Partitioning for Intrinsic Model Inversion Resistance in Collaborative Inference

TL;DR

This paper investigates how to partition models in collaborative inference to intrinsically resist model inversion attacks, introducing the concept of the Golden Partition Zone based on intra-class variance.

Contribution

It challenges the depth-based intuition for MIA resistance, proposing an $R_c^2$-based criterion for optimal partitioning and analyzing its evolution during training.

Findings

Partitioning at the GPZ yields over 4x higher MSE in reconstruction.

Decision-level representations are 66% more resistant than feature-level.

Data type influences the transition boundary and reconstruction quality.

Abstract

In collaborative inference (CI), transmitting intermediate representations $Z$ from edge devices enables model inversion attacks (MIA) that reconstruct the original inputs $X$, while existing defenses mainly perturb shallow-layer $Z$ at the cost of utility. We instead ask where an edge-cloud model should be partitioned to obtain intrinsic resistance to MIA. We challenge the intuition that depth is the driver of MIA resistance, and show that depth is sufficient only insofar as it enables a representational transition; this transition is necessary for intrinsic resistance and is marked by an abrupt rise in the lower bound of $H(X|Z)$. Correspondingly, the decisive variance term in the entropy bound shifts from a global variance to the intra-class mean-squared radius $R_c^2$ rather than dimensionality alone, yielding an $R_c^2$-based criterion to locate the transition zone, or identify it post hoc from MIA outcomes, which we term the Golden Partition Zone (GPZ). We further explain how $R_c^2$ evolves during training and show that it can be controlled through the label distribution; we refer to this controllable dynamic behavior as the Neural Vortex, an analysis-backed explanatory concept. Across four representative deep vision models, partitioning at the GPZ yields more than 4x higher reconstruction MSE compared to shallow splits; under entropy and inversion-model enhancements, decision-level representations provide 66 percent stronger resistance than feature-level ones, and we further observe that data type affects both the transition boundary and reconstruction.