How Breakable Is Privacy: Probing and Resisting Model Inversion Attacks in Collaborative Inference
Rongke Liu, Youwen Zhu, Dong Wang, Gaoning Pan, Xingyu He, Weizhi Meng
Published on arXiv
2501.00824
Model Inversion Attack
OWASP ML Top 10 — ML03
Key Finding
SiftFunnel increases feature reconstruction error by ~30%, reduces mutual information and effective information volume metrics by ≥50%, and cuts edge computational burden by ~20× versus state-of-the-art defenses while maintaining comparable task accuracy.
SiftFunnel
Novel technique introduced
Collaborative inference (CI) improves computational efficiency for edge devices by transmitting intermediate features to cloud models. However, this process inevitably exposes feature representations to model inversion attacks (MIAs), enabling unauthorized data reconstruction. Despite extensive research, there is no established criterion for assessing the difficulty of MIA implementation, leaving a fundamental question unanswered: What factors truly and verifiably determine the attack's success in CI? Moreover, existing defenses lack the theoretical foundation described above, making it challenging to regulate feature information effectively while ensuring privacy and minimizing computational overhead. These shortcomings introduce three key challenges: theoretical gap, methodological limitation, and practical constraint. To overcome these challenges, we propose the first theoretical criterion to assess MIA difficulty in CI, identifying mutual information, entropy, and effective information volume as key influencing factors. The validity of this criterion is demonstrated by using the mutual information neural estimator. Building on this insight, we propose SiftFunnel, a privacy-preserving framework to resist MIA while maintaining usability. Specifically, we incorporate linear and non-linear correlation constraints alongside label smoothing to suppress redundant information transmission, effectively balancing privacy and usability. To enhance deployability, the edge model adopts a funnel-shaped structure with attention mechanisms, strengthening privacy while reducing computational and storage burdens. Experiments show that, compared to state-of-the-art defense, SiftFunnel increases reconstruction error by ~30%, lowers mutual and effective information metrics by ≥50%, and reduces edge burdens by almost 20×, while maintaining comparable usability.
Key Contributions
- First theoretical criterion for assessing model inversion attack difficulty in collaborative inference, identifying mutual information, entropy, and effective information volume as the key determinants of attack success
- SiftFunnel: a privacy-preserving framework using linear and non-linear correlation constraints plus label smoothing to suppress redundant information in transmitted intermediate features
- Funnel-shaped edge model with attention mechanisms that strengthens privacy protection while reducing edge computational and storage overhead by ~20× compared to state-of-the-art defenses
🛡️ Threat Analysis
The paper's primary focus is model inversion attacks in collaborative inference: an adversary intercepts intermediate features transmitted from edge to cloud and reconstructs the original private input data. Both the theoretical analysis (what determines attack success) and the SiftFunnel defense directly target this data reconstruction threat model.