PRIVATE SPLIT INFERENCE OF DEEP NETWORKS

Abstract

Splitting network computations between the edge device and the cloud server is a promising approach for enabling low edge-compute and private inference of neural networks. Current methods for providing privacy train the model to minimize information leakage for a given set of private attributes. In practice, however, the test queries might contain private attributes that are not foreseen during training. We propose an alternative solution in which, instead of obfuscating the information corresponding to a set of attributes, the edge device discards the information irrelevant to the main task. To this end, the edge device runs the model up to a split layer determined by its computational capacity and then removes the activation content that is in the null space of the next layer of the model before sending it to the server. It can further remove the low-energy components of the remaining signal to improve privacy at the cost of reduced accuracy. The experimental results show that our methods provide privacy while maintaining accuracy and introducing only a small computational overhead.

1. INTRODUCTION

The surge in cloud computing and machine learning in recent years has led to the emergence of Machine Learning as a Service (MLaaS), where the compute capacity of the cloud is used to analyze the data that lives on edge devices. One shortcoming of the MLaaS framework is the leakage of clients' private data to the cloud server. To address this problem, several cryptography-based solutions have been proposed that provide provable security at the cost of increasing the communication cost and delay of remote inference by orders of magnitude (Juvekar et al., 2018; Riazi et al., 2019). Cryptography-based solutions are applicable in use cases such as healthcare, where a few minutes of delay is tolerable, but not in scenarios where millions of clients request fast and low-cost responses, such as the Amazon Alexa or Apple Siri applications. A lightweight alternative to cryptographic solutions is to manually hide private information on the edge device; for instance, sensitive information in an image can be blurred on the edge device before sending it to the service provider (Vishwamitra et al., 2017). This approach, however, is task-specific and may not be viable for generic applications. The objective of the split inference framework, shown in Figure 1, is to provide a generic and computationally efficient data obfuscation scheme (Kang et al., 2017; Chi et al., 2018). The service provider trains the model and splits it into two sub-models, M1 and M2, where M1 contains the first few layers of the model and M2 contains the rest. The client runs M1 on the edge device and sends the resulting feature vector z = M1(x) to the server, which computes the public label as y_pub = M2(z). To preserve privacy, the client desires z to contain only information related to the underlying task. For instance, when sending facial features for cell-phone authentication, the client does not want to disclose other information such as their mood.
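As a concrete illustration of the setup above, the split can be sketched in a few lines of PyTorch. The architecture, layer sizes, and split point below are hypothetical choices for illustration, not the models used in the paper.

```python
import torch
import torch.nn as nn

# Hypothetical model: sizes and depth are illustrative only.
model = nn.Sequential(
    nn.Linear(784, 256), nn.ReLU(),   # first few layers -> M1 (edge device)
    nn.Linear(256, 64), nn.ReLU(),    # remaining layers -> M2 (cloud server)
    nn.Linear(64, 10),
)

split = 2                 # split point chosen by the client's compute budget
M1 = model[:split]        # runs on the edge device
M2 = model[split:]        # runs on the cloud server

x = torch.randn(1, 784)   # client's private input
z = M1(x)                 # feature vector sent over the network
y_pub = M2(z)             # server-side prediction of the public label
```

Slicing `nn.Sequential` this way guarantees that `M2(M1(x))` equals `model(x)`, so the split itself does not change the prediction; privacy mechanisms act only on `z` before it leaves the device.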
As seen in Figure 1, the privacy leakage is quantified by an adversary that trains a model M3 to extract the private label y_pri from the feature vector z. Current methods of private split inference aim to censor the information corresponding to a list of known private attributes. For example, Feutry et al. (2018) utilize adversarial training to minimize the accuracy of M3 on the private attribute, and Osia et al. (2018) minimize the mutual information between the query z and the private label y_pri at training time. The set of private attributes, however, can vary from one query to another. Hence, it is not feasible to foresee all types of attributes that could be considered private for a specific MLaaS application. Moreover, the need to annotate inputs with all possible private attributes significantly increases the cost of model training. In this paper, we propose an alternative solution where, instead of censoring the information that is utilized to predict known private attributes, we discard the information that is not used by the main model for predicting the public attribute. Our contributions are summarized as follows.

• We characterize the information that is not relevant to the prediction of the public attribute as the part of the content of the feature vector z that will be removed by the server-side model. We define the null content of the feature vector, z_N, as the content of z that lies in the null space of the following linear layer; the remaining content is called the signal content and is denoted by z_S. We have M2(z) = M2(z_S + z_N) = M2(z_S).

• We propose to remove z_N from the features z and show that doing so reduces the accuracy of the adversary (M3) while maintaining the accuracy of the main model (M2).

• To further discard private information in z, we propose to remove the low-energy components of z_S, through which we achieve higher privacy (lower accuracy of M3) at the cost of a small reduction in utility (lower accuracy of M2).

• We show that our methods provide tradeoffs between edge-computation efficiency, privacy, and accuracy. Specifically, with higher edge computation (more layers on the edge device), the client achieves better privacy at the same accuracy. Also, with the same edge computation (a given split layer), removing more components from the signal content provides better privacy at the cost of reduced accuracy.

• We perform extensive experiments on several datasets and show that our methods provide better tradeoffs between accuracy and privacy compared to existing approaches such as adversarial training, despite having no knowledge of the private attribute at training or inference time.
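The null/signal decomposition above can be sketched with NumPy, under the simplifying assumption that the layer following the split is a plain linear map with weight matrix W. The sizes, the use of the SVD, and the top-k magnitude criterion for pruning the signal content are illustrative assumptions, not necessarily the paper's exact procedure.

```python
import numpy as np

rng = np.random.default_rng(0)

# Hypothetical sizes: the first server-side layer maps 64-dim features
# to 32 dims, so W has a nontrivial null space.
n, m = 64, 32
W = rng.standard_normal((m, n))   # weight of the linear layer after the split
z = rng.standard_normal(n)        # feature vector produced by M1

# SVD of W: the rows of Vt form an orthonormal basis of W's row space.
U, s, Vt = np.linalg.svd(W, full_matrices=False)

z_S = Vt.T @ (Vt @ z)   # signal content: projection onto the row space of W
z_N = z - z_S           # null content: the part W maps to zero

# Removing z_N leaves the layer's output unchanged: W @ z == W @ z_S.

# Further pruning: keep only the k signal components with the largest
# coefficients (one plausible notion of "low energy"; a design choice here).
k = 8
coeffs = Vt @ z                          # coordinates of z in the SVD basis
keep = np.argsort(np.abs(coeffs))[-k:]   # indices of the top-k components
z_pruned = Vt[keep].T @ coeffs[keep]     # reduced feature sent to the server
```

Sending `z_S` instead of `z` costs nothing in utility, while sending `z_pruned` trades a small drop in public accuracy for additional privacy, mirroring the tradeoff described in the contributions.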

2. BACKGROUND AND RELATED WORK

We consider the supervised learning setting of Figure 1, where the model M2 ∘ M1 is trained with a set of examples {x_i}_{i=1}^N and their corresponding public labels {y_pub,i}_{i=1}^N. At the inference phase, the client runs M1 on their data and sends the intermediate feature vector z = M1(x) to the server. The goal of private inference is to ensure that z does not contain information about private attributes.

2.1. MEASURING PRIVACY

Several methods have been proposed to measure the privacy leakage of the feature vector. One approach computes the mutual information between the query x and the feature vector z (Kraskov et al., 2004). In practice, measuring mutual information is not tractable for high-dimensional random variables, unless certain assumptions are made about the probability distribution of the random variables of interest. A more practical approach measures privacy based on the reconstruction error, ||x̂ − x||, where x̂ is estimated from z (Mahendran & Vedaldi, 2015). Finally, attribute privacy is defined based on the accuracy of an adversary model that takes z as input and predicts the private label. In this paper, we use the attribute-privacy notion as it applies to a wide range of applications. Assume each example x_i has one or multiple private labels y_pri,i. The adversary trains a separate model M3 on pairs (z_i, y_pri,i), where z_i = M1(x_i), as shown in Figure 1. Note that M3 is used as an aftermath process to evaluate the privacy of the model M2 ∘ M1. The split learning framework should achieve high utility, i.e., the server should be able to accurately infer the public attribute from z, while providing privacy, i.e., z should not contain information about y_pri. We refer to the accuracy of M2 ∘ M1 on y_pub as the public accuracy and the accuracy of M3 ∘ M1 on y_pri as the private accuracy.
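The attribute-privacy evaluation above can be sketched end to end. The data below is synthetic and the adversary is a deliberately simple nearest-centroid classifier standing in for a trained M3; all names and numbers are illustrative, not the paper's experimental setup.

```python
import numpy as np

rng = np.random.default_rng(1)

# Synthetic stand-in: z is the feature vector the client sends;
# y_pri is a private label we pretend leaks through one coordinate.
N, d = 1000, 16
z = rng.standard_normal((N, d))
y_pri = (z[:, 0] > 0).astype(int)

# Minimal adversary "M3": nearest-centroid classifier fit on (z, y_pri).
train, test = slice(0, 800), slice(800, None)
centroids = np.stack(
    [z[train][y_pri[train] == c].mean(axis=0) for c in (0, 1)]
)
dists = np.linalg.norm(z[test][:, None, :] - centroids[None], axis=-1)
y_hat = dists.argmin(axis=1)

# "Private accuracy" in the paper's terminology: the adversary's test
# accuracy on the private attribute. Lower is more private.
private_acc = (y_hat == y_pri[test]).mean()
print(f"adversary accuracy on the private attribute: {private_acc:.2f}")
```

Because the private bit here is encoded directly in one coordinate of z, even this weak adversary scores well above chance; a privacy mechanism applied to z should push this number back toward 0.5.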



Figure 1: Split inference setup. The client runs M1 locally and sends the features z = M1(x) to the server. The server predicts the intended attribute as y_pub = M2(z). An adversary trains a separate model M3 to predict the private attribute as y_pri = M3(z).

