TrapMI: A Data Protection Method to Resist Model Inversion Attacks in Split Learning

Abstract

Split learning is a neural network training approach that can overcome the limitations of traditional deep neural networks in edge artificial intelligence environments. It offers the advantage of privacy protection because it transmits intermediate features that are calculated via the client-side model and the client does not need to send the original input data to the server. However, concerns remain regarding data privacy leakage because an attacker can still attempt model inversion attacks based on the intermediate features. We introduce several shortcomings of existing defense techniques for such attacks and present a new defense approach called TrapMI. The proposed method can induce an attacker to generate a class-specific target image that appears different from the original image when inverting the input image. We analyze the performance through quantitative and qualitative evaluations. Furthermore, the AutoGenerator is proposed to overcome the problem whereby the client cannot perform modulation that requires the target image because the class of the input image is unknown during this phase. De-identified images are automatically modulated in the inference phase using this approach. The proposed method was evaluated on two datasets, three classification models, and three split points. Its resistance was measured using a deeper and stronger inverse model than those in previous studies. Overall, the proposed method ensures data privacy protection at a significantly higher level while maintaining a similar task performance to that of existing defense technologies.