Towards Privacy-Preserving Split Learning: Destabilizing Adversarial Inference and Reconstruction Attacks in the Cloud

Griffin Higgins, Roozbeh Razavi-Far, Xichen Zhang, Amir David, Ali Ghorbani, Tongyu Ge

TL;DR

The paper tackles privacy risks in edge-cloud split learning by formalizing forward inference and backward reconstruction threats and proposing a plug-in Autoencoder-based Delta Protection (ADP) that leverages Class Activation Maps to localize sensitive regions. ADP combines learnable autoencoders with CAM-guided masking (black-out or blur-out) and two delta strategies (Delta_min for known tasks, Delta_max for unknown tasks) to degrade adversarial inference while preserving the primary task, all without retraining the core models. Empirical evaluation on CelebA with VGG16 and ResNet50 shows ADP can cause large adversary performance drops with modest cloud-side losses (and outperform PCA baselines, especially at earlier split positions), demonstrating practical viability for resource-constrained edge devices. The work highlights a favorable privacy-utility trade-off in EC systems and suggests avenues for extending protection strategies, split-position optimization, and broader generalizability studies.
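As an illustration of the CAM-guided masking step the TL;DR describes, the following numpy sketch (added here, not the authors' ADP code) applies either black-out or blur-out to the positions of an edge-side feature map that a sensitive-task Class Activation Map marks as sensitive before the map is sent to the cloud. The CAM threshold, the box-blur kernel size and the sample feature map and CAM are constructed assumptions, not values from the paper.

```python
import numpy as np

def cam_mask(cam, threshold=0.5):
    """Binary mask of sensitive positions: CAM values at or above threshold.
    cam is an (H, W) array assumed normalized to [0, 1]."""
    return cam >= threshold

def box_blur(fmap, k=3):
    """k x k box blur of each channel of a (C, H, W) feature map (edge padding)."""
    c, h, w = fmap.shape
    pad = k // 2
    padded = np.pad(fmap, ((0, 0), (pad, pad), (pad, pad)), mode="edge")
    out = np.zeros(fmap.shape, dtype=float)
    for dy in range(k):
        for dx in range(k):
            out += padded[:, dy:dy + h, dx:dx + w]
    return out / (k * k)

def protect(fmap, cam, method="black-out", threshold=0.5, k=3):
    """Mask the sensitive positions of the feature map leaving the edge device.
    'black-out' zeroes them; 'blur-out' replaces them with a blurred copy so the
    cloud still receives coarse structure for the primary task."""
    mask = cam_mask(cam, threshold)
    if method == "black-out":
        replacement = np.zeros(fmap.shape, dtype=float)
    elif method == "blur-out":
        replacement = box_blur(fmap, k)
    else:
        raise ValueError(f"unknown delta method: {method}")
    out = fmap.astype(float).copy()
    out[:, mask] = replacement[:, mask]   # only CAM-flagged positions change
    return out

def masked_fraction(cam, threshold=0.5):
    """Share of spatial positions that the CAM flags as sensitive."""
    return float(cam_mask(cam, threshold).mean())

# Constructed sample: a 2-channel 4x4 feature map whose sensitive-task CAM
# is hot only in the top-left 2x2 block (assumed values, not from the paper).
SAMPLE_FMAP = np.arange(32, dtype=float).reshape(2, 4, 4)
SAMPLE_CAM = np.zeros((4, 4))
SAMPLE_CAM[:2, :2] = 0.9
```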

Abstract

This work aims to provide both privacy and utility within a split learning framework while considering both forward attribute inference and backward reconstruction attacks. To address this, a novel approach has been proposed, which makes use of class activation maps and autoencoders as a plug-in strategy aiming to increase the user's privacy and destabilize an adversary. The proposed approach is compared with a dimensionality-reduction-based plug-in strategy, which makes use of principal component analysis to transform the feature map onto a lower-dimensional feature space. Our work shows that our proposed autoencoder-based approach is preferred as it can provide protection at an earlier split position over the tested architectures in our setting, and, hence, better utility for resource-constrained devices in edge-cloud collaborative inference (EC) systems.

Paper Structure

This paper contains 24 sections, 6 equations, 6 figures, 6 tables, 2 algorithms.

Figures (6)

  • Figure 1: The typical architecture of the $\mathcal{EC}$ system.
  • Figure 2: Split model primary and sensitive tasks, partially adapted from jacobgilpytorchcam.
  • Figure 3: The general diagram of the proposed novel delta approach, called ADP.
  • Figure 4: Example of backward reconstruction attack on VGG16 convolutional layer 4, with original image shown in (a), reconstructed image in (b), and protected image in (c). The protection is provided using the ADP strategy: $\Delta_{2}^{min}$ and delta method: blur-out along with an offline adversary architecture: VGG16 split and inference adversary architecture: VGG16 split.
  • Figure 5: Panel a (b) (c) shows obtained accuracies by $S$ and $A^{i}$ at bottleneck layer 4 (8) (12) with decreasing AE, the ADP strategy: $\Delta_{2}^{min}$ and delta method: black-out, offline adversary architecture: ResNet50 full and inference adversary architecture: ResNet50 split (measured accuracy per epoch). Panel d (e) (f) shows obtained accuracies by $S$ and $A^{i}$ at bottleneck layer 4 (8) (12) with PCA protection. Inference adversary architecture: ResNet50 split (measured accuracy per component).