Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

InfoDecom: Decomposing Information for Defending against Privacy Leakage in Split Inference

Ruijun Deng, Zhihui Lu, Qiang Duan

TL;DR

This work tackles privacy leakage in split inference (SI) by addressing the redundancy in smashed data that DRAs exploit. It introduces InfoDecom, a two-stage approach that first removes visually and semantically redundant information via Visual Information Removal and Mutual Information Suppression, then applies closed-form Gaussian noise calibrated by FSInfo to guarantee a target privacy level. The method integrates an Information Bottleneck–inspired objective to minimize private information while preserving task-critical content, and provides a closed-form noise scale tied to the Jacobian of the smashed representation to ensure provable privacy bounds. Empirical results on CIFAR-10 and CelebA show that InfoDecom achieves a superior utility-privacy trade-off compared to state-of-the-art defenses, with ablation studies confirming the contribution of each component. The work advances practical privacy protections for SI in vision tasks and suggests extending redundancy-reduction concepts to other domains.

Abstract

Split inference (SI) enables users to access deep learning (DL) services without directly transmitting raw data. However, recent studies reveal that data reconstruction attacks (DRAs) can recover the original inputs from the smashed data sent from the client to the server, leading to significant privacy leakage. While various defenses have been proposed, they often result in substantial utility degradation, particularly when the client-side model is shallow. We identify a key cause of this trade-off: existing defenses apply excessive perturbation to redundant information in the smashed data. To address this issue in computer vision tasks, we propose InfoDecom, a defense framework that first decomposes and removes redundant information and then injects noise calibrated to provide theoretically guaranteed privacy. Experiments demonstrate that InfoDecom achieves a superior utility-privacy trade-off compared to existing baselines. The code and the appendix are available at https://github.com/SASA-cloud/InfoDecom.

InfoDecom: Decomposing Information for Defending against Privacy Leakage in Split Inference

TL;DR

This work tackles privacy leakage in split inference (SI) by addressing the redundancy in smashed data that DRAs exploit. It introduces InfoDecom, a two-stage approach that first removes visually and semantically redundant information via Visual Information Removal and Mutual Information Suppression, then applies closed-form Gaussian noise calibrated by FSInfo to guarantee a target privacy level. The method integrates an Information Bottleneck–inspired objective to minimize private information while preserving task-critical content, and provides a closed-form noise scale tied to the Jacobian of the smashed representation to ensure provable privacy bounds. Empirical results on CIFAR-10 and CelebA show that InfoDecom achieves a superior utility-privacy trade-off compared to state-of-the-art defenses, with ablation studies confirming the contribution of each component. The work advances practical privacy protections for SI in vision tasks and suggests extending redundancy-reduction concepts to other domains.

Abstract

Split inference (SI) enables users to access deep learning (DL) services without directly transmitting raw data. However, recent studies reveal that data reconstruction attacks (DRAs) can recover the original inputs from the smashed data sent from the client to the server, leading to significant privacy leakage. While various defenses have been proposed, they often result in substantial utility degradation, particularly when the client-side model is shallow. We identify a key cause of this trade-off: existing defenses apply excessive perturbation to redundant information in the smashed data. To address this issue in computer vision tasks, we propose InfoDecom, a defense framework that first decomposes and removes redundant information and then injects noise calibrated to provide theoretically guaranteed privacy. Experiments demonstrate that InfoDecom achieves a superior utility-privacy trade-off compared to existing baselines. The code and the appendix are available at https://github.com/SASA-cloud/InfoDecom.

Paper Structure

This paper contains 25 sections, 16 equations, 6 figures, 6 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. Regularization
  4. Closed-Form Noise Calculation
  5. Motivations
  6. Triple Definitions of Communication
  7. Redundancy in Syntactic Communication
  8. Redundancy in Semantic Communication
  9. Design of InfoDecom
  10. Overview
  11. Visual Information Removal
  12. Mutual Information Suppression
  13. Experiments
  14. Experiment Implementation
  15. The Effect of Information Controller
  16. ...and 10 more sections

Figures (6)

  • Figure 1: A general framework of two-party split inference.
  • Figure 2: Example of semantic-oriented communication.
  • Figure 3: The overview of InfoDecom.
  • Figure 4: Visual information removal for raw input. The raw input is divided into blocks, with each block being transformed to 8$\times$8 DCT coefficients.
  • Figure 5: Model accuracy v.s. MSE on CIFAR-10 and CelebA against DRAs.
  • ...and 1 more figures