies that perturb candidate inputs and accept modifications only when the predicted label remains consistent with the target class, gradually moving the sample toward regions of high class density in the input space.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Key concepts and techniques related to label-only model inversion attacks and their corresponding defenses.
Model Inversion Attack
The broader class of attacks that reconstruct representative samples of a target class or specific training data points by exploiting access to a trained model's parameters and confidence scores. Label-only inversion is a constrained variant of this attack that operates without access to confidence scores, making it harder to detect and defend against. The attacker iteratively queries the model and uses only the predicted class label to guide the reconstruction process.
Confidence Score Masking
A defense mechanism that limits the information leaked by a model by truncating or rounding the prediction vector to return only the top-k class labels instead of full probability distributions. While effective against standard model inversion attacks that rely on confidence scores, label-only inversion attacks are specifically designed to bypass this defense by operating solely on hard-label predictions.
Membership Inference Attack (MIA)
An attack that determines whether a specific data record was part of a model's training set by analyzing the model's prediction behavior on that record. Label-only inversion shares a similar threat model with MIA, as both exploit the model's output behavior. Defenses against MIA, such as differential privacy and output perturbation, can also degrade the fidelity of label-only inversion reconstructions.
Differential Privacy (DP)
A mathematical framework that provides provable privacy guarantees by injecting calibrated noise into the computation, ensuring the output distribution is nearly identical whether or not a single individual's data is included. DP-SGD is the primary training-time defense against label-only inversion, as it bounds the influence of individual training examples by clipping per-sample gradients and adding Gaussian noise, directly limiting what can be reconstructed.
Query Auditing
A runtime defense that monitors incoming API queries to a model, detecting and blocking anomalous sequences or high-frequency requests characteristic of model inversion or extraction attacks. Since label-only inversion requires a large number of queries to iteratively refine the reconstructed image, query auditing can detect and throttle these attack patterns by enforcing rate limits and analyzing query distribution entropy.
Adversarial Regularization
A training methodology that augments the loss function with a penalty term designed to minimize the success of an adversary attempting to reconstruct inputs or infer membership. Techniques like Mixup training and defensive distillation smooth decision boundaries and reduce the information content of model outputs, making it harder for label-only inversion attacks to extract high-fidelity reconstructions from hard-label predictions.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us