Youwen Zhu

Rongke Liu, Youwen Zhu, Lei Zhou et al.

In collaborative inference (CI), transmitting intermediate representations $Z$ from edge devices enables model inversion attacks (MIA) that reconstruct the original inputs $X$, while existing defenses mainly perturb shallow-layer $Z$ at the cost of utility. We instead ask where an edge-cloud model should be partitioned to obtain intrinsic resistance to MIA. We challenge the intuition that depth is the driver of MIA resistance, and show that depth is sufficient only insofar as it enables a representational transition; this transition is necessary for intrinsic resistance and is marked by an abrupt rise in the lower bound of $H(X|Z)$. Correspondingly, the decisive variance term in the entropy bound shifts from a global variance to the intra-class mean-squared radius $R_c^2$ rather than dimensionality alone, yielding an $R_c^2$-based criterion to locate the transition zone, or identify it post hoc from MIA outcomes, which we term the Golden Partition Zone (GPZ). We further explain how $R_c^2$ evolves during training and show that it can be controlled through the label distribution; we refer to this controllable dynamic behavior as the Neural Vortex, an analysis-backed explanatory concept. Across four representative deep vision models, partitioning at the GPZ yields more than 4x higher reconstruction MSE compared to shallow splits; under entropy and inversion-model enhancements, decision-level representations provide 66 percent stronger resistance than feature-level ones, and we further observe that data type affects both the transition boundary and reconstruction.

Lei Zhou, Youwen Zhu, Qiao Xue et al.

Recently, the enactment of ``right to be forgotten" laws and regulations has imposed new privacy requirements on federated learning (FL). Researchers aim to remove the influence of certain data from the trained model without training from scratch through federated unlearning (FU). While current FU research has shown progress in enhancing unlearning efficiency, it often results in degraded model performance upon achieving the goal of data unlearning, necessitating additional steps to recover the performance of the unlearned model. Moreover, these approaches also suffer from many shortcomings such as high consumption of computational and storage resources. To this end, we propose a streamlined federated unlearning approach (SFU) aimed at effectively removing the influence of the target data while preserving the model performance on the retained data without degradation. We design a practical multi-teacher system that achieves both target data influence removal and model performance preservation by guiding the unlearned model through several distinct teacher models. SFU is both computationally and storage-efficient, highly flexible, and generalizable. We conduct extensive experiments on both image and text benchmark datasets. The results demonstrate that SFU significantly improves time and communication efficiency compared to the benchmark retraining method and significantly outperforms existing SOTA methods. Additionally, we verify the effectiveness of SFU using the backdoor attack.

Lei Zhou, Youwen Zhu

With the introduction of regulations related to the ``right to be forgotten", federated learning (FL) is facing new privacy compliance challenges. To address these challenges, researchers have proposed federated unlearning (FU). However, existing FU research has primarily focused on improving the efficiency of unlearning, with less attention paid to the potential privacy vulnerabilities inherent in these methods. To address this gap, we draw inspiration from gradient inversion attacks in FL and propose the federated unlearning inversion attack (FUIA). The FUIA is specifically designed for the three types of FU (sample unlearning, client unlearning, and class unlearning), aiming to provide a comprehensive analysis of the privacy leakage risks associated with FU. In FUIA, the server acts as an honest-but-curious attacker, recording and exploiting the model differences before and after unlearning to expose the features and labels of forgotten data. FUIA significantly leaks the privacy of forgotten data and can target all types of FU. This attack contradicts the goal of FU to eliminate specific data influence, instead exploiting its vulnerabilities to recover forgotten data and expose its privacy flaws. Extensive experimental results show that FUIA can effectively reveal the private information of forgotten data. To mitigate this privacy leakage, we also explore two potential defense methods, although these come at the cost of reduced unlearning effectiveness and the usability of the unlearned model.