How Breakable Is Privacy: Probing and Resisting Model Inversion Attacks in Collaborative Inference

TL;DR

This paper introduces a theoretical criterion for evaluating the difficulty of model inversion attacks in collaborative inference, and proposes SiftFunnel, a framework that effectively resists such attacks while maintaining system usability.

Contribution

It provides the first theoretical assessment criterion for MIA difficulty in CI and develops SiftFunnel, a privacy-preserving framework with practical defenses and efficiency improvements.

Findings

SiftFunnel increases reconstruction error by ~30%.

Reduces mutual and effective information metrics by ≥50%.

Decreases edge computational burden by nearly 20 times.

Abstract

Collaborative inference (CI) improves computational efficiency for edge devices by transmitting intermediate features to cloud models. However, this process inevitably exposes feature representations to model inversion attacks (MIAs), enabling unauthorized data reconstruction. Despite extensive research, there is no established criterion for assessing the difficulty of MIA implementation, leaving a fundamental question unanswered: \textit{What factors truly and verifiably determine the attack's success in CI?} Moreover, existing defenses lack the theoretical foundation described above, making it challenging to regulate feature information effectively while ensuring privacy and minimizing computational overhead. These shortcomings introduce three key challenges: theoretical gap, methodological limitation, and practical constraint. To overcome these challenges, we propose the first theoretical criterion to assess MIA difficulty in CI, identifying mutual information, entropy, and effective information volume as key influencing factors. The validity of this criterion is demonstrated by using the mutual information neural estimator. Building on this insight, we propose SiftFunnel, a privacy-preserving framework to resist MIA while maintaining usability. Specifically, we incorporate linear and non-linear correlation constraints alongside label smoothing to suppress redundant information transmission, effectively balancing privacy and usability. To enhance deployability, the edge model adopts a funnel-shaped structure with attention mechanisms, strengthening privacy while reducing computational and storage burdens. Experiments show that, compared to state-of-the-art defense, SiftFunnel increases reconstruction error by $\sim$30\%, lowers mutual and effective information metrics by $\geq$50\%, and reduces edge burdens by almost $20\times$, while maintaining comparable usability.