Accurate Split Learning on Noisy Signals

We thank the reviewer for their review. There are some misunderstanding from the reviewer's side and below we try to clarify them.

Comment. The authors dedicate substantial space to showing that the denoising methods preserve accuracy when noise is injected. However, this seems unnecessary. It is intuitive that denoising in noise-injected networks would help maintain accuracy—a rather trivial observation. Variance scales as the square of the variable scaling, so scaling down naturally reduces variance. Similarly, adding random masking during training makes the network more robust to noise. This is intuitive and easy to understand.

Answer. We rather argue that this is not intuitive and nontrivial. Let us only consider the masking case. For the case with linear layer, if ${p||M\odot\bar{X}||_F^2+(1-p)||MX||_2^2\le \sigma^2||M||_F^2}$, then the masking helps to gain a better accuracy for noise injected splitNN. Note that $\sigma\ge0$ denotes the injected noise level, $p$ is the masking ratio, ${\bar{X}\in R^{m\times n}}$ is a matrix obtained by stacking ${X^\top\in R^{1\times n}}$ in each row, and $\odot$ denotes the elementwise product. Similarly, for the nonlinear case, as in Theorem 3.4, if $\sigma$ is large enough, there exists some $\delta\in (0,1)$ such that for $p\in (\delta,1]$, masking helps to gain a better accuracy for noise injected SplitNN. These observations were validated through the numerical results. Results from Figure 2-(d), with the nonlinear loss, reflect Theorem 3.4: $\sigma^2$ must be large for the improvement to be possible. If $\sigma$ is too small (MSE curve for $\sigma=0.3$), the masking does not work; the larger the $\sigma$, the more improvements one can expect by using masking.

Comment. What the authors really want to show is that the proposed methods also helps in improve network privacy (or at least no degrade on it) so that a better trade-off become possible. This is critical but unfortunately, the authors spend so less effort on it. I expected to see quantitative measurements against multiple types of attacks, but only the feature space hijacking attack is covered, while other attacks mentioned in the introduction are ignored. Additionally, quantitative results are lacking.

Answer. We respectfully disagree with the reviewer. Theorem 3.7 from Dwork et al. (2014) shows that postprocessing mechanisms preserve privacy. Based on this result, both scaling and masking proposed in this work will maintain the privacy guarantee of the noise-injected SpliNN. We explicitly mentioned in Lines 104-109 that our work improves the accuracy and stability of noise-injected SplitNN training by proposing two post-processing techniques (i.e., scaling and masking). To the best of our knowledge, we are the first to propose denoising techniques on the Gaussian noise-injected IRs to improve the training accuracy of SplitNN. We wanted to send this message to the reader through rigorous theoretical analysis and our denoising techniques work empirically on diverse datasets (MNIST, FMNIST, CIFAR-10, CIFAR-100, IMDB, Names) and across different network architectures (CNN, RNN, and MLP). The privacy guarantee in this setup is a by-product; this is not the paper's main goal; see Lines 76-77 in the Introduction. Nevertheless, we showed the resilience of our postprocessing techniques on feature-space hijacking attack (FSHA) by Pasquini et al. (2021) in SplitNN and evaluated their attack performance with 2 models and 4 publicly available datasets---CNN for MNIST and Fashion-MNIST, ResNet for CIFAR-10 and ImageNet. Admittedly, we can add other attacks but we feel it will overwhelm the readers. We sincerely expect the reviewer will judge the merit of the work based on what is provided.

We thank the reviewer for an overall positive evaluation. Below we answer the questions and the comments.

Comment. The experimental validation may lack diversity in the datasets used, potentially limiting generalizability.

Answer. We respectfully mention that this is a theoretically driven paper, and note that the reviewer also mentioned ``The theoretical analysis is well-supported by experimental results, enhancing the validity of the proposed methods." In summary, we provided empirical results of our denoising techniques on 6 diverse datasets (MNIST, FMNIST, CIFAR-10, CIFAR-100, IMDB, Names) and across 4 different network architectures (CNN, ResNet, RNN, and MLP). Additionally, we provided FSHA attacks in Split Learning on MNIST, FEMNIST, CIFAR-10, and ImageNet. As the reviewer mentioned, we described in Appendix C that testing our denoising techniques on larger datasets (ImageNet) and more complex DNN architectures is ongoing.

Comment. Comparisons with existing methods could be more robust to highlight the advantages of the proposed techniques.

Answer. To the best of our knowledge, we are the first to propose denoising techniques on the Gaussian noise-injected IRs to improve the training accuracy of SplitNN and theoretically and experimentally show the efficacies of these techniques and also provide privacy guarantee in this setup.

Comment. The paper could benefit from clearer explanations of the denoising algorithms for readers unfamiliar with the underlying concepts.

Answer. In Section 4.1, we discussed this particular issue in the synthetic data setting. For DNN training, we provide the discussion in Section 4.2. Additionally, we show that the random masking technique can improve data privacy in defense against the feature-space hijacking attack (FSHA). We can elaborate more on the denoising techniques in the final version.

Question 1. The literature review could be expanded to include more recent studies, providing a broader context for the proposed techniques.

Answer. We respectfully note that Split learning is a relatively young field. Nevertheless, we mentioned over 30 papers in the Introduction and Related work of our manuscript. To the best of our knowledge, we are the first to propose denoising techniques on the Gaussian noise-injected IRs to improve the training accuracy of SplitNN and theoretically show the privacy guarantee in this setup. We would appreciate it if the reviewer objectively mentions what other recent studies they want us to cite. We will be happy to add them.

