Privacy for Rescue: A New Testimony Why Privacy is Vulnerable In Deep Models
Ruiyuan Gao, Ming Dun, Hailong Yang, Zhongzhi Luan, Depei Qian

TL;DR
This paper examines privacy vulnerabilities in deep model splitting between edge devices and cloud, critiques existing metrics, and proposes new evaluation methods to better measure privacy protection effectiveness for individual users.
Contribution
The paper provides a formal privacy protection framework, critiques current metrics like MI, and introduces two new metrics for more accurate privacy evaluation in edge-cloud deep learning.
Findings
Existing metrics like Mutual Information are insufficient for single-user privacy assessment.
Proposed new metrics better evaluate privacy protection effectiveness.
Analysis reveals current methods are inadequate despite high MI scores.
Abstract
The huge computation demand of deep learning models and limited computation resources on the edge devices call for the cooperation between edge device and cloud service by splitting the deep models into two halves. However, transferring the intermediate results from the partial models between edge device and cloud service makes the user privacy vulnerable since the attacker can intercept the intermediate results and extract privacy information from them. Existing research works rely on metrics that are either impractical or insufficient to measure the effectiveness of privacy protection methods in the above scenario, especially from the aspect of a single user. In this paper, we first present a formal definition of the privacy protection problem in the edge-cloud system running DNN models. Then, we analyze the state-of-the-art methods and point out the drawbacks of their methods,…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning · Mobile Crowdsensing and Crowdsourcing
