Volume 32 Issue 1
Jan.  2023
WANG Zhibo, LIU Kaixin, HU Jiahui, REN Ju, GUO Hengchang, YUAN Wei. AttrLeaks on the Edge: Exploiting Information Leakage from Privacy-Preserving Co-inference[J]. Chinese Journal of Electronics, 2023, 32(1): 1-12. doi: 10.23919/cje.2022.00.031

AttrLeaks on the Edge: Exploiting Information Leakage from Privacy-Preserving Co-inference

doi: 10.23919/cje.2022.00.031
Funds:  This work was supported by the National Key R&D Program of China (2021ZD0112803), National Natural Science Foundation of China (62122066, U20A20182, 61872274, 62122095, U19A2067), and the Key R&D Program of Zhejiang Province (2022C01018).
  • Author Bio:

    Zhibo WANG was born in Shandong Province, China, in 1984. He received the B.E. degree in automation from Zhejiang University, China, in 2007, and Ph.D. degree in electrical engineering and computer science from University of Tennessee, Knoxville, USA, in 2014. He is currently a Professor with the School of Cyber Science and Technology, Zhejiang University, China. His current research interests include Internet of things, AI security, and data security & privacy. He is a Senior Member of IEEE and a Member of ACM. (Email: zhibowang@zju.edu.cn)

    Kaixin LIU was born in 1996. He received the B.E. degree in cyber science and engineering from Wuhan University, China, in 2019. He is currently working toward his master's degree at the School of Cyber Science and Engineering, Wuhan University. His research interest focuses on privacy & security in deep learning. (Email: kxliu777@whu.edu.cn)

    Jiahui HU (corresponding author) received the M.S. degree in cyber security from Wuhan University, China, in 2019. She is currently working toward the Ph.D. degree at the School of Cyber Science and Technology, Zhejiang University. Her research interest focuses on federated learning. (Email: jiahuihu@zju.edu.cn)

    Ju REN received the B.S., M.S., and Ph.D. degrees all in computer science from Central South University, Changsha, China, in 2009, 2012, and 2016, respectively. Currently, he is an Associate Professor with the Department of Computer Science and Technology, Tsinghua University, China. His research interests include Internet-of-things, edge computing, and security & privacy. He currently serves/has served as an Associate Editor for IEEE Transactions on Vehicular Technology and Peer-to-Peer Networking and Applications, a Guest Editor for IEEE Wireless Communications, IEEE Transactions on Industrial Informatics, and IEEE Network, and a TPC Member of many international conferences including IEEE INFOCOM’22/21/20/19/18, ICDCS’21, etc. He also served as the General Co-Chair for IEEE BigDataSE’20, the TPC Co-Chair for IEEE BigDataSE’19, a Poster Co-Chair for IEEE MASS’18, a Track Co-Chair for IEEE/CIC ICCC’19, IEEE I-SPAN’18, and VTC’17 Fall, and an active Reviewer for over 20 international journals. He received many best paper awards from IEEE flagship conferences, including IEEE ICC’19, IEEE HPCC’19, etc., and the IEEE TCSC Early Career Researcher Award (2019). He is recognized as a Highly Cited Researcher by Clarivate. (Email: renju@tsinghua.edu.cn)

    Hengchang GUO received the B.E. degree in cyber science and engineering from Wuhan University, China, in 2019. He is currently pursuing his master's degree at the School of Cyber Science and Engineering, Wuhan University. His research interest focuses on AI security. (Email: hc_guo@whu.edu.cn)

    Wei YUAN received the B.E. degree in computer science from Wuhan University, China, in 2019. He is currently pursuing his master's degree at the School of Cyber Science and Engineering, Wuhan University. His research interest focuses on privacy & security in deep learning. (Email: wyuan@whu.edu.cn)

  • Received Date: 2022-03-04
  • Accepted Date: 2022-05-02
  • Available Online: 2022-07-20
  • Publish Date: 2023-01-05
  • Collaborative inference (co-inference) accelerates deep neural network inference by extracting representations on the device and making predictions at the edge server, which, however, might disclose sensitive information about users' private attributes (e.g., race). Although many privacy-preserving mechanisms for co-inference have been proposed to eliminate privacy concerns, leakage of sensitive attributes might still happen during inference. In this paper, we explore privacy leakage against privacy-preserving co-inference by decoding the uploaded representations into a vulnerable form. We propose a novel attack framework named AttrLeaks, which consists of the shadow model of the feature extractor (FE), the susceptibility reconstruction decoder, and the private attribute classifier. Based on our observation that values in the inner layers of the FE (internal representations) are more sensitive to attack, the shadow model is proposed to simulate the FE of the victim in the black-box scenario and generate the internal representations. Then, the susceptibility reconstruction decoder is designed to transform the uploaded representations of the victim into the vulnerable form, which enables the malicious classifier to easily predict the private attributes. Extensive experimental results demonstrate that AttrLeaks outperforms the state of the art in terms of attack success rate.