Collaborative inference has been a promising solution to enable resource-constrained edge devices to perform inference using state-of-the-art deep neural networks (DNNs). In collaborative inference, the edge device first feeds the input to a partial DNN locally and then uploads the intermediate result to the cloud to complete the inference. However, recent research indicates that model inversion attacks (MIAs) can reconstruct input data from intermediate results, posing serious privacy concerns for collaborative inference. Existing perturbation and cryptography techniques are inefficient and unreliable in defending against MIAs while performing accurate inference. This paper provides a viable solution, named PATROL, which develops privacy-oriented pruning to balance the privacy, efficiency, and utility of collaborative inference. PATROL takes advantage of the fact that later layers in a DNN can extract more task-specific features. Given limited local resources for collaborative inference, PATROL aims to deploy more layers at the edge based on pruning techniques, in order to enforce task-specific features for inference and reduce task-irrelevant but sensitive features for privacy preservation. To achieve privacy-oriented pruning, PATROL introduces two key components: Lipschitz regularization and adversarial reconstruction training, which increase the reconstruction errors by reducing the stability of MIAs and enhance the target inference model by adversarial training, respectively. On a real-world collaborative inference task, vehicle re-identification, we demonstrate the superior performance of PATROL in defending against MIAs.