Protecting privacy during inference with deep neural networks is possible by adding noise to the activations in the last layers prior to the final classifiers or other task-specific layers. The activations in such layers are known as "features" (or, less commonly, as "embeddings" or "feature embeddings"). The added noise helps prevent reconstruction of the inputs from the noisy features. Lower bounding the variance of every possible unbiased estimator of the inputs quantifies the confidentiality arising from such added noise. Convenient, computationally tractable bounds are available from classic inequalities of Hammersley and of Chapman and Robbins -- the HCR bounds. Numerical experiments indicate that the HCR bounds are on the precipice of being effectual for small neural nets with the data sets, "MNIST" and "CIFAR-10," which contain 10 classes each for image classification. The HCR bounds appear to be insufficient on their own to guarantee confidentiality of the inputs to inference with standard deep neural nets, "ResNet-18" and "Swin-T," pre-trained on the data set, "ImageNet-1000," which contains 1000 classes. Supplementing the addition of noise to features with other methods for providing confidentiality may be warranted in the case of ImageNet. In all cases, the results reported here limit consideration to amounts of added noise that incur little degradation in the accuracy of classification from the noisy features. Thus, the added noise enhances confidentiality without much reduction in the accuracy on the task of image classification.
翻译:在深度神经网络推理过程中,通过在最终分类器或其他任务特定层之前的末层激活中添加噪声,可以实现隐私保护。此类层中的激活通常被称为“特征”(较少情况下称为“嵌入”或“特征嵌入”)。所添加的噪声有助于防止从含噪特征中重构输入数据。通过为所有可能无偏输入估计量的方差建立下界,可以量化此类添加噪声所产生的保密性强度。利用Hammersley以及Chapman与Robbins的经典不等式——即HCR界限——可获得计算高效且便于应用的界值。数值实验表明,对于采用“MNIST”和“CIFAR-10”数据集(均包含10个图像分类类别)的小型神经网络,HCR界限已接近具备实际效力。然而对于在“ImageNet-1000”数据集(包含1000个类别)上预训练的标准深度神经网络“ResNet-18”和“Swin-T”,单独使用HCR界限似乎不足以保证推理过程中输入数据的保密性。针对ImageNet场景,可能需要结合特征加噪与其他保密性增强方法。所有实验均限定在添加噪声量对含噪特征分类精度影响较小的范围内。因此,添加的噪声在基本不降低图像分类任务准确性的前提下,有效增强了系统的保密性。