Ensembler: Protect Collaborative Inference Privacy from Model Inversion Attack via Selective Ensemble

Dancheng Liu, Chenhui Xu, Jiajie Li, Amir Nassereldine, Jinjun Xiong

TL;DR

Ensembler tackles privacy risks in edge-cloud collaborative inference by making model inversion attacks substantially harder through a selective server ensemble controlled by a private client-side selector. The method trains N diverse server networks together with a selector that activates only P of them, in three stages, coupling a shadow-network concept with a cosine-regularized joint training objective to thwart accurate reconstruction of the client's input while preserving inference accuracy. Empirical results on CIFAR-10/100 and CelebA-HQ show substantial reductions in reconstruction quality (measured by SSIM and PSNR) with modest accuracy loss and a small latency overhead (about 4.8%), outperforming prior approaches such as Shredder. The framework is extensible and compatible with existing perturbation-based defenses, offering a practical path to privacy-preserving collaborative inference in real-world cloud-enabled deployments.
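The TL;DR reports reconstruction quality as SSIM and PSNR. The following is an added example, not code from the paper: a dependency-free implementation of PSNR and of the single-window (global) form of SSIM, applied to a constructed 4x4 grayscale "image" and two constructed reconstructions. The paper's own evaluation most likely uses the usual windowed SSIM; the global form here is a simplification chosen so the example runs on plain lists.

```python
"""PSNR and global SSIM for judging model-inversion reconstructions.

Added example (not the authors' code). Images are flat lists of
grayscale pixel values in [0, max_val]; SSIM here is the single-window
variant (one mean/variance over the whole image), an assumption made
for brevity rather than the paper's exact metric.
"""
import math
from typing import Sequence


def mse(orig: Sequence[float], recon: Sequence[float]) -> float:
    """Mean squared error between two equally sized pixel lists."""
    if len(orig) != len(recon) or not orig:
        raise ValueError("images must be non-empty and of equal size")
    return sum((x - y) * (x - y) for x, y in zip(orig, recon)) / len(orig)


def psnr(orig: Sequence[float], recon: Sequence[float], max_val: float = 255.0) -> float:
    """Peak signal-to-noise ratio in dB; infinite for an exact reconstruction."""
    err = mse(orig, recon)
    if err == 0.0:
        return math.inf
    return 10.0 * math.log10((max_val * max_val) / err)


def ssim_global(orig: Sequence[float], recon: Sequence[float], max_val: float = 255.0,
                k1: float = 0.01, k2: float = 0.03) -> float:
    """Single-window SSIM with the standard stabilising constants C1, C2."""
    n = len(orig)
    if n != len(recon) or n < 2:
        raise ValueError("images must be of equal size with at least two pixels")
    mu_x = sum(orig) / n
    mu_y = sum(recon) / n
    # Sample (n-1) variance and covariance, as in the usual SSIM definition.
    var_x = sum((x - mu_x) * (x - mu_x) for x in orig) / (n - 1)
    var_y = sum((y - mu_y) * (y - mu_y) for y in recon) / (n - 1)
    cov = sum((x - mu_x) * (y - mu_y) for x, y in zip(orig, recon)) / (n - 1)
    c1 = (k1 * max_val) ** 2
    c2 = (k2 * max_val) ** 2
    return ((2 * mu_x * mu_y + c1) * (2 * cov + c2)) / \
           ((mu_x * mu_x + mu_y * mu_y + c1) * (var_x + var_y + c2))


# Constructed sample data: a 4x4 horizontal gradient as the private input.
ORIGINAL = [16.0 * i for i in range(16)]
# A near-perfect attack: the gradient plus alternating +-5 noise.
RECON_GOOD = [v + (5.0 if i % 2 == 0 else -5.0) for i, v in enumerate(ORIGINAL)]
# A defeated attack: the decoder only recovers a flat mid-gray image.
RECON_FLAT = [120.0] * 16


def compare_reconstructions():
    """Return (SSIM, PSNR) for the good and the flat reconstruction."""
    return (
        (ssim_global(ORIGINAL, RECON_GOOD), psnr(ORIGINAL, RECON_GOOD)),
        (ssim_global(ORIGINAL, RECON_FLAT), psnr(ORIGINAL, RECON_FLAT)),
    )


if __name__ == "__main__":
    for label, (s, p) in zip(("noisy copy", "flat gray"), compare_reconstructions()):
        print(f"{label:10s} SSIM={s:.4f} PSNR={p:.2f} dB")
```

Lower SSIM and PSNR for the defended model means the adversary's decoder recovers less of the input; when reading the paper's tables, remember that SSIM is bounded by 1 while PSNR is unbounded and grows only logarithmically with error reduction.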

Abstract

For collaborative inference through a cloud computing platform, it is sometimes essential for the client to shield its sensitive information from the cloud provider. In this paper, we introduce Ensembler, an extensible framework designed to substantially increase the difficulty of conducting model inversion attacks by adversarial parties. Ensembler leverages selective model ensemble on the adversarial server to obfuscate the reconstruction of the client's private information. Our experiments demonstrate that Ensembler can effectively shield input images from reconstruction attacks, even when the client only retains one layer of the network locally. Ensembler significantly outperforms baseline methods by up to 43.5% in structural similarity while only incurring 4.8% time overhead during inference.

Paper Structure (19 sections, 3 equations, 2 figures, 3 tables)

Figures (2)

  • Figure 1: An illustration of (a) collaborative inference, where the client offloads computation to the server; and (b) model inversion attack, where the adversarial server builds a decoder $M_{edge}^{-1}$ to decode the client's input from the intermediate features computed by the client's private network $M_{edge}$.
  • Figure 2: Illustration of the proposed architecture, Ensembler, during inference and training. Unlike traditional CI pipelines, during inference, Ensembler deploys $N$ neural networks on the server and uses a private selector to activate $P$ of the $N$ nets, making the reconstruction of the client network infeasible. During training, Ensembler follows a three-stage training procedure, and the purple elements are trainable parameters of each stage.
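Figure 2 describes the inference-time pipeline: the client runs its private network M_edge, the server hosts N networks, and a private selector activates P of them. The following is an added example, not the authors' code, that simulates that exchange with toy linear "networks" so the message flow is visible. Assumptions not taken from the paper: M_edge and each server net are single linear maps; the server evaluates all N nets on the uploaded features and returns every output, so the selection never leaves the client; the client averages the P selected outputs before taking the argmax.

```python
"""Toy simulation of Ensembler-style selective-ensemble inference.

Added example (not the authors' code). Linear maps stand in for
networks, the server returns all N outputs, and the client averages the
P outputs its private selector chose; those are assumptions made for the
demonstration, not the paper's exact protocol.
"""
import itertools
import math
import random
from typing import List, Optional, Sequence

Vector = List[float]
Matrix = List[List[float]]


def matvec(w: Matrix, x: Sequence[float]) -> Vector:
    """Apply a linear layer w to input x."""
    return [sum(wij * xj for wij, xj in zip(row, x)) for row in w]


class Client:
    """Holds M_edge and the private selector (P of N server-net indices)."""

    def __init__(self, edge_w: Matrix, n_nets: int, p_active: int,
                 selection: Optional[Sequence[int]] = None, seed: int = 0):
        if not 0 < p_active <= n_nets:
            raise ValueError("need 0 < P <= N")
        self.edge_w = edge_w
        rng = random.Random(seed)
        self.selection = sorted(selection if selection is not None
                                else rng.sample(range(n_nets), p_active))

    def features(self, x: Sequence[float]) -> Vector:
        """Intermediate features; this is the only thing the server sees."""
        return matvec(self.edge_w, x)

    def aggregate(self, all_outputs: Sequence[Vector]) -> Vector:
        """Average only the P selected nets' outputs (selection stays local)."""
        chosen = [all_outputs[i] for i in self.selection]
        n_classes = len(chosen[0])
        return [sum(o[c] for o in chosen) / len(chosen) for c in range(n_classes)]


class Server:
    """Hosts the N nets and records every feature vector it observes."""

    def __init__(self, nets: Sequence[Matrix]):
        self.nets = list(nets)
        self.observed: List[Vector] = []

    def run_all(self, feats: Vector) -> List[Vector]:
        self.observed.append(list(feats))
        return [matvec(net, feats) for net in self.nets]

    def candidate_models(self, p_active: int) -> List[tuple]:
        """Every P-subset the server would have to consider, not knowing the selector."""
        return list(itertools.combinations(range(len(self.nets)), p_active))


def collaborative_inference(client: Client, server: Server, x: Sequence[float]) -> int:
    """One round trip: features up, N outputs down, client-side selection."""
    feats = client.features(x)            # uploaded to the server
    all_outputs = server.run_all(feats)   # server computes all N nets
    logits = client.aggregate(all_outputs)
    return max(range(len(logits)), key=logits.__getitem__)


# Constructed toy setup: 2-D inputs, identity M_edge, three server nets
# of which net 1 swaps the two classes, so the choice of selector matters.
EDGE_W: Matrix = [[1.0, 0.0], [0.0, 1.0]]
NETS: List[Matrix] = [[[1.0, 0.0], [0.0, 1.0]],
                      [[0.0, 1.0], [1.0, 0.0]],
                      [[1.0, 0.0], [0.0, 1.0]]]


def demo(x: Sequence[float] = (3.0, 1.0)):
    """Return (prediction with nets {0,2}, prediction with net {1}, subset count)."""
    server = Server(NETS)
    pred_a = collaborative_inference(Client(EDGE_W, 3, 2, selection=[0, 2]), server, x)
    pred_b = collaborative_inference(Client(EDGE_W, 3, 1, selection=[1]), server, x)
    # The server saw identical uploads although the composed models differ.
    assert server.observed[0] == server.observed[1]
    return pred_a, pred_b, len(server.candidate_models(2))


if __name__ == "__main__":
    print(demo())  # different selectors, same upload, C(3,2)=3 candidate subsets
```

The point the simulation makes is that the uploaded features, and therefore the adversary's training data for a decoder, are identical no matter which P nets the selector picks, while the composed end-to-end model the adversary must mimic is one of C(N, P) possibilities; for the paper's real N and P that space is what the shadow-network attacker has to cope with.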