Split inference (SI) enables users to access deep learning (DL) services without directly transmitting raw data. However, recent studies reveal that data reconstruction attacks (DRAs) can recover the original inputs from the smashed data sent from the client to the server, leading to significant privacy leakage. While various defenses have been proposed, they often result in substantial utility degradation, particularly when the client-side model is shallow. We identify a key cause of this trade-off: existing defenses apply excessive perturbation to redundant information in the smashed data. To address this issue in computer vision tasks, we propose InfoDecom, a defense framework that first decomposes and removes redundant information and then injects noise calibrated to provide theoretically guaranteed privacy. Experiments demonstrate that InfoDecom achieves a superior utility-privacy trade-off compared to existing baselines.

翻译：拆分推理（SI）使得用户无需直接传输原始数据即可访问深度学习（DL）服务。然而，近期研究表明，数据重建攻击（DRA）能够从客户端发送至服务器的中间数据中恢复原始输入，从而导致严重的隐私泄露。尽管已有多种防御方法被提出，但它们通常会导致显著的效用下降，尤其是在客户端模型较浅时。我们发现这一权衡问题的关键原因在于：现有防御方法对中间数据中的冗余信息施加了过度扰动。针对计算机视觉任务中的这一问题，我们提出了InfoDecom防御框架，该框架首先分解并移除冗余信息，随后注入经过校准的噪声以提供理论保证的隐私保护。实验表明，与现有基线方法相比，InfoDecom实现了更优的效用-隐私权衡。