Question 2. Additional details on the experimental setup would enhance reproducibility and transparency, allowing other researchers to validate the findings.

Answer. We have provided a detailed experiment setup in Appendix B, Tables 1 and 2, including models, datasets, split configurations, and training hyper-parameters such as optimizer, batch size, learning rate, and weight decay. In addition, we provided our experiment code and scripts in supplementary material for reproducibility.

Question 3. The paper could benefit from more comprehensive discussions on the limitations of the proposed methods and potential future work.

Answer. Please see LIMITATION in the Appendix (Section C, pp.28). We mentioned this explicitly in the main paper; see Section 4.2, Lines 472-473.

Question 4. A more detailed analysis of the impact of varying noise levels on training accuracy could provide deeper insights into the practical applications of the proposed techniques.

Answer. In Appendix, Table 8 we provided the performance of scaling and masking postprocessing against varying Gaussian noise levels, $\sigma$. Similarly, Table 3 in the Appendix shows denoising performance by using Laplacian noise in split learning for MNIST classification task for different Laplacian noise scales, $b=0.3,0.5,0.7$. Figure 8 provides a comparison of tuning various hyper-parameters in noise-injected split learning at a fixed noise level ($\sigma=0.7$) for the MNIST classification task. In Table 9, we provide the privacy bounds for one single forward pass during the SplitNN training, for various noise levels used in our work, without denoising. In Figure 5 (in the main paper) and Figures 10-12 in the Appendix, we provide private data recovery by FSHA on MNIST, FEMNIST, CIFAR-10, and ImageNet for SpliNN, noise-injected SpliNN, and noise-injected SplitNN with postprocessing for high noise level $sigma=0.7$. We would appreciate it if the reviewer objectively mentions what analysis they want to see.

We thank the reviewer for an overall positive evaluation. Below we answer the questions and the comments.

Comment. The theorem and its proof are limited to $L-1$ layers, which restricts the scope.While simulation largely supports the theoretical findings, discrepancies are observed between simulation and practical results. For example, scaling outperforms masking in simulation, though this does not hold consistently in practice.

Answer. Our present theoretical analyses in Section 3.1. and 3.2, consider the split layer at the pre-final layer of an $L$-layer DNN;. Analysis of the split at an arbitrary $i$-th layer, along with the final loss function used for DNN training, requires much more mathematical rigor due to the complex nature of nonlinear activations; we mentioned this in Lines 158-168. Note that the function $\Phi$ is a composite function --- its complicacy increases based on the position of the split layer, nonlinear functions (ReLU, leaky Relu, GeLU, etc.) used in the consequent layers after the split layer, and the final output layer's configuration.

Scaling can improve the accuracy but may not be stable throughout the training; see lines 461--469. In Appendix B, Figure 8(e) and (f), we observed that scaling can perform as well as masking during noisy DNN training when combing scaling and weight decay.

Comment. Performance degradation occurs when the cut layer is set below L-1.

Answer. This is the nature of noisy split learning because when the cut layer is set below $L-1$, more layers on the server side will be affected by the noise from the client side, which harms the final training accuracy and makes it more difficult to recover the original noise-free accuracy. In general, SpliNN considers the client side to contain a major part of the split network.

Comment. The empirical study tests only a limited set of noise-injection parameters (e.g., noise scale = 0.7). Exploring denoising limitations would be informative.

Answer. When the output in $[-1,1]$ noise scale 0.7 is pretty high. We tried $\sigma$ larger than 0.7 but we will not observe any gains. We can add the results if the reviewer wants to see them.

Comment. The empirical study also uses a limited range of cut-layer settings.

Answer. Extending a broader range of cut-layer settings would require a more complex theory investigation of other types of DNN layers such as convolution, recurrent, normalization, pooling, etc. This is out of the scope of this paper, and we want to investigate them in future work.

Comment. The paper evaluates only a limited range of attack types.

Answer. The privacy guarantee in this paper is a by-product; this is not our main goal; see Lines 76-77 in the Introduction. Nevertheless, we showed the resilience of our postprocessing techniques on feature-space hijacking attack (FSHA) by Pasquini et al. (2021) in SplitNN and evaluated their attack performance with 2 models and 4 publicly available datasets---CNN for MNIST and Fashion-MNIST, ResNet for CIFAR-10 and ImageNet. Admittedly, we can add other attacks but we feel it will overwhelm the readers.

Comment. The techniques are demonstrated only in a two-party split learning setup, despite their potential applicability to Split Federated Learning, which has broader real-world use.

Answer. Split learning is a relatively young field. To the best of our knowledge, we are the first to propose denoising techniques on the Gaussian noise-injected IRs to improve the training accuracy of SplitNN. We wanted to send this message to the reader through rigorous theoretical analysis and our denoising techniques work empirically on diverse datasets (MNIST, FMNIST, CIFAR-10, CIFAR-100, IMDB, Names) and across different network architectures (CNN, RNN, and MLP). We respectfully mention that the split federated learning would be completely out of the scope of the present focus of the paper.

Questions 1. The denoising mechanism requires the addition of a tanh function. Could this cause performance degradation? Is it always applicable to general ML tasks?

Answer. No, this does not cause any performance degradation in our experiments. For general ML tasks, when it is not applicable to use a tanh function, there must be another way to restrict the output range to provide a privacy guarantee in DP. Our denoising approaches do not rely on any particular type of restricting method.