Get your Foes Fooled: Proximal Gradient Split Learning for Defense against Model Inversion Attacks on IoMT data

TL;DR

This paper introduces proximal gradient split learning (PSGL), a novel defense mechanism against model inversion attacks on IoMT data, which enhances privacy and recognition accuracy during deep learning training.

Contribution

The paper proposes a new PSGL method that intentionally attacks IoMT data during training, using proximal gradient recovery and fusion strategies to defend against inversion attacks and improve recognition.

Findings

PSGL effectively defends against model inversion attacks.

PSGL improves recognition accuracy by up to 36.9%.

The method outperforms existing noise-based defenses.

Abstract

The past decade has seen a rapid adoption of Artificial Intelligence (AI), specifically the deep learning networks, in Internet of Medical Things (IoMT) ecosystem. However, it has been shown recently that the deep learning networks can be exploited by adversarial attacks that not only make IoMT vulnerable to the data theft but also to the manipulation of medical diagnosis. The existing studies consider adding noise to the raw IoMT data or model parameters which not only reduces the overall performance concerning medical inferences but also is ineffective to the likes of deep leakage from gradients method. In this work, we propose proximal gradient split learning (PSGL) method for defense against the model inversion attacks. The proposed method intentionally attacks the IoMT data when undergoing the deep neural network training process at client side. We propose the use of proximal gradient method to recover gradient maps and a decision-level fusion strategy to improve the recognition performance. Extensive analysis show that the PGSL not only provides effective defense mechanism against the model inversion attacks but also helps in improving the recognition performance on publicly available datasets. We report 14.0$\%$, 17.9$\%$, and 36.9$\%$ gains in accuracy over reconstructed and adversarial attacked images, respectively.