Measuring and Controlling Split Layer Privacy Leakage Using Fisher Information

TL;DR

This paper introduces a Fisher information-based metric to quantify and control privacy leakage in split learning, proposing ReFIL, a method to enforce desired privacy levels while preserving utility.

Contribution

It presents a novel Fisher information-based privacy metric and a technique, ReFIL, to regulate privacy leakage in split learning models.

Findings

Fisher information effectively bounds private data reconstruction error.

ReFIL can enforce user-specified privacy levels.

The approach balances privacy and utility in split learning.

Abstract

Split learning and inference propose to run training/inference of a large model that is split across client devices and the cloud. However, such a model splitting imposes privacy concerns, because the activation flowing through the split layer may leak information about the clients' private input data. There is currently no good way to quantify how much private information is being leaked through the split layer, nor a good way to improve privacy up to the desired level. In this work, we propose to use Fisher information as a privacy metric to measure and control the information leakage. We show that Fisher information can provide an intuitive understanding of how much private information is leaking through the split layer, in the form of an error bound for an unbiased reconstruction attacker. We then propose a privacy-enhancing technique, ReFIL, that can enforce a user-desired level of Fisher information leakage at the split layer to achieve high privacy, while maintaining reasonable utility.