PEEL the Layers and Find Yourself: Revisiting Inference-time Data Leakage for Residual Neural Networks
It addresses privacy risks for users of deep learning models, particularly in computer vision, by revealing a significant vulnerability in popular residual networks, though it is incremental as it builds on prior work on data leakage.
This paper tackles the problem of inference-time data leakage in residual neural networks by proposing a backward feature inversion method called PEEL, which recovers high-quality input features from intermediate outputs, outperforming state-of-the-art methods by an order of magnitude in mean squared error.
This paper explores inference-time data leakage risks of deep neural networks (NNs), where a curious and honest model service provider is interested in retrieving users' private data inputs solely based on the model inference results. Particularly, we revisit residual NNs due to their popularity in computer vision and our hypothesis that residual blocks are a primary cause of data leakage owing to the use of skip connections. By formulating inference-time data leakage as a constrained optimization problem, we propose a novel backward feature inversion method, \textbf{PEEL}, which can effectively recover block-wise input features from the intermediate output of residual NNs. The surprising results in high-quality input data recovery can be explained by the intuition that the output from these residual blocks can be considered as a noisy version of the input and thus the output retains sufficient information for input recovery. We demonstrate the effectiveness of our layer-by-layer feature inversion method on facial image datasets and pre-trained classifiers. Our results show that PEEL outperforms the state-of-the-art recovery methods by an order of magnitude when evaluated by mean squared error (MSE). The code is available at \href{https://github.com/Huzaifa-Arif/PEEL}{https://github.com/Huzaifa-Arif/PEEL}