Practical Defences Against Model Inversion Attacks for Split Neural Networks
Tom Titcombe, Adam J. Hall, Pavlos Papadopoulos, Daniele Romanini

TL;DR
This paper investigates vulnerabilities of split neural network federated learning systems to model inversion attacks and proposes a simple additive noise defense, demonstrating its effectiveness on MNIST and highlighting the need for combined defenses.
Contribution
The paper introduces a practical additive noise defense against model inversion in split neural networks and analyzes its effectiveness alongside existing methods.
Findings
Additive noise significantly reduces attack success
The defense maintains acceptable accuracy on MNIST
Combined defenses are necessary for full privacy protection
Abstract
We describe a threat model under which a split network-based federated learning system is susceptible to a model inversion attack by a malicious computational server. We demonstrate that the attack can be successfully performed with limited knowledge of the data distribution by the attacker. We propose a simple additive noise method to defend against model inversion, finding that the method can significantly reduce attack efficacy at an acceptable accuracy trade-off on MNIST. Furthermore, we show that NoPeekNN, an existing defensive method, protects different information from exposure, suggesting that a combined defence is necessary to fully protect private user data.
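The threat model and defence summarised above, as an added toy example written for this page (not the paper's own code or experiments): a client holds the layers before the split point and sends cut-layer activations to the server; the server, acting as the attacker, fits an inversion model from a small auxiliary set and tries to reconstruct private inputs. The toy sizes, the single linear cut layer, the ridge-regression inverter and the choice of Laplacian noise are all assumptions made here; the paper only states that the noise is additive.

```python
import numpy as np

D_IN, D_CUT = 64, 32  # input width and cut-layer width (constructed toy sizes)

# Constructed client-side half of a split network: one linear cut layer with fixed
# random weights stands in for the layers the client keeps before the split point.
W_CLIENT = np.random.default_rng(0).normal(scale=1 / np.sqrt(D_IN), size=(D_IN, D_CUT))


def client_forward(x, noise_scale=0.0, rng=None):
    """Return the cut-layer activations the client sends to the server.

    noise_scale > 0 enables the additive-noise defence: the client perturbs the
    activations before transmission. Laplacian noise is an assumption here.
    """
    h = x @ W_CLIENT
    if noise_scale > 0:
        rng = rng or np.random.default_rng()
        h = h + rng.laplace(scale=noise_scale, size=h.shape)
    return h


def fit_inversion(h_aux, x_aux, ridge=1e-3):
    """Attacker-side (server) model: ridge regression mapping activations back to inputs.

    Only a small auxiliary set of (input, activation) pairs is used, modelling a
    server with limited knowledge of the data distribution.
    """
    gram = h_aux.T @ h_aux + ridge * np.eye(h_aux.shape[1])
    return np.linalg.solve(gram, h_aux.T @ x_aux)


def reconstruction_mse(noise_scale, n_aux=500, n_test=500, seed=1):
    """Mean squared error of the server's reconstruction of held-out client inputs.

    Higher MSE means the inversion attack recovers less of the private input.
    """
    rng = np.random.default_rng(seed)
    x_aux = rng.normal(size=(n_aux, D_IN))          # constructed auxiliary data
    inv = fit_inversion(client_forward(x_aux, noise_scale, rng), x_aux)
    x_test = rng.normal(size=(n_test, D_IN))        # constructed private inputs
    x_hat = client_forward(x_test, noise_scale, rng) @ inv
    return float(np.mean((x_hat - x_test) ** 2))


if __name__ == "__main__":
    for s in (0.0, 0.5, 2.0):
        print(f"noise_scale={s:<4} reconstruction MSE={reconstruction_mse(s):.3f}")
```

Inputs have unit variance, so an MSE near 1.0 means the attacker learns essentially nothing; without noise the linear cut layer leaks roughly half the input energy, and the MSE rises towards 1.0 as the noise scale grows, at the cost of noisier activations for the server's own task.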
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning · Stochastic Gradient Optimization Techniques
