InfoDecom: Decomposing Information for Defending Against Privacy Leakage in Split Inference

Split inference (SI) enables users to access deep learning (DL) services without directly transmitting raw data. However, recent studies reveal that data reconstruction attacks (DRAs) can recover the original inputs from the smashed data sent from the client to the server, leading to significant privacy leakage. While various defenses have been proposed, they often result in substantial utility degradation, particularly when the client-side model is shallow. We identify a key cause of this trade-off: existing defenses apply excessive perturbation to redundant information in the smashed data. To address this issue in computer vision tasks, we propose InfoDecom, a defense framework that first decomposes and removes redundant information and then injects noise calibrated to provide theoretically guaranteed privacy. Experiments demonstrate that InfoDecom achieves a superior utility-privacy trade-off compared to existing baselines.

Key Contributions

• InfoDecom defense framework that decomposes and removes task-redundant information from smashed data (via frequency-domain filtering and Information Bottleneck regularization) before applying calibrated Gaussian noise for theoretically guaranteed privacy.
• Identifies excessive perturbation of redundant information as the root cause of poor utility-privacy trade-offs in existing defenses for shallow client-side models in split inference.
• Demonstrates superior utility-privacy trade-off over SOTA defenses across multiple vision benchmarks, especially under shallow client-model settings.

🛡️ Threat Analysis

Details

Similar Papers