Vicious Classifiers: Assessing Inference-time Data Reconstruction Risk in Edge Computing
Mohammad Malekzadeh, Deniz Gunduz

TL;DR
This paper investigates the risk of input data reconstruction by malicious servers during inference in edge computing, proposing measures and defenses to enhance privacy while maintaining model accuracy.
Contribution
It introduces a new measure for inference-time reconstruction risk and proposes a defense mechanism to distinguish malicious from honest classifiers.
Findings
Input data can be approximately reconstructed from model outputs.
The proposed defense can effectively identify vicious classifiers.
The study highlights privacy risks in edge ML services.
Abstract
Privacy-preserving inference in edge computing paradigms encourages the users of machine-learning services to locally run a model on their private input and only share the model's outputs for a target task with the server. We study how a vicious server can reconstruct the input data by observing only the model's outputs while keeping the target accuracy very close to that of an honest server by jointly training a target model (to run at users' side) and an attack model for data reconstruction (to secretly use at servers' side). We present a new measure to assess the inference-time reconstruction risk. Evaluations on six benchmark datasets show the model's input can be approximately reconstructed from the outputs of a single inference. We propose a primary defense mechanism to distinguish vicious versus honest classifiers at inference time. By studying such a risk associated with emerging…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning · Explainable Artificial Intelligence (XAI)
