Mobile edge devices see increased demands in deep neural networks (DNNs) inference while suffering from stringent constraints in computing resources. Split computing (SC) emerges as a popular approach to the issue by executing only initial layers on devices and offloading the remaining to the cloud. Prior works usually assume that SC offers privacy benefits as only intermediate features, instead of private data, are shared from devices to the cloud. In this work, we debunk this SC-induced privacy protection by (i) presenting a novel data-free model inversion method and (ii) demonstrating sample inversion where private data from devices can still be leaked with high fidelity from the shared feature even after tens of neural network layers. We propose Divide-and-Conquer Inversion (DCI) which partitions the given deep network into multiple shallow blocks and inverts each block with an inversion method. Additionally, cycle-consistency technique is introduced by re-directing the inverted results back to the model under attack in order to better supervise the training of the inversion modules. In contrast to prior art based on generative priors and computation-intensive optimization in deriving inverted samples, DCI removes the need for real device data and generative priors, and completes inversion with a single quick forward pass over inversion modules. For the first time, we scale data-free and sample-specific inversion to deep architectures and large datasets for both discriminative and generative networks. We perform model inversion attack to ResNet and RepVGG models on ImageNet and SNGAN on CelebA and recover the original input from intermediate features more than 40 layers deep into the network.
翻译:移动边缘装置看到深层神经网络(DNNs)在计算资源的严格限制下增加了需求,而深层神经网络(DNNs)则增加了对移动边缘装置的需求。 分解计算(SC)作为一种受欢迎的方法,在设备上只执行初始层,并将剩余部分卸载到云中。 先前的工作通常假定, SC只提供隐私利益, 因为只有中间特性, 而不是私人数据从设备到云中共享。 在这项工作中, 我们用以下方法将SC诱发的隐私保护除去:(一) 推出一种新的无数据转换模型, 并(二) 展示来自装置的私人数据仍然可以从共享的网络特性中以高度忠诚的方式渗漏的图像倒转。 我们建议, 将给给定的深端网络分为多个浅层, 而不是从私人数据向云层。 此外, 我们引入了循环协调技术, 将反向特定结果反馈模型回到攻击中的模型, 以更好地监督对转基因模块的培训。 与先前基于基因前和深层网络的精度变化和计算模型相比, 将前一级的精度输入, 在前基因结构转换中,我们需要进行真正的和计算和计算中, 快速数据转换中, 快速转换中, 需要进行真正的数据转换为实时和快速数据结构结构结构结构结构结构, 并进行真正的恢复, 进行真正的数据转换, 快速数据结构结构结构, 需要进行真正的恢复和升级和升级, 升级, 升级到前的系统, 快速结构结构结构结构结构, 快速转换为系统结构, 快速转换为系统结构, 快速转换为系统。