PaperHub

NeurIPS 2024, Poster. Average rating 5.3/10 from 3 reviewers (ratings 4, 7, 5; min 4, max 7, std 1.2). Confidence 3.7; Correctness 2.7; Contribution 2.7; Presentation 2.7.

Reimagining Mutual Information for Enhanced Defense against Data Leakage in Collaborative Inference

Submitted: 2024-05-15, Updated: 2024-11-06

Abstract

Keywords: Collaborative inference

Reviews and Discussion

Review (rating: 4)

The collaborative inference enables resource-constrained IoT devices to support deep learning applications without sharing raw data with the cloud server, but previous research has revealed that this approach still leaks input and prediction information from edge devices. To address this vulnerability, the authors propose InfoScissors, a defense strategy designed to minimize the mutual information between a model's inner states and the device's input and outputs. The effectiveness of InfoScissors is evaluated on common datasets like CIFAR10/100 against various attacks, demonstrating its superiority over existing defense strategies that utilize mutual information. The paper also provides theoretical analysis to support the proposed method.

Strengths

  • Study of an important privacy issue in collaborative inference.

Weaknesses

  • The novelty of the proposed method is somewhat limited. The proposed defense InfoScissors relies on the Mutual Information (MI) regularization that has been explored in previous studies like MID. The paper directly adopts a new formulation [38] for the upper bound of MI terms. As a result, the novelty and contribution of this paper appear to be limited. Compared to previous VIB-based approaches, even though the authors manage to find several advantages and provide a theoretical explanation, the challenges are not clear.

  • Limited evaluation of adaptive attacks, making the robustness of the proposed defense InfoScissors doubtful. The only mention of an adaptive attack is the AMC attack, but there are not many details about the adaptive attack. A strong adversary can follow the proposed method to train a surrogate classifier and generator to mimic the victim's data. I suggest the authors clarify the adversary's capacity and thoroughly evaluate the potential privacy breach after the method is known to the adversary.

  • Limited evaluation of benchmarks. The paper only evaluates on simple benchmarks like CIFAR10/100 but not on larger-scale datasets like ImageNet. Evaluating model architectures is also important to demonstrate the scalability of the proposed defense. Also, it seems that the method is only evaluated on vision classification models; is it applicable to generative models or other tasks? If so, what is the cost in efficiency and accuracy?

Questions

See comments above

Limitations

None

Author Response

Thanks for your review and constructive suggestions. We are delighted to answer the questions and address the concerns.

W1.

The novelty of our theoretical analysis is that we analyze why we should choose CLUB rather than other approximations to approximate the upper bound of mutual information between the data and the representations. We do not modify the detailed approximation method (i.e., CLUB), and that is not our focus. Our novelty is that we theoretically analyzed the superiority of applying CLUB over the other mutual information approximations in collaborative inference defense. The multi-stage training procedure derived from the multiple training objectives is also a novelty of our paper. I appreciate that you recognize that we provide a theoretical explanation of the superiority of applying CLUB. When you understand our theoretical explanation, there will be no challenge in choosing CLUB for approximation. However, without our analysis, it will be challenging to achieve the optimal performance-defense trade-off because there is no clue to select the optimal approximation for MI in privacy preservation. Previous works select VIB because VIB is the most widely applied approximation method, but it is not optimal under the collaborative inference privacy-preservation setting.

W2.

Thanks for the constructive suggestion; we will add more details about the adaptive attack, the AMC attack, and the adversary's capability in the revised draft, section 3.2 and section 5.1. In our threat model, the adversary (i.e., the malicious server) is capable of training a surrogate classifier and generator to mimic the victim's data. The primary goal of our defense is to make the collaborative model depend less on the encoder on the server for specific tasks, such that the data and prediction information can be filtered during inference. Under the adaptive attack setting, we enable the adversary to modify the training profiling such that it can trick the collaborative model into relying more on its encoder, thereby extracting more private data information from the encoder's features. In this setting, the adversary is directly confronting the fundamental principles of our defense method, constituting a highly potent form of adaptive attack. The results show that our defense is capable of defending against such a strong adaptive attack.

W3.

Thanks for the constructive advice. To evaluate performance on large-scale datasets with higher dimensions, we conducted more experiments on the mini-ImageNet dataset, which is a subset of ImageNet. We also conducted experiments on the Vision Transformer (ViT-B/16). Due to the time limit, we only got the results on the model completion attack. Here are the results of our defense under different defense levels.

| Model | λ_l | Accuracy (↑) | Attack Accuracy (↓) |
|---|---|---|---|
| ResNet18 | 0 (no defense) | 58.05% | 35.44% |
| ResNet18 | 0.05 | 57.58% | 23.64% |
| ResNet18 | 0.1 | 57.03% | 11.17% |
| ResNet18 | 0.3 | 56.87% | 1.87% |
| ViT-B/16 | 0 (no defense) | 54.85% | 31.24% |
| ViT-B/16 | 0.05 | 53.75% | 18.35% |
| ViT-B/16 | 0.1 | 52.52% | 8.62% |
| ViT-B/16 | 0.3 | 51.83% | 1.56% |

The results for comparison with other baselines can be found in the global response PDF file. It is shown that our method achieves the best defense-performance trade-off under the large-scale dataset and is generalized to the other model architectures. Our defense against the model inversion attacks shows the high potential of our method in generative tasks. We also evaluate our method under the credit fraud detection task on the UCI_Default_Credit with MLPs; the results are shown below.

| λ_l | AUC (↑ to 1) | AUC (↓ to 0.5) |
|---|---|---|
| 0 (no defense) | 0.783 | 0.673 |
| 0.05 | 0.778 | 0.603 |
| 0.1 | 0.755 | 0.536 |
| 0.3 | 0.746 | 0.502 |

It is shown that our method can also achieve a good performance-privacy trade-off on different tasks.

We appreciate your review and constructive suggestions. Please let us know if you have any new questions or concerns.

Comment

I hope our rebuttal addressed your concerns effectively. As we approach the end of the discussion period, we wanted to check if you have any remaining questions or points you'd like to clarify. Your insights are very important to us, and we would appreciate any further feedback you can provide before the discussion period ends.

Review (rating: 7)

This paper considers a setting where two parties (Cloud Server and Edge Device) are collaboratively training a deep model. The threat model considers both inputs and outputs to be private data of the Edge Device that should be protected from the Cloud Server. The authors propose a learning algorithm that is theoretically motivated by a recent method called CLUB [38], and performs better than other baselines on two datasets CIFAR10 and CIFAR100. The main contribution of this paper is that the authors show CLUB offers better optimization results compared to Variational Information Bottleneck (VIB).

Strengths

The paper is well written, easy to follow, and relevant to the ML community. The baselines are studied and elaborated properly. The algorithm is supported both empirically and theoretically and the results suggest state-of-the-art performance. Overall, I am happy about this work and I appreciate the author's hard work and novelty.

Weaknesses

The main weaknesses are motivation of the problem and the evaluations of the algorithm. The paper needs some improvements in this regard. Please see below.

Questions

(1) One important, but totally ignored, aspect of the proposed framework (Figure 1) is that the Cloud Server can run the classifier part (that is \theta^c) and easily discover y without needing any sophisticated attack. Unless the authors argue that the classifier part is not available to the Cloud Server, which is a strong and unrealistic assumption because usually the server is the entity that trains the model and then splits it among the Edge devices. I am struggling to find a real-world application in which the Edge Device has access to the classifier part but the Cloud Server does not have that access. The authors need to clarify and motivate this.

(2) When reading the paper, it is not clear how to distinguish between the training and inference stages. The title mentions “Collaborative Inference”, but the paper is actually more related to “Collaborative Training”. Whether the two parties (Cloud Server and Edge Device) are collaborating in training a model or collaborating in making a prediction (via a trained model in inference mode) makes a huge difference in terms of threat model and evaluation. The authors need to revise the text and make this as clear as possible from the beginning of the paper. It is also suggested to discuss relevance to a work published last year: https://arxiv.org/abs/2310.13384 (Salted Inference: Enhancing Privacy while Maintaining Efficiency of Split Inference in Mobile Computing).

(3) The authors should compare and clarify the contribution of this paper compared to Club [38]. They should explain to what extent the theoretical analysis of this paper is novel compared to what has been already presented in [38].

(4) The paper should show the performance of the work on more complex data types. The two chosen datasets are of similar complexity. Similarly, besides ResNet 18, other model architectures should be examined. It is not clear if this method only works for ConvNets or whether it supports other types of layers.

(5) In Figure 3, it is not clear what the difference is between the different rows. For each method there are three pairs of images and results, but how different are these and in what sense?

Limitations

The main limitation is that the generalization of the method to other complex datasets and model architectures is not explored or discussed.

Author Response

Thanks for your review and constructive suggestions. We are delighted to answer the questions and address the concerns.

W1.

In real life, there are some applications and settings where the classifier or other head models are deployed on the edge. For example, in some medical applications, the encoder on the cloud server will extract the features while the diagnosis results (prediction) are calculated on the wearable devices since the diagnosis results might contain private information of the user. The other practical setting is that the user might need to finetune the classifier or other head models on the device using their private data, which cannot be shared with the server. In such a case, the classifier has to be deployed on the edge device, and the prediction needs to be protected.

W2.

Thanks for your constructive suggestion. We are delighted to explain the settings of our paper. The goal of our method is to preserve user privacy in collaborative inference, and privacy preservation is achieved by manipulating the training phase (i.e., collaborative training). By applying our defense, the model is normalized to filter the private information when extracting features and representations, such that privacy is preserved during the inference phase. We will revise our draft to clarify this point more clearly in the introduction section.

Thanks for your reference. The setting of this paper is similar to our paper, which also realizes inference privacy by normalizing the training procedure. But they only focus on prediction protection. Technically, they add noise to the training label by randomly sampling a class label, which is intuitively correct. Our training method is theoretically derived from the perspective of mutual information, and we provide a theoretical analysis of our defense performance. Even though we are distinguished from the methodology, we still appreciate your suggestion and will include it in the related work.

W3.

CLUB is a paper focusing on approximating the mutual information upper bound, while our paper utilizes the mutual information to defend against privacy leakage. Thus, our contribution is more about privacy preservation, which is different from the goal of CLUB. The novelty of our theoretical analysis is that we analyze why we should choose CLUB rather than other approximations to approximate the upper bound of mutual information between the data and the representations. When you want to minimize the mutual information, there are many choices of approximation. Most of the existing related works apply Variational Information Bottleneck (VIB)[22] since it is the most widely applied approximation of mutual information upper bound. However, we analyze that when defending data privacy, VIB is sub-optimal and could sacrifice too much performance. Following our analysis, we find that CLUB is a better approximation to apply. In other words, we do not modify the detailed approximation method (i.e., CLUB), and that is not our focus and novelty. Our novelty is that we theoretically analyzed the superiority of applying CLUB over the other mutual information approximations in collaborative inference defense. The multi-stage training procedure derived from the multiple training objectives is also a novelty of our paper.

W4.

Thanks for the constructive advice. To evaluate performance on large-scale datasets with higher dimensions, we conducted more experiments on the mini-ImageNet dataset, which is a subset of ImageNet. We also conducted experiments on the Vision Transformer (ViT-B/16). Due to the time limit, we only got the results on the model completion attack. Here are the results of our defense under different defense levels.

| Model | λ_l | Accuracy (↑) | Attack Accuracy (↓) |
|---|---|---|---|
| ResNet18 | 0 (no defense) | 58.05% | 35.44% |
| ResNet18 | 0.05 | 57.58% | 23.64% |
| ResNet18 | 0.1 | 57.03% | 11.17% |
| ResNet18 | 0.3 | 56.87% | 1.87% |
| ViT-B/16 | 0 (no defense) | 54.85% | 31.24% |
| ViT-B/16 | 0.05 | 53.75% | 18.35% |
| ViT-B/16 | 0.1 | 52.52% | 8.62% |
| ViT-B/16 | 0.3 | 51.83% | 1.56% |

The results for comparison with other baselines can be found in the global response PDF file. It is shown that our method achieves the best defense-performance trade-off under the large-scale dataset and is generalized to the other model architectures.

W5.

We apologize for the confusion. Different rows present different defense levels. The bottom row applies the highest defense strength; thus, the reconstructed image is low-quality while the accuracy is sacrificed. We will revise the caption to clarify this.
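The CLUB estimator that the W3 response above chooses as its mutual-information upper bound, shown as an added illustration that is not the paper's or the authors' code: it fits a Gaussian variational conditional q(y|x) to constructed input/feature pairs and evaluates the sampled CLUB bound of Cheng et al. [38] against the closed-form MI of the constructed Gaussian pair, once for a correlated pair (the regularizer has something to penalize) and once for an independent pair (the bound should sit near zero). The linear-Gaussian data, the least-squares fit of q, and all function names are assumptions made here for the demonstration.

```python
import math
import random


def _gauss_logpdf(y, mu, var):
    """log N(y; mu, var) for a scalar y."""
    return -0.5 * math.log(2 * math.pi * var) - (y - mu) ** 2 / (2 * var)


def fit_gaussian_conditional(xs, ys):
    """Variational q(y|x) = N(w*x + b, var), fitted in closed form by least squares.
    In a real defense q is a small network trained on (feature, data) pairs; the
    linear-Gaussian choice is an assumption that keeps this example dependency-free."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    var_x = sum((x - mx) ** 2 for x in xs) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / n
    w = cov / var_x
    b = my - w * mx
    var_res = sum((y - (w * x + b)) ** 2 for x, y in zip(xs, ys)) / n
    return w, b, max(var_res, 1e-6)


def club_estimate(xs, ys, q, seed=0):
    """Sampled CLUB bound: E_p(x,y)[log q(y|x)] - E_p(x)p(y)[log q(y|x)].
    The second expectation uses shuffled y's as the negative (product-of-marginals) samples."""
    w, b, var = q
    n = len(xs)
    positive = sum(_gauss_logpdf(y, w * x + b, var) for x, y in zip(xs, ys)) / n
    shuffled = list(ys)
    random.Random(seed).shuffle(shuffled)
    negative = sum(_gauss_logpdf(y, w * x + b, var) for x, y in zip(xs, shuffled)) / n
    return positive - negative


def make_pairs(n, gain, seed=0):
    """Constructed data: x ~ N(0,1) stands in for the private input, y = gain*x + N(0,1)
    for the representation the server sees. gain=0 makes y independent of x."""
    rng = random.Random(seed)
    xs = [rng.gauss(0.0, 1.0) for _ in range(n)]
    ys = [gain * x + rng.gauss(0.0, 1.0) for x in xs]
    return xs, ys


def true_gaussian_mi(gain):
    """Exact I(x;y) for the constructed pair: 0.5 * log(1 + gain^2) nats."""
    return 0.5 * math.log(1.0 + gain ** 2)


def demo(n=4000):
    """Returns {gain: (club_bound, exact_mi)} for a leaky and a non-leaky representation."""
    out = {}
    for gain in (1.0, 0.0):
        xs, ys = make_pairs(n, gain)
        q = fit_gaussian_conditional(xs, ys)
        out[gain] = (club_estimate(xs, ys, q), true_gaussian_mi(gain))
    return out


if __name__ == "__main__":
    for gain, (club, mi) in demo().items():
        print(f"gain={gain}: CLUB bound={club:.3f} nats, exact MI={mi:.3f} nats")
```

For the correlated pair the bound lands near 1.0 nat while the exact MI is about 0.35 nats, which is the behaviour the bound is meant to have (it never undershoots); training a feature extractor to push this term down is what drives the representation toward the independent case, where the bound collapses toward zero.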

Comment

I’m happy with your answers and would strongly recommend enhancing the presentation of your paper. Including results from additional datasets and different model architectures would be an excellent idea. In particular, including datasets from real-world applications, such as wearables or medical images (as mentioned in your answer on motivation), could show the generalizability of your methodology and its relevance to a wider audience. Overall, I’m satisfied with the work and look forward to seeing these improvements.

Comment

Thanks for your response! We will follow your comments and revise the draft accordingly.

Review (rating: 5)

This paper provides InfoScissors, a learning algorithm that regularizes the model during the training phase. This paper also compares their method with VIB-based methods and evaluates it with multiple attacks.

Strengths

The paper provides the theoretical analysis for the defense method and also compares it with VIB-based methods.

Weaknesses

The author claims that LLMs cannot be handled on edge devices; however, in the evaluation part, they only use CIFAR10 and CIFAR100, both of which can be handled by edge devices. The paper does not measure the method with real large-size datasets.

Questions

No

Limitations

The paper does not measure the method with real large-size datasets.

Author Response

Thanks for the constructive advice. To evaluate performance on large-scale datasets with higher dimensions, we conducted more experiments on the mini-ImageNet dataset, which is a subset of ImageNet. We also conducted experiments on the Vision Transformer (ViT-B/16). Due to the time limit, we only got the results on the model completion attack. Here are the results of our defense under different defense levels.

| Model | λ_l | Accuracy (↑) | Attack Accuracy (↓) |
|---|---|---|---|
| ResNet18 | 0 (no defense) | 58.05% | 35.44% |
| ResNet18 | 0.05 | 57.58% | 23.64% |
| ResNet18 | 0.1 | 57.03% | 11.17% |
| ResNet18 | 0.3 | 56.87% | 1.87% |
| ViT | 0 (no defense) | 54.85% | 31.24% |
| ViT | 0.05 | 53.75% | 18.35% |
| ViT | 0.1 | 52.52% | 8.62% |
| ViT | 0.3 | 51.83% | 1.56% |

The results for comparison with other baselines can be found in the global response PDF file. Our method achieves the best defense-performance trade-off under the large-scale dataset and is generalized to the other model architectures.

Comment

May I kindly inquire if you have any further concerns or questions after reviewing our rebuttal? As the discussion period is nearing its conclusion, your feedback is incredibly valuable to us. I would greatly appreciate it if you could let us know if there are any additional points you'd like to discuss or if our rebuttal satisfactorily addresses your concerns.

Author Response

Here are the results against PMC attacks on mini-ImageNet with different model architectures.

Comment

Dear reviewers,

Thank you for your valuable contributions to the NeurIPS review process! The author-reviewer discussion period has now begun. I’ve noticed that the ratings for this paper are dispersed, and opinions among the reviewers are not fully aligned. This makes our discussion even more crucial to reach a consensus and ensure a fair and thorough evaluation. Please engage actively with the authors during this period. If you have any questions or need further clarification on any points, this is the best time to address them directly with the authors.

best,

AC

Final Decision

Summary

This paper introduces InfoScissors, a defense method to reduce data leakage in collaborative inference by minimizing mutual information between a model’s intermediate states and the edge device's input/output. The authors propose using CLUB, a mutual information approximation, instead of the more commonly used VIB, providing both theoretical analysis and empirical evidence across various datasets.

Decision

I recommend accepting this paper. The approach addresses an important privacy issue and offers a novel defense mechanism that shows improved performance in preserving privacy while maintaining model accuracy. The authors have responded well to reviewer concerns, particularly by expanding their evaluations to larger datasets (e.g., mini-ImageNet) and different model architectures (ViT). Although more real-world dataset evaluations would strengthen the paper, the theoretical contributions and empirical results support the paper’s significance and relevance to the field.

For the final version, I encourage the authors to enhance clarity on adaptive attacks and ensure that additional experiments are included.