On the Importance of Encrypting Deep Features
This addresses privacy risks in deployed machine learning models, particularly for applications like person re-identification, but is incremental as it builds on existing encryption and attack research.
The study tackles model inversion attacks by showing that adversaries can infer sensitive information from feature vectors under practical constraints, and proposes ShuffleBits, a method to encrypt deep features as a plug-and-play module, with experiments on person re-identification models demonstrating successful attacks.
In this study, we analyze model inversion attacks with only two assumptions: feature vectors of user data are known, and a black-box API for inference is provided. On the one hand, limitations of existing studies are addressed by opting for a more practical setting. Experiments have been conducted on state-of-the-art models in person re-identification, and two attack scenarios (i.e., recognizing auxiliary attributes and reconstructing user data) are investigated. Results show that an adversary could successfully infer sensitive information even under severe constraints. On the other hand, it is advisable to encrypt feature vectors, especially for a machine learning model in production. As an alternative to traditional encryption methods such as AES, a simple yet effective method termed ShuffleBits is presented. More specifically, the binary sequence of each floating-point number gets shuffled. Deployed using the one-time pad scheme, it serves as a plug-and-play module that is applicable to any neural network, and the resulting model directly outputs deep features in encrypted form. Source code is publicly available at https://github.com/nixingyang/ShuffleBits.