Privacy-preserving inference in edge computing paradigms encourages the users of machine-learning services to locally run a model on their private input, for a target task, and to share only the model's outputs with the server. We study how a vicious server can reconstruct the input data by observing only the model's outputs, while keeping the target accuracy very close to that of an honest server: by jointly training a target model (to run on the users' side) and an attack model for data reconstruction (to use secretly on the server's side). We present a new measure to assess the reconstruction risk in edge inference. Our evaluations on six benchmark datasets demonstrate that the model's input can be approximately reconstructed from the outputs of a single target inference. We propose a potential defense mechanism that helps to distinguish vicious from honest classifiers at inference time. We discuss open challenges and directions for future studies, and release our code as a benchmark for future work.