StegEdge: Privacy protection of unknown sensitive attributes in edge intelligence via deception

Abstract

Due to the limited capabilities of user devices, such as smart phones and the Internet of Things (IoT), edge intelligence is being recognized as a promising paradigm to enable effective analysis of the data generated by these devices with complex artificial intelligence (AI) models, and it often entails either fully or partially offloading the computation of neural networks from user devices to edge computing servers. To protect users’ data privacy in the process, most existing research assumes that the private (sensitive) attributes of user data are known in advance when designing privacy-protection measures. This assumption is restrictive in real life, and thus limits the application of these methods. Inspired by the research in image steganography and cyber deception, in this paper, we propose StegEdge, a conceptually novel approach to this challenge. StegEdge takes as input the user-generated image and a randomly selected “cover” image that does not pose any privacy concern (e.g., downloaded from the Internet), and extracts the features such that the utility tasks can still be conducted by the edge computing servers, while potential adversaries seeking to reconstruct/recover the original user data or analyze sensitive attributes from the extracted features sent from users to the server will largely acquire information of the cover image. Thus, users’ data privacy is protected via a form of deception. Empirical results on the CelebA and ImageNet datasets show that, at the same level of accuracy for utility tasks, StegEdge reduces the adversaries’ accuracy of predicting sensitive attributes by up to 38% compared with other methods, while also defending against adversaries seeking to reconstruct user data from the extracted features.

Keywords

Cyber deception; Privacy; Internet of Things; Edge computing; Deep learning inference

1. Introduction

As user devices, such as the Internet of Things (IoT), smart phones, and autonomous vehicles, generate an ever-growing amount of data, the demand for greater computational power for data analysis has correspondingly increased over the years. To effectively analyze the data generated by these devices, artificial intelligence (AI) models have been widely deployed and utilized, with typical applications including traffic monitoring, intelligent surveillance [48], and autonomous driving [6]. Due to the great resource requirements of neural network inference, as well as the limited capabilities of user devices in terms of computational power and battery capacity, it is generally impractical to conduct neural network inference locally on such devices [26,33]. Consequently, the paradigm of edge intelligence has been recognized by researchers as a viable means of empowering user devices with the capabilities of AI [26,49]. This paradigm typically involves either fully or partially offloading the execution of neural networks from user devices to edge computing servers, in order to achieve a suitable balance of factors such as cost, latency of transmission, and accuracy of AI models. Specifically, it is estimated by IDC that European corporate spending on edge computing would double from 2020 to 2024, and the AI component of the spending would rise to 20% in 2024 [18]. Currently, there are already multiple commercial machine learning (ML) inference services available on the market, such as Azure Stack Edge (https://azure.microsoft.com/en-us/products/azure-stack/edge/) and AWS IoT Greengrass (https://aws.amazon.com/greengrass/ml/).

Despite the benefits brought by offloading the expensive AI inference to the edge, there arises the problem of protecting the data privacy of users [8], as the original or preprocessed user data are sent to edge computing servers in the paradigm of edge intelligence. To illustrate the severity of potential privacy issues, it is demonstrated that adversaries can reconstruct the raw image from the intermediate features produced by the feature extractor of neural networks [24]. Additionally, private attributes, such as gender and age, can be inferred from such intermediate features derived from images [24,44]. These features are transmitted from user devices to edge computing servers in edge intelligence systems like JointDNN [12], and the transmission therefore poses a great threat to user privacy.

To deal with the privacy issue, researchers have proposed a variety of methods to process the user data. For instance, adversarial learning techniques can be applied such that the sensitive attributes of facial images would not be inferred by adversaries [29]. In addition, attributes of the user images can be manipulated and therefore the data privacy is protected through obfuscation [5].

However, most of the existing approaches explicitly or implicitly assume the symmetric knowledge of sensitive attributes, i.e., such sensitive attributes are known to the privacy-seeking users as well as the adversaries. In reality, it might be impractical to anticipate all the sensitive attributes in advance, and it is infeasible to re-distribute the updated retrained models on user devices when new sensitive attributes are discovered [35]. Additionally, edge computing service providers may lack the incentive to search for or disclose new sensitive attributes due to factors such as cost.

As a generally applicable scenario, we assume that the users have full access to both the architecture and the model weights of the feature extractor offered by the edge computing service provider (ESP), which we call the ESP FE. Consequently, this weak assumption excludes the scenario of ML inference inside user-side trusted execution environment (TEE) enclaves (e.g., Intel SGX) [37], in which users do not have direct access to the feature extractor provided by the ESP. The ESP FE may intentionally or unintentionally cause privacy leakage. The ESP, or eavesdroppers with access to the extracted features, may apply a privacy-intrusive classifier to acquire sensitive information, or try to reconstruct the original data (e.g., images) using a neural network. Users who are pursuing data privacy then train a new feature extractor (User FE) to defend against the extraction of unknown private attributes while maintaining compatibility with the server’s classifier, such that the accuracy of the utility task is not severely impaired. For those users, the following primary difficulties exist:

Asymmetric knowledge of private attributes. Protecting known private attributes can be accomplished with techniques such as adversarial learning. However, such techniques do not directly apply to cases where the users do not have knowledge of the private attributes of interest to adversaries.

Training data disadvantage. Compared with ESPs who naturally have access to ample training data, users seeking to protect their privacy can have limited access to training data, and therefore are inherently in a disadvantageous position.

Limited processing power. As user devices have limited resources in terms of battery capacity and computational power, the neural network run on user devices should be as lightweight as possible.

Fig. 1.

(a) An overview of the threat model for edge intelligence scenarios. (b) An illustration of StegEdge, the proposed scheme for privacy protection inspired by steganography and cyber deception.

Faced with the above practical obstacles to privacy protection, we propose StegEdge (see Fig. 1), a conceptually novel approach to reducing the private information leakage in an edge intelligence setting, which is inspired by the concepts of steganography and deception-based cyber defense. Steganography, by definition, is the practice of concealing secret messages in superficially normal messages or physical objects. For instance, researchers show that a secret image can be hidden in another “cover image” (or “container image”) by using neural networks, without visually raising any suspicion [22]. As for cyber defense achieved by deception [13], it is a widely adopted idea of presenting fabricated false information to potential cyber intruders to divert adversaries and to protect the real systems and information. For instance, false information about the operating system and network topology can be presented to adversaries [19].

To better describe StegEdge, we first make several key assumptions. (a) We assume that, apart from the ESP FE provided to users, the ESP also discloses the server model to users as a gesture of goodwill; we call this model the “benign classifier”. A detailed discussion of this assumption is provided in Section 3. (b) We assume that while the ESP provides a legitimate DNN inference service to users, the ESP or potential eavesdroppers are also interested in conducting two categories of user privacy infringement. In the first category, the adversaries try to recover the original user data from the latent representations they receive. In the second category, the adversaries intend to infer additional attributes or identify extra classes, which are outside the scope of the utility attributes/classes that users specified.

With the above assumptions, StegEdge can be summarized as “hiding” the information related to the utility task in the latent representations of a random cover/container image (see Fig. 1). The cover image can be selected by users such that it does not raise any privacy concerns (e.g., randomly downloaded from the Internet). The StegEdge feature extractor is trained by minimizing the difference between the features to be transmitted to the server and the features extracted from the cover image by the ESP FE in the latent space, while maximizing the accuracy of the utility task. Therefore, the reconstructed image and extracted sensitive attributes by adversaries would be close to the cover image, instead of the real user image, while the utility task is affected as minimally as possible.

Similar to cyber defense achieved by deception, one of the key intuitions behind our design of StegEdge is that, considering the fact that it is generally impossible to completely disentangle [5] the information contained in the transmitted features according to the utility task, deliberately presenting false information is a more feasible approach to privacy protection. In other words, since it is impractical for users to reduce the amount of non-utility information to zero, StegEdge tries to present a “negative” amount of information (false information) to the adversaries.

The main contributions of this paper are summarized as follows:

For ML inference service in the edge computing setting, a new and more realistic threat model is proposed, in which we make less restrictive assumptions than prior work.

Inspired by steganography and cyber deception, we propose StegEdge, an approach to privacy protection of unknown sensitive attributes by leveraging misinformation, which is fundamentally distinct from existing research.

As a proof of concept, StegEdge is implemented with lightweight neural networks, which protects users’ privacy while preserving the accuracy of utility tasks, and is suitable for resource-limited user devices.

Evaluation on the CelebA and ImageNet datasets shows that StegEdge reduces the adversaries’ accuracy of predicting sensitive attributes by up to 38% compared with other methods, while also defending against adversaries seeking to reconstruct user data from the extracted features.

2. Related work

In this section, we present several key related concepts, and clarify the distinction between them and our work.

2.1. Edge computing for DNN inference

Researchers have previously established that compared with full-offloading, improved latency, bandwidth consumption, and energy efficiency can be achieved by splitting the execution of DNN models between user devices and edge servers [45,49]. In this process, users have the opportunity to remove certain sensitive information for better privacy [15].

2.2. Cryptographic methods

Rathee et al. propose CrypTFlow2 [34], a cryptographic framework based on homomorphic encryption (HE) for two-party secure inference of neural networks, such that the server has no access to user data, but is able to compute the correct result of the neural network on behalf of users. The major drawbacks of such HE-based methods are slow computing speed and high communication overhead [30].

In contrast, methods based on trusted execution environments (TEEs) generally provide more efficiency. For instance, with the Intel SGX, Slalom [41] enables users to securely upload data to the server’s enclaves for DNN inference. The efficiency of TEE-based methods comes at the cost of requiring trust in hardware vendors [30]. Furthermore, several severe vulnerabilities have been discovered over the past years, which lead to side-channel attacks against TEEs including Intel SGX and ARM TrustZone [30].

2.3. Information bottleneck

The general idea of using information bottleneck [1] to protect user privacy is to limit the amount of information present in the latent representations transmitted to servers, such that the information related to the utility attributes is retained while other information is removed. Formally, it aims to optimize the following problem $\begin{matrix} (1) & min_{θ} I (X; Z) - β I (Z; Y) \end{matrix}$ where $θ$ represents the relevant parameters (e.g., model parameters of a neural network), $I (X; Z)$ is the mutual information between the user input and the latent representation, and $I (Z; Y)$ is the mutual information between the latent representation and the desired inference results (e.g., classification results). Due to the inherent overlap of information, the objectives of maximizing $I (Z; Y)$ and minimizing $I (X; Z)$ result in a trade-off, which is often represented as a curve called the “information plane” [11] by setting different values to the weighting factor β.

While approaches based on the information bottleneck attempt to minimize the amount of information contained in the latent representation that is irrelevant to the utility task, it is generally impossible to reduce the amount of irrelevant information to zero (thus the information plane). In contrast, StegEdge circumvents this inherent limitation by incorporating misinformation, as further explained in Section 4.3.
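The trade-off in Eq. (1) can be made concrete on a toy discrete example. The sketch below is only an illustration under stated assumptions: the four-valued input, the parity label, and the helper names (`joint_from_pairs`, `mutual_information`, `ib_objective`) are hypothetical and are not part of StegEdge. It compares an encoder that copies the input with one that keeps only the label-relevant bit.

```python
import math

def joint_from_pairs(pairs, n_a, n_b):
    """Empirical joint distribution of equally likely (a, b) pairs."""
    joint = [[0.0] * n_b for _ in range(n_a)]
    for a, b in pairs:
        joint[a][b] += 1.0 / len(pairs)
    return joint

def mutual_information(joint):
    """Mutual information (in nats) of a joint distribution given as a 2-D list."""
    p_a = [sum(row) for row in joint]
    p_b = [sum(col) for col in zip(*joint)]
    return sum(
        p * math.log(p / (p_a[i] * p_b[j]))
        for i, row in enumerate(joint)
        for j, p in enumerate(row)
        if p > 0
    )

def ib_objective(xs, ys, encoder, n_z, beta):
    """Evaluate I(X; Z) - beta * I(Z; Y) for a deterministic encoder (Eq. (1))."""
    zs = [encoder(x) for x in xs]
    i_xz = mutual_information(joint_from_pairs(list(zip(xs, zs)), max(xs) + 1, n_z))
    i_zy = mutual_information(joint_from_pairs(list(zip(zs, ys)), n_z, max(ys) + 1))
    return i_xz - beta * i_zy

# Toy data (assumption): X is uniform over {0, 1, 2, 3}, and the utility label is its parity.
xs = [0, 1, 2, 3]
ys = [x % 2 for x in xs]

identity_score = ib_objective(xs, ys, lambda x: x, n_z=4, beta=1.0)    # Z copies X
parity_score = ib_objective(xs, ys, lambda x: x % 2, n_z=2, beta=1.0)  # Z keeps one bit
```

In this toy case both encoders retain the same amount of label information, but the parity encoder carries less information about X and therefore attains the lower objective value.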

2.4. Targeted protection of sensitive attributes

In [31], Morales et al. propose to apply adversarial learning to suppress, in the latent space, the sensitive attributes that users are aware of, so that these attributes cannot be exploited by adversaries.

StegEdge does not introduce any major obstacle to implementing the above protection of selected attributes on top of it. The two paradigms are orthogonal to a certain extent, and can therefore both be utilized by users to simultaneously protect unknown and known sensitive attributes.

2.5. Adversarial attacks against neural networks

The goal of adversarial attacks against neural networks is typically to modify the input to a model, such that the model incorrectly classifies the input, either as a random label or a label specified by the attacker (called “targeted attack”). For instance, a physical stop sign can be modified such that a neural network used in autonomous driving is not able to correctly recognize it [25].

This paper is similar to adversarial attacks in the sense that they both attempt to make the target neural network make certain “wrong” predictions (i.e., StegEdge tries to make the ESP acquire the sensitive attributes of an irrelevant image instead of the real user image). StegEdge is different from adversarial attacks in the sense that the target neural network’s ability to correctly classify the utility attributes is maintained.

2.6. Image steganography

With methods such as modifying the least significant bits (LSBs) of pixels, as well as transforming an image with neural networks [23], secret information (e.g., images, encrypted messages) can be hidden in cover (container) images, such that the modified image is visually indistinguishable from the cover image. While the goal of steganography is typically secret communication, StegEdge is conceptually similar to steganography in the following sense. The useful information of utility tasks contained in the extracted features is akin to the secret message in steganography, and the latent space information associated with a random cover image in StegEdge is similar to the cover (container) image in steganography. In both cases, only the intended receiver can correctly extract useful information, while others would acquire superficially correct misinformation.
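As a brief illustration of the classical LSB technique mentioned above (not of StegEdge itself, which operates on latent features), the following sketch hides a short bit string in the least significant bits of 8-bit pixel values. The function names and the sample pixel values are hypothetical and chosen only for this example.

```python
def embed_lsb(cover_pixels, secret_bits):
    """Hide one secret bit in the least significant bit of each leading cover pixel."""
    if len(secret_bits) > len(cover_pixels):
        raise ValueError("cover image is too small for the secret message")
    stego = list(cover_pixels)
    for i, bit in enumerate(secret_bits):
        stego[i] = (stego[i] & ~1) | bit  # clear the LSB, then write the secret bit
    return stego

def extract_lsb(stego_pixels, n_bits):
    """Recover the first n_bits secret bits from the stego pixels."""
    return [pixel & 1 for pixel in stego_pixels[:n_bits]]

# Hypothetical 8-bit grayscale pixel values and secret message.
cover = [200, 13, 77, 254, 0, 255]
secret = [1, 0, 1, 1]

stego = embed_lsb(cover, secret)
recovered = extract_lsb(stego, len(secret))
max_change = max(abs(c - s) for c, s in zip(cover, stego))
```

Each pixel changes by at most one intensity level, which is why the modified image remains visually close to the cover image while the intended receiver can still read the message.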

2.7. Task-agnostic privacy protection

In [35], Samragh et al. apply singular value decomposition to protect the privacy of user data against the extraction of unknown sensitive attributes. The authors make the assumption of an honest edge computing service provider, and require the ESP to train the whole model with a privacy-friendly method. In this case, users need to unilaterally believe that the providers are behaving in a bona fide manner and offering the genuine privacy-protecting model, while such potentially restrictive assumptions are not made in this paper.

To similarly protect privacy against the extraction of unknown sensitive attributes, Wu et al. propose to use the ensemble of several known sensitive attributes to defend against the exploitation of unknown sensitive attributes [43]. As the knowledge and training data of such known sensitive attributes may be difficult for users to obtain in practice, we adopt a less restrictive threat model and do not require knowledge of such attributes.

3. Threat model

In this section we discuss the key assumptions made by StegEdge, and the rationale behind them.

Limited trust in ESPs. Some studies assume that the ESPs take privacy protection into consideration during the initial process of model training (e.g., [35]). In other words, the ESP is considered bona fide and cooperative in the protection of users’ data privacy. However, due to factors such as the lack of incentive, the potential discovery of new sensitive attributes, monetary cost, and difficulties in re-distributing updated models [35], the assumption of bona fide ESPs can be limiting. In addition, there also exists the threat of data breaches of ESP servers, as well as potential malicious eavesdroppers with access to the transmitted features.

Asymmetric knowledge of sensitive attributes. While most existing work related to privacy protection in ML inference service makes the assumption that the users are aware of the exact sensitive attributes in advance, this assumption may lead to certain limitations in practice. In this paper, we assume that the knowledge of sensitive attributes is asymmetric for ESPs and users. Specifically, the adversaries try to extract, from the received latent features, sensitive attributes of user data, or attempt to classify user data into new classes that are beyond the knowledge of users. For instance, the ESP may provide users with the service of classifying images into 50 classes, while secretly classifying them into 100 classes to gain more detailed information on user data.

Asymmetric access to training data. As the performance of neural networks significantly relies on the amount of training data, the unequal amount of training data available to users and ESPs is a realistic yet seldom considered factor in the literature. It is highly impractical to make the assumption that users have access to the same amount of training data as ESPs when developing their measures of privacy protection. On top of that, the training data available to ESPs are valuable commercial intellectual properties and are subject to various regulations like GDPR, leaving privacy-seeking users in a disadvantageous position.

Disclosure of the benign classifier. It is reasonable to assume that ESPs disclose the benign classifier to users as a gesture of good faith, while the provider may secretly switch to a privacy-intruding classifier in practice. Alternatively, eavesdroppers or data leaks/breaches on the ESP side would similarly result in the compromise of users’ data privacy. For comparison, in two-party secure inference systems like CrypTFlow2 [34], it is necessary for users to have knowledge of the detailed neural network architecture of the server’s model. However, it is our belief that the assumption of the ESP’s disclosure of the benign classifier can be relaxed, and a “black-box” model can be adopted instead, since black-box attacks against neural networks have been quite successful over the past years [2]. For instance, researchers have shown that users can make a small number of queries to the server’s model, and design a “surrogate” model to substitute the original server’s model [40]. The black-box scenario will be investigated in future work.

Inconspicuous privacy protection. The act of trying to protect privacy per se, could lead to privacy concerns in some cases. For instance, such users could be labeled as “privacy-sensitive” (“have something to hide”), and in turn receive targeted advertisement [38]. As an effective measure against these concerns, a study shows 40% of Internet users report presenting false information about themselves to commercial websites, in order to protect their privacy [36]. In our case, protecting the act of privacy protection is further complicated by the fact that the ESP (as well as eavesdroppers) could easily detect such an act by evaluating the quality of the reconstructed image, when users apply techniques such as replacing non-utility information with noise [14]. To solve this problem, StegEdge adopts deception and makes it less likely for users’ privacy protection measures to raise suspicion.

4. Details of StegEdge

The following two primary factors are considered in the general process of model design for StegEdge (see Fig. 2). First, the StegEdge FE should be as lightweight as possible, so that it can be efficiently run on resource-limited user devices. Second, the architecture of the StegEdge FE would preferably be similar to the ESP FE, and therefore it is easier for privacy-seeking users to design, while having a better chance of maintaining compatibility with the server’s classifier.

For simplicity, we assume that the cover images are drawn from a large fixed set of images that do not cause any privacy concerns to users. Consequently, the probability is low for a potential adversary to find the cover image used by the StegEdge user and subsequently extract more sensitive information. After training, the user randomly selects a cover image, and it is very unlikely that an attacker would correctly guess which cover image was used, even if the attacker knows that StegEdge is being applied. It is possible for users to select a cover image outside the training set, but this could lead to inferior performance.

As a proof of concept, we base our model on ResNet-50 and MobileNet v3 respectively for two scenarios, namely facial attribute classification and image classification. As detailed in Section 5.2, we double the number of CNN filters in the first several layers of the feature extractor, such that the information of both the cover image and the user image can be retained for merging in the subsequent layers. This design is similar to some models in image steganography, e.g., [10].

Fig. 2.

A detailed illustration of StegEdge.

4.1. Models of the ESP and StegEdge

Denote by $x$ the user image after preprocessing operations like cropping and normalization. The output of the ESP feature extractor $E_{e}$ is represented as $\begin{matrix} (2) & z_{e} = E_{e} (x) \end{matrix}$

Operations including the (optional) quantization and compression of $z_{e}$ are omitted for brevity. The benign classifier is defined as $f_{b}$, and the malicious classifier as $f_{m}$. The labels obtained by the ESP FE and the benign classifier are therefore $\begin{matrix} (3) & y_{eb} = f_{b} (z_{e}) = f_{b} (E_{e} (x)) \end{matrix}$ where the subscript $eb$ corresponds to “ESP FE” and “benign”. The label $y_{em}$ can be defined in a similar manner as follows $\begin{matrix} (4) & y_{em} = f_{m} (z_{e}) = f_{m} (E_{e} (x)) \end{matrix}$

Denote by $x_{c}$ the preprocessed, randomly chosen cover image in StegEdge, where the subscript c represents “cover”. The StegEdge feature extractor is denoted as $E_{s}$, and the extracted features $z_{s}$ are given by $\begin{matrix} (5) & z_{s} = E_{s} (x, x_{c}) \end{matrix}$

Given the cover image $x_{c}$, the output of $E_{e}$ is defined as $z_{ce} = E_{e} (x_{c})$. The labels obtained by $E_{s}$ and the malicious classifier $f_{m}$ are written as $\begin{matrix} (6) & y_{sm} = f_{m} (z_{s}) = f_{m} (E_{s} (x, x_{c})) \end{matrix}$ with “sm” representing “StegEdge” and “malicious”. The label $y_{sb}$ can be similarly defined with the benign classifier $f_{b}$.

Suppose the ESP secretly uses a reconstructor neural network $R_{e}$ to reconstruct the user data, and obtains $\begin{matrix} (7) & {\tilde{x}}_{e} = R_{e} (z) \end{matrix}$ where $z$ is either $z_{e}$ or $z_{s}$ . For purposes like validation of performance, the users may develop their own reconstructor $R_{s}$ and have $\begin{matrix} (8) & {\tilde{x}}_{s} = R_{s} (z_{s}) = R_{s} (E_{s} (x, x_{c})) \end{matrix}$

Denote the loss function of the utility task (e.g., cross-entropy) as $\begin{matrix} (9) & L^{util} (y_{b}) = CE (y_{b}, y_{b}^{true}) \end{matrix}$ where $y_{b}^{true}$ is the ground truth. From the perspective of ESPs, define the loss function of the data reconstruction task as $\begin{matrix} (10) & L_{e}^{recon} = D_{i} (x, {\tilde{x}}_{e}) = {[R_{e} (z) - x]}^{2} \end{matrix}$ where the subscript i refers to “image”, and we choose $D_{i}$ to be the mean squared error for simplicity, while more complicated metrics like the VGG perceptual distance [21] can also be adopted. Similar to $L^{util}$, denote the loss for the task of extracting sensitive attributes as $L^{priv} (y_{m})$.

4.2. Loss functions

Therefore, from the perspective of ESPs, the goal is to train the ESP FE, the benign classifier, the malicious classifier, and the ESP reconstructor, such that the reconstructed image is close to the user image, and that the classification of both utility and sensitive attributes is as accurate as possible. The optimization problem is as follows, $\begin{matrix} (11) & min_{E_{e}, R_{e}, f_{b}, f_{m}} E [L_{e} (x)] = E [D_{i} (x, {\tilde{x}}_{e}) + w_{e}^{u} L^{util} + w_{e}^{p} L^{priv}] \end{matrix}$ where $w_{e}^{u}$ and $w_{e}^{p}$ are the weights for the corresponding terms.

For StegEdge, to measure the similarity between $z_{ce}$ and $z_{s}$ in the latent space, we define the distance between them as follows for simplicity, $\begin{matrix} (12) & D_{l} (z_{ce}, z_{s}) = {(z_{ce} - z_{s})}^{2} = {[E_{e} (x_{c}) - E_{s} (x, x_{c})]}^{2} \end{matrix}$ where the subscript l means “latent”. From the perspective of users, the objective is to train the StegEdge FE such that the features extracted by the StegEdge FE are similar to the features extracted from the cover image using the ESP FE, while maintaining the accuracy of the utility task. The loss function for StegEdge is shown below, $\begin{matrix} (13) & min_{E_{s}} E [L_{s} (x, x_{c})] = E [L^{util} + w_{s}^{D} D_{l} (z_{ce}, z_{s})] \end{matrix}$
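For a single sample, the StegEdge loss in Eq. (13) can be sketched as the sum of a cross-entropy term and a weighted latent distance. The code below is a minimal sketch rather than the authors' implementation: the function names are hypothetical, the features are plain Python lists, and averaging the squared difference over feature dimensions (mean squared error) is an assumption about how Eq. (12) is reduced to a scalar.

```python
import math

def cross_entropy(logits, true_class):
    """Cross-entropy of a softmax over logits, computed with the log-sum-exp trick."""
    m = max(logits)
    log_sum_exp = m + math.log(sum(math.exp(v - m) for v in logits))
    return log_sum_exp - logits[true_class]

def latent_distance(z_ce, z_s):
    """D_l in Eq. (12), reduced to a scalar by averaging (an assumption)."""
    return sum((a - b) ** 2 for a, b in zip(z_ce, z_s)) / len(z_ce)

def stegedge_loss(logits_sb, true_class, z_s, z_ce, w_d):
    """L_s = L_util + w_s^D * D_l(z_ce, z_s) for one sample, following Eq. (13)."""
    return cross_entropy(logits_sb, true_class) + w_d * latent_distance(z_ce, z_s)

# Hypothetical values: logits of the benign classifier on z_s, and two-dimensional features.
loss_matched = stegedge_loss([0.0, 0.0], 0, z_s=[0.5, -0.5], z_ce=[0.5, -0.5], w_d=2.0)
loss_shifted = stegedge_loss([0.0, 0.0], 0, z_s=[1.0, 1.0], z_ce=[0.0, 0.0], w_d=2.0)
```

When the transmitted features coincide with the cover-image features, only the utility term remains, so the weight `w_d` controls how strongly the extractor is pushed toward the cover image relative to utility accuracy.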

4.3. An information-theoretic perspective

From a general point of view, consider a universal framework of privacy protection (StegEdge can be regarded as a special case) which transforms the user input X into the latent representation Z. The ESP then classifies Z as the utility attributes $Y_{b}$ , and tries to reconstruct the user data from Z to $R_{e}$ (with a slight abuse of notation). Since users do not have access to the ESP’s reconstructor, the users develop their own reconstructor and obtain $R_{u}$ instead (or $R_{s}$ for StegEdge). Then, we have the Markov chains $X \to Z \to Y_{b}$ and $X \to Z \to R_{u}$ .

Consequently, the typical problem (the Information Bottleneck) of privacy protection is formulated as follows, $\begin{matrix} (14) & min_{E} I (X; Z) - β I (Z; Y_{b}) \end{matrix}$ where E represents the privacy-preserving encoder trained by users.

As directly computing $I (X; Z)$ is generally impractical [44], the standard approach to solving the problem is using variational inference [9], which is to minimize the following loss function $\begin{matrix} (15) & L_{VIB} = E_{D} [E_{z \sim p_{ϕ} (z | x)} [- log (p_{θ} (y_{b} | z))]] + β_{VIB} D_{KL} (p_{ϕ} (z | x) ‖ q (z)) \end{matrix}$ where $E_{D}$ denotes the expectation taken over the entire dataset, $D_{KL}$ is the Kullback-Leibler (KL) divergence, $p_{ϕ} (z | x)$ is an encoder parameterized by ϕ mapping X to Z, $p_{θ} (y_{b} | z)$ is the classifier (often called the “decoder” in the literature) parameterized by θ, and $q (z)$ is a prior distribution (e.g., a Gaussian distribution). This approach is often called the variational information bottleneck (VIB).
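The two terms of Eq. (15) can be sketched for one sample as follows. This is an illustrative sketch under assumptions that the text does not fix: the encoder is taken to be a diagonal Gaussian with mean `mu` and log-variance `log_var`, the prior $q (z)$ is a standard normal distribution (for which the KL divergence has a closed form), and the classification term is supplied as a precomputed negative log-likelihood. All names are hypothetical.

```python
import math

def kl_to_standard_normal(mu, log_var):
    """Closed-form KL( N(mu, diag(exp(log_var))) || N(0, I) )."""
    return 0.5 * sum(m * m + math.exp(lv) - 1.0 - lv for m, lv in zip(mu, log_var))

def vib_loss(nll, mu, log_var, beta_vib):
    """Single-sample estimate of L_VIB: classification NLL plus weighted KL term."""
    return nll + beta_vib * kl_to_standard_normal(mu, log_var)

# An encoder output equal to the prior carries no information about x, so its KL term is zero.
kl_prior = kl_to_standard_normal([0.0, 0.0], [0.0, 0.0])
# Shifting the mean away from zero increases the KL term.
kl_shifted = kl_to_standard_normal([1.0], [0.0])
example_loss = vib_loss(nll=0.3, mu=[1.0], log_var=[0.0], beta_vib=0.1)
```

Increasing `beta_vib` penalizes encoder distributions that deviate from the prior, which compresses the representation at the expense of the classification term.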

An alternative approach to privacy protection proposed by Xiao et al. [44] is to optimize $\begin{matrix} (16) & min_{E} I (R_{u}; X) - β_{1} I (Z; Y_{b}) \end{matrix}$

As the entropies $H (Y_{b})$ and $H (X)$ are constants for a given dataset, and the following equalities hold, $\begin{matrix} (17) & I (Z; Y_{b}) = H (Y_{b}) - H (Y_{b} | Z) \\ (18) & I (R_{u}; X) = H (X) - H (X | R_{u}) \end{matrix}$ the optimization in Eq. (16) is equivalent to $\begin{matrix} (19) & min_{E} - H (X | R_{u}) + β_{1} H (Y_{b} | Z) \end{matrix}$

The inherent limitation of this approach, as mentioned by Xiao et al. [44], is that the conditional entropies $H (X | R_{u})$ and $H (X | Z)$ are not equivalent. According to the data processing inequality [3] and some basic properties of mutual information, it can be obtained that $\begin{matrix} I (X; Z) ⩾ I (X; R_{u}), H (X | R_{u}) ⩾ H (X | Z) \end{matrix}$

Therefore, minimizing $- H (X | R_{u})$ in Eq. (19) can be regarded as a relaxation of minimizing $- H (X | Z)$, and would lead to a certain degree of leakage of sensitive information, since the focus is to protect the latent variable Z transmitted by users to the ESP. This is also the rationale behind our choice of directly optimizing StegEdge with the term $D_{l} (z_{ce}, z_{s})$ in Eq. (13), instead of $D_{i} (R_{s} (z_{s}), x_{c})$, i.e., making $z_{s}$ “similar” to $z_{ce}$ by directly applying the mean squared error to $z_{s}$ and $z_{ce}$, instead of indirectly making the reconstructed image similar to the cover image.
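The data processing inequality invoked above can be checked numerically on a small discrete Markov chain $X \to Z \to R_{u}$. The sketch below is illustrative only: the binary variables and the two noisy channels standing in for the encoder and the reconstructor are hypothetical choices, not quantities from the paper.

```python
import math

def mutual_information(joint):
    """Mutual information (in nats) of a joint distribution given as a 2-D list."""
    p_a = [sum(row) for row in joint]
    p_b = [sum(col) for col in zip(*joint)]
    return sum(
        p * math.log(p / (p_a[i] * p_b[j]))
        for i, row in enumerate(joint)
        for j, p in enumerate(row)
        if p > 0
    )

def entropy(p):
    """Shannon entropy (in nats) of a discrete distribution."""
    return -sum(q * math.log(q) for q in p if q > 0)

def joint_after_channel(p_in, channel):
    """joint[a][b] = p_in[a] * channel[a][b]."""
    return [[p * t for t in row] for p, row in zip(p_in, channel)]

def compose(first, second):
    """Transition matrix of two channels applied one after the other."""
    return [
        [sum(first[i][k] * second[k][j] for k in range(len(second)))
         for j in range(len(second[0]))]
        for i in range(len(first))
    ]

p_x = [0.5, 0.5]
encoder = [[0.9, 0.1], [0.1, 0.9]]        # hypothetical p(z | x)
reconstructor = [[0.8, 0.2], [0.2, 0.8]]  # hypothetical p(r_u | z)

i_xz = mutual_information(joint_after_channel(p_x, encoder))
i_xr = mutual_information(joint_after_channel(p_x, compose(encoder, reconstructor)))
h_x_given_z = entropy(p_x) - i_xz
h_x_given_r = entropy(p_x) - i_xr
```

Because the reconstructor only sees Z, it cannot recover more information about X than Z already contains, so a large $H (X | R_{u})$ does not by itself guarantee a large $H (X | Z)$.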

From the perspective of information theory, the above methods intend to reduce the amount of information in Z that is irrelevant to the utility attributes, and inevitably leave a certain amount of sensitive information remaining. In contrast, StegEdge accepts the fact that it is impractical to completely remove the sensitive information contained in Z, and attempts to apply misinformation (i.e., the cover image) to the users’ advantage. Denote by $X_{c}$ the random variable representing the cover image. Similarly, denote the variable for features extracted by StegEdge as $Z_{s}$. The optimization problem of StegEdge in Eq. (13) can also be interpreted as follows, $\begin{matrix} (20) & min_{E_{s}} - I (X_{c}; Z_{s}) - β_{2} I (Z_{s}; Y_{b}) \end{matrix}$ where $β_{2}$ is a weighting factor. This formulation aims to minimize the mutual information between the user image and the extracted features, while maximizing the mutual information between the cover image and the extracted features, and also maximizing the mutual information between the features and the classification results of the utility attributes.

As $I (Z_{s}; Y_{b}) = H (Y_{b}) - H (Y_{b} | Z_{s})$ , and $H (Y_{b})$ is a constant in the dataset, Eq. (20) is equivalent to $\begin{matrix} (21) & min_{E_{s}} - I (X_{c}; Z_{s}) + β_{2} H (Y_{b} | Z_{s}) \end{matrix}$ where $I (X_{c}; Z_{s})$ is implemented with $D_{l} (z_{ce}, z_{s})$ , and $H (Y_{b} | Z_{s})$ is implemented with the standard loss function for classification (i.e., cross-entropy).

5. Evaluation

In this section, we evaluate StegEdge to answer the following questions:

Is StegEdge able to protect sensitive attributes which are unknown to users, while preserving the ability to classify the utility attributes? (Section 5.4.1, Section 5.4.3)

Is it easy for the ESP to detect the users’ act of privacy protection? (Section 5.4.2, Section 5.4.6)

How are the attributes entangled in the latent space? (Section 5.4.4)

How does StegEdge visually affect the reconstructed images? (Section 5.4.6)

How much additional computation is introduced, and is StegEdge lightweight for user devices? (Section 5.4.7)

What are the impacts of a different amount of training data available to users? (Section 5.4.8)

5.1. Evaluation settings

Datasets. The first dataset used is CelebA [27], which includes facial images of celebrities annotated with 40 attributes. It has 163k, 20k, and 20k images in the training set, validation set, and test set respectively. The images are normalized, cropped, and resized to 128 × 128 according to the practice of TensorFlow (https://github.com/tensorflow/tensor2tensor/blob/master/tensor2tensor/data_generators/celeba.py#L175-L205).

Of all the 40 attributes in the original dataset, we only choose 12 attributes, namely Attractive, Big Nose, Black Hair, Brown Hair, High Cheekbones, Male, Mouth Slightly Open, Smiling, Straight Hair, Wavy Hair, Wearing Lipstick, and Young. The twelve attributes are selected because they are relatively balanced in the dataset (the percentage of positive samples ranges from 18% to 76% in the training set), and therefore we do not need to introduce further complexity to solve issues related to class imbalance. The first eight attributes are chosen as utility attributes, while the remaining four attributes are regarded as sensitive attributes in our experiment.

The second dataset is ImageNet [7], in which 10% of the original train set is used as our validation set from the perspective of users, while the original validation set is used as our test set. After the standard procedure of center cropping to 224 × 224 pixels, the images are then normalized. Of all the 1000 classes in ImageNet, we choose the first 800 classes for the utility task, and the remaining 200 for evaluating the privacy leakage. Thus, the pretrained MobileNet-v3-large model can be used without major modifications.

The training at the users’ side only involves 80% of the training set for CelebA. Similarly, for ImageNet, only the images with labels in any of the first 800 classes are used at the users’ side, while all training images are available at the ESP’s side.

The cover images required by the training of StegEdge are randomly chosen from the users’ portion of the respective training set, with a fixed seed. During testing, the cover images are randomly chosen from all the images in the training set.

Metrics. The metrics for the evaluation of the objective quality of reconstructed images are the Peak Signal-to-Noise Ratio (PSNR), and the Structural Similarity Index Measure (SSIM).

For CelebA, the metrics for classification are the F1 score and the Matthews correlation coefficient (MCC) [4], which is defined as follows, $\begin{matrix} (22) & MCC = \frac{TP \cdot TN - FP \cdot FN}{\sqrt{(TP + FP) (TP + FN) (TN + FP) (TN + FN)}} \end{matrix}$ where TP, TN, FP, and FN refer to the numbers of true positives, true negatives, false positives, and false negatives, respectively. The value of MCC is within the range $[- 1, 1]$ , with values of 1, 0, and −1 respectively suggesting the best, random, and worst predictions.
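As a minimal sketch of Eq. (22), the MCC can be computed from the four confusion-matrix counts as shown below. The function names are hypothetical, and returning 0 when the denominator vanishes is a common convention assumed here rather than something stated in the text.

```python
import math


def confusion_counts(y_true, y_pred):
    """Count TP, TN, FP, FN for binary labels in {0, 1}."""
    pairs = list(zip(y_true, y_pred))
    tp = sum(1 for t, p in pairs if t == 1 and p == 1)
    tn = sum(1 for t, p in pairs if t == 0 and p == 0)
    fp = sum(1 for t, p in pairs if t == 0 and p == 1)
    fn = sum(1 for t, p in pairs if t == 1 and p == 0)
    return tp, tn, fp, fn


def mcc(tp, tn, fp, fn):
    """Matthews correlation coefficient as defined in Eq. (22)."""
    denom = math.sqrt((tp + fp) * (tp + fn) * (tn + fp) * (tn + fn))
    if denom == 0:
        # Assumed convention: an undefined MCC is reported as 0 (random).
        return 0.0
    return (tp * tn - fp * fn) / denom


labels = [1, 1, 0, 0, 1, 0]
preds = [1, 0, 0, 0, 1, 1]
score = mcc(*confusion_counts(labels, preds))
```

A perfect classifier gives a score of 1, a classifier that is always wrong gives −1, and balanced random predictions give 0.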

For ImageNet, the metric for classification is simply the accuracy (percentage of samples correctly classified).

Hardware. All experiments are conducted on a server with two Intel Xeon E5-2678 v3 @2.50GHz CPUs, and four Nvidia RTX 3080 graphics cards. The file reading and writing operations required by benchmarking of performance are conducted in a ramdisk instead of the hard drive.

Methods for comparison. Similar to other relevant work such as Deep Poisoning [14], methods for comparison include,

Gaussian Filter (GF), using the Python library scikit-image (https://scikit-image.org/) with default settings. A total of 40 values of the parameter σ ranging from 0.0 to 40.0 are used. A higher σ corresponds to a higher level of blurring. The filtered images are then processed by the ESP FE at the user side.

Gaussian Noise (GN). For images that are normalized to the range of 0.0 to 1.0, Gaussian noise is added using NumPy (https://numpy.org/), with a total of 46 values of the parameter σ ranging from 0.0 to 0.9. A larger σ leads to more noise. The noisy images are then processed by the ESP FE at the user side.

Deep Poisoning (DP) [14]. The details are described below.
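For the Gaussian noise baseline in the list above, the following is a rough sketch of the perturbation step. It uses only the Python standard library to stay dependency-free, whereas the experiments use NumPy. The even spacing of the 46 values of σ, the fixed seed, and the absence of clipping are assumptions; the function names are hypothetical.

```python
import random


def sigma_grid(start, stop, count):
    """Evenly spaced values including both endpoints (spacing is assumed)."""
    step = (stop - start) / (count - 1)
    return [start + i * step for i in range(count)]


def add_gaussian_noise(pixels, sigma, rng):
    """Add zero-mean Gaussian noise to pixel values normalized to [0.0, 1.0].

    No clipping is applied, since the text does not state whether noisy
    values are clipped back into the valid range.
    """
    return [p + rng.gauss(0.0, sigma) for p in pixels]


rng = random.Random(0)               # hypothetical fixed seed
sigmas = sigma_grid(0.0, 0.9, 46)    # 46 values, i.e., a step of 0.02
image = [0.2, 0.5, 0.8]              # toy flattened "image"
noisy = add_gaussian_noise(image, sigmas[5], rng)
```

With σ = 0.0 the image is returned unchanged, which corresponds to the unmodified-input end of the GN curve.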

While the original paper of Deep Poisoning [14] attempts to make the reconstructed image as noisy as possible, we make a slight modification in our paper and try to make the extracted features as noisy as possible, for better suitability for our threat model and more meaningful comparison with StegEdge. Similar to StegEdge, we define the features extracted by the encoder of DP $E_{p}$ as $\begin{matrix} (23) & z_{p} = E_{p} (x) \end{matrix}$

The objective of the (modified) Deep Poisoning model is to minimize the error of classifying the utility attributes, while maximizing the distance between the features extracted by the DP FE and the features extracted by the ESP FE in the latent space. The loss function to be minimized is as follows, $\begin{matrix} (24) & \begin{matrix} min_{E_{p}} E [L_{t}] & = E [L^{util} - w_{p}^{D} D_{l} (E_{e} (x), z_{p})] \\ & = E [L^{util} - w_{p}^{D} {[E_{e} (x) - z_{p}]}^{2}] \end{matrix} \end{matrix}$

From the perspective of information theory, DP can be equivalently considered as a method based on the information bottleneck, as follows, $\begin{matrix} (25) & min_{E_{p}} I (E_{e} (X); Z_{p}) - β_{p} I (Z_{p}; Y_{b}) \end{matrix}$ where $β_{p}$ is a weighting factor.
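To make the contrast between the two objectives concrete, the sketch below evaluates both per-sample losses on toy feature vectors. The Deep Poisoning form follows Eq. (24). The StegEdge form (utility loss plus $w_{s}^{D}$ times the mean squared error between $z_{ce}$ and $z_{s}$) is an assumption inferred from the surrounding description, and all function names are hypothetical.

```python
def mse(a, b):
    """Mean squared error between two feature vectors (the distance D_l)."""
    return sum((x - y) ** 2 for x, y in zip(a, b)) / len(a)


def deep_poisoning_loss(util_loss, z_esp, z_p, w_p):
    """Eq. (24): a larger distance from the ESP features lowers the loss."""
    return util_loss - w_p * mse(z_esp, z_p)


def stegedge_loss(util_loss, z_ce, z_s, w_s):
    """Assumed form: a larger distance from the cover features raises the loss."""
    return util_loss + w_s * mse(z_ce, z_s)


util_loss = 0.5                  # toy cross-entropy value for the utility task
z_esp = [0.0, 0.0, 0.0, 0.0]     # ESP FE features of the user image
z_ce = [1.0, 1.0, 1.0, 1.0]      # ESP FE features of the cover image
z_out = [1.0, 1.0, 1.0, 1.0]     # features produced by the user-side FE

dp = deep_poisoning_loss(util_loss, z_esp, z_out, w_p=10)
steg = stegedge_loss(util_loss, z_ce, z_out, w_s=1000)
```

The sign in front of the distance term is the key difference: Deep Poisoning is rewarded for moving away from a point without a target, while StegEdge is pulled toward a specific target in the latent space.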

Training settings. The StegEdge model is trained with each value of weight $w_{s}^{D}$ in {0, 100, 500, 1000, 2000, 3000, 4000} for CelebA and ImageNet. The Deep Poisoning model is trained with the weight $w_{p}^{D}$ in {0, 10, 50, 100, 200, 250, 300} for CelebA, and {0, 10, 20, 30, 40, 50, 60} for ImageNet.

For StegEdge and Deep Poisoning, which are based on neural networks, the models are all trained for 30 epochs. The effective batch size for both datasets and both methods is set to 800, since a total of 4 GPUs are used. The Adam optimizer is adopted with default parameters. The initial learning rates are all set to 4e-3 as a relatively conservative choice. Only a few learning rates were tried, with the aim of selecting one that stabilizes training while achieving a tolerable convergence speed. For CelebA, the learning rates for the two methods are reduced by 20% every two epochs. The widely used cosine annealing scheduler is adopted for training on ImageNet. No fine-tuning of the hyper-parameters is conducted for the following two reasons. First, investigating the trade-off of accuracy for the utility and sensitive attributes requires training many models, and will thus make the resource demand of hyper-parameter tuning prohibitively high. Second, this paper primarily serves as a proof of concept, and we demonstrate in our experiments that even without such tuning, StegEdge achieves promising results.
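The two learning-rate schedules described above can be sketched as follows. The initial learning rate, the number of epochs, and the 20% reduction every two epochs come from the text. The minimum learning rate of 0 and the annealing period of 30 epochs for the cosine schedule, as well as the equal split of the batch across the 4 GPUs, are assumptions.

```python
import math

INITIAL_LR = 4e-3
EPOCHS = 30


def step_decay_lr(epoch, initial_lr=INITIAL_LR):
    """CelebA: multiply the learning rate by 0.8 after every two epochs."""
    return initial_lr * 0.8 ** (epoch // 2)


def cosine_annealing_lr(epoch, initial_lr=INITIAL_LR,
                        total_epochs=EPOCHS, min_lr=0.0):
    """ImageNet: standard cosine annealing (min_lr and period are assumed)."""
    cosine = math.cos(math.pi * epoch / total_epochs)
    return min_lr + 0.5 * (initial_lr - min_lr) * (1.0 + cosine)


# Effective batch size of 800 over 4 GPUs, assuming an equal split.
per_gpu_batch = 800 // 4

celeba_schedule = [step_decay_lr(e) for e in range(EPOCHS)]
imagenet_schedule = [cosine_annealing_lr(e) for e in range(EPOCHS)]
```

Both schedules start at 4e-3; the step schedule decays geometrically, while the cosine schedule decays slowly at first and approaches the assumed minimum at the end of training.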

5.2. Implementation details

All models in our experiments are implemented with PyTorch v1.8.2.

The whole models. For CelebA, the final layers (the ones after the average pooling layer) of the ResNet-50 model are replaced with a shared module, which is followed by twelve separate modules (one for each attribute). The shared module consists of a linear layer (2048 × 512), a batchnorm layer, a dropout layer with dropout rate 0.15, and the ReLU activation function. Each module used for a single attribute consists of two linear layers (512 × 256, and 256 × 1), and outputs the classification result for that attribute. Thus, the benign and malicious classifiers ( $f_{b}$ , $f_{m}$ ) are implemented by discarding a certain part of the outputs of the whole classifier.

For ImageNet, the pretrained MobileNet-v3-large model [16] downloaded from torchvision is used as the whole ESP model. Since the model outputs a total of 1000 classes at the final linear layer, the benign classifier $f_{b}$ uses the first 800 output classes while ignoring the remaining 200 classes, and vice versa for the malicious classifier $f_{m}$ .
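The idea of obtaining the benign and malicious classifiers by discarding part of the outputs can be illustrated with a short sketch on a toy logit vector. Taking the prediction as the argmax restricted to the retained outputs is an assumption, and the function names are hypothetical.

```python
def split_logits(logits, num_utility=800):
    """Split the 1000 outputs into the benign and the malicious part."""
    return logits[:num_utility], logits[num_utility:]


def argmax(values):
    """Index of the largest value in a list."""
    return max(range(len(values)), key=values.__getitem__)


logits = [0.0] * 1000
logits[17] = 3.0     # strongest response among the utility classes
logits[950] = 5.0    # strongest response among the sensitive classes

benign, malicious = split_logits(logits)
utility_pred = argmax(benign)               # index within classes 0..799
sensitive_pred = 800 + argmax(malicious)    # index within classes 800..999
```

Because both classifiers share the same forward pass, no retraining is needed to obtain either of them from the whole model.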

Selection of the splitting layer. In edge AI inference systems like JointDNN [12], the splitting point of the AI model inference between the user device and the edge computing server is generally chosen such that a balance between the amount of computation of user devices and the size of transmitted latent features is achieved.

In our evaluation, we select the splitting point of ResNet-50 (for CelebA) such that the aforementioned shared module and the twelve classifiers are used as the ESP’s classifier, while all the preceding layers are used as the ESP feature extractor $E_{e}$ . Given an input image size of 128 × 128 with three color channels, the size of the transmitted latent features is 2048, i.e., 4.17% of the original size, without considering the operations such as quantization and compression.

For the MobileNet model used for ImageNet, the first 14 layers are chosen as the users’ feature extractor, yielding extracted features of size 160 × 7 × 7 given an input size of 224 × 224, i.e., 5.21% of the original size. We believe such selections are consistent with the practice in the relevant literature like [12,17].
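The size ratios quoted for the two splitting points can be checked with a few lines of arithmetic. This is only a sanity check on element counts; like the text, it ignores quantization and compression.

```python
from math import prod


def feature_ratio(feature_shape, image_shape):
    """Number of feature elements divided by number of image elements."""
    return prod(feature_shape) / prod(image_shape)


celeba_ratio = feature_ratio((2048,), (3, 128, 128))
imagenet_ratio = feature_ratio((160, 7, 7), (3, 224, 224))

print(f"CelebA:   {celeba_ratio:.2%}")
print(f"ImageNet: {imagenet_ratio:.2%}")
```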

DP and StegEdge models. For Deep Poisoning, the architectures of the feature extractors for both datasets are the same as the ESP feature extractor. The modified models used by StegEdge FEs based on the original models are presented in Table 1, in which conv(A,B) represents a convolutional layer with A input channels and B output channels, BN is BatchNorm, IN is InstanceNorm, and IR is the inverted residual module used by the MobileNet model. No modification is made to the rest of the layers.

Table 1
Model architectures of the ESP FE (without any modification to the respective original models) and StegEdge FE

ResNet CelebA	StegEdge CelebA	MobileNet ImageNet	StegEdge ImageNet
conv(3, 64), BN, ReLU	conv(3, 128), IN, ReLU	IR(16, 16, 16)	IR(32, 32, 32)
Maxpool	conv(128, 96), IN, ReLU	IR(16, 64, 64)	IR(32, 64, 48)
Layer1	conv(96, 64), IN, ReLU	IR(24, 72, 24)	IR(48, 72, 48)
Layer2	conv(64, 64), IN, ReLU	IR(24, 72, 40)	IR(48, 72, 40)
$\dots$	Layer1	IR(40, 120, 40)	IR(40, 120, 40)
$\dots$	$\dots$	$\dots$	$\dots$

Reconstructors. The model architectures of the reconstructor used by the users and the ESP are listed in Table 2, where “conv” represents deconvolution (transposed convolution), and $N \times K / S ↑$ denotes a conv layer with N filters, a kernel size of K, and an upsampling factor of S. Except for the final one, each conv layer is followed by a batchnorm layer and the ReLU activation function (omitted in the table). The architectures used by users and the ESP are deliberately set to be different, to simulate the fact that users do not have access to the ESP’s reconstructor in reality.

Table 2

Model architectures of the reconstructor used by the users and the ESP

User, CelebA	ESP, CelebA	User, ImageNet	ESP, ImageNet
conv 2048 × 3/2↑	conv 2048 × 3/2↑	conv 160 × 3/2↑	conv 160 × 3/2↑
conv 1024 × 3/2↑	conv 1024 × 3/2↑	conv 140 × 3/1	conv 128 × 3/1
conv 512 × 3/2↑	conv 512 × 3/2↑	conv 128 × 3/2↑	conv 128 × 3/2↑
conv 256 × 3/2↑	conv 256 × 3/1	conv 64 × 3/1	conv 64 × 3/1
conv 128 × 3/2↑	conv 256 × 3/2↑	conv 64 × 3/2↑	conv 64 × 3/2↑
conv 64 × 3/2↑	conv 128 × 3/2↑	conv 32 × 3/1	conv 32 × 3/1
conv 32 × 3/2↑	conv 64 × 3/2↑	conv 32 × 3/2↑	conv 32 × 3/2↑
conv 16 × 3/1	conv 32 × 3/1	conv 16 × 3/2↑	conv 16 × 3/2↑
conv 8 × 3/1	conv 32 × 3/2↑	conv 8 × 3/1	conv 8 × 3/1
	conv 16 × 3/1
	conv 8 × 3/1
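As a consistency check on Table 2, the sketch below multiplies the upsampling factors of each column to confirm that every reconstructor reaches the input resolution of its dataset. It assumes that the 2048-element CelebA feature vector is treated as a 1 × 1 map, that the ImageNet features start at 7 × 7, and that a factor written as “/1” means no upsampling.

```python
def output_size(start_size, upsampling_factors):
    """Spatial size after applying every layer's upsampling factor in order."""
    size = start_size
    for factor in upsampling_factors:
        size *= factor
    return size


# Upsampling factor S of each layer, read column by column from Table 2.
USER_CELEBA = [2, 2, 2, 2, 2, 2, 2, 1, 1]
ESP_CELEBA = [2, 2, 2, 1, 2, 2, 2, 1, 2, 1, 1]
USER_IMAGENET = [2, 1, 2, 1, 2, 1, 2, 2, 1]
ESP_IMAGENET = [2, 1, 2, 1, 2, 1, 2, 2, 1]

sizes = {
    "user_celeba": output_size(1, USER_CELEBA),
    "esp_celeba": output_size(1, ESP_CELEBA),
    "user_imagenet": output_size(7, USER_IMAGENET),
    "esp_imagenet": output_size(7, ESP_IMAGENET),
}
```

Under these assumptions, both CelebA reconstructors reach 128 × 128 and both ImageNet reconstructors reach 224 × 224, even though the layer counts and filter counts differ between the user and the ESP.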

5.3. Training procedures

From the users’ perspective, all the relevant models are trained on 80% of the training set for both datasets, while the ESP’s models are trained on 100% of the training set.

Without loss of generality, the procedures for training the relevant models are summarized as follows,

Train the “whole” model of the modified ResNet mentioned in Section 5.2 (including the ESP FE and the classifiers for 12 attributes). The pretrained MobileNet-v3-large model is downloaded.

The trained ESP classifiers are split into the “benign” part for utility attributes, and the “malicious” part for sensitive attributes.

The ESP reconstructors are trained based on the FEs. The user reconstructors can also be optionally trained.

The StegEdge FE and DP FE are trained, given the benign ESP classifiers.

As users do not have access to the sensitive attributes, training a user reconstructor to simulate the real ESP reconstructor does not provide significant practical benefits. Consequently, from the users’ perspective, we train the StegEdge FE and DP FE, and select the result of the epoch that yields the highest accuracy of the utility task in validation.

Fig. 3.

The weights $w_{s}^{D}$ and $w_{p}^{D}$ of the distance $D_{l}$ in the loss function vs the accuracy of the utility and sensitive attributes for StegEdge and Deep Poisoning on the CelebA and ImageNet datasets.

5.4. Evaluation results

5.4.1. Impacts of $w_{s}^{D}$ and $w_{p}^{D}$

Figure 3 presents the accuracy metrics for both the utility and sensitive attributes under varying weights for the distance $D_{l}$ in the loss function (i.e., $w_{s}^{D}$ , $w_{p}^{D}$ ). Intuitively, when the weight $w_{s}^{D}$ increases for StegEdge, the extracted features of StegEdge and the features extracted by the ESP FE from the cover image are forced to be closer to each other, and consequently StegEdge reduces the information leakage of sensitive attributes unknown to the users, at the cost of simultaneously decreasing the accuracy for the utility attributes.

For Deep Poisoning, a larger $w_{p}^{D}$ puts more emphasis on pushing the features extracted by Deep Poisoning and those extracted by the ESP FE further apart in the latent space (notice the minus sign before $w_{p}^{D}$ in Eq. (24)), i.e., making the Deep Poisoning features more “noisy”. As Deep Poisoning aims to push these extracted features apart without a specific direction, its curves appear uneven in Fig. 3 due to such inherent randomness.

Fig. 4.

Visualization of the extracted features for CelebA and ImageNet. A total of 500 images in the test set are used as user images.

5.4.2. Visualizing latent features

To analyze the characteristics of the extracted features of StegEdge, Deep Poisoning, as well as the ESP FE, and investigate whether inconspicuous privacy protection can be achieved, we resort to the widely adopted methods of t-SNE [42] and the Uniform Manifold Approximation and Projection (UMAP) [28]. The default parameters for both t-SNE and UMAP are adopted. The weights $w_{s}^{D}$ used by StegEdge for CelebA and ImageNet are 1000 and 500 respectively. The weights $w_{p}^{D}$ used by Deep Poisoning for the two datasets are 10 and 30 respectively.

Figure 4 shows the visualization of extracted features for the two datasets. For CelebA, it is evident from the results of both t-SNE and UMAP that the features extracted by Deep Poisoning (orange) are straightforwardly distinguishable from the features extracted by the ESP FE (green), making the act of privacy protection likely to be detected and draw attention if the ESP implements even rudimentary measures to validate the features they receive. In contrast, the extracted features of StegEdge (blue) successfully blend in with the features extracted by the ESP FE. The two distributions largely overlap, rendering the privacy protection process of StegEdge inconspicuous from the perspective of adversaries.

As for ImageNet, the three methods do not show any significant difference in Fig. 4. This can be explained by the fact that the extracted features of CelebA only have 2048 elements and a total of merely 12 attributes are involved, while the extracted features of ImageNet have $160 \times 7 \times 7 = 7840$ elements which are then classified into 1000 classes. Thus, the latent space for the MobileNet model at the splitting layer is more complex. For Deep Poisoning, although users’ act of privacy protection may not be effortlessly recognizable at the level of extracted features, the unique quality of reconstructed images would raise significant suspicion of ESPs, as illustrated in Section 5.4.6.

5.4.3. Utility-privacy trade-off

Instead of a fixed single trade-off between privacy protection and the accuracy of utility tasks, StegEdge aims to provide users with the opportunity to balance privacy protection and the accuracy of utility tasks based on their own preferences. The utility-privacy trade-off for the four methods is illustrated in Fig. 5. As shown in the two subfigures, the traditional methods of adding Gaussian noise and Gaussian filtering do not offer adequate protection of users’ data privacy, which is also verified by the visual inspection in Fig. 8 and Fig. 9 of Section 5.4.6.

For the two datasets, StegEdge generally yields the lowest leakage of sensitive information, i.e., the best Pareto front. In Fig. 5(a), at the same level of utility accuracy, especially in the range of 0.6 to 0.7 which might be considered the most useful in practice, StegEdge achieves the best performance. Note that in each subfigure of Fig. 5, the rightmost part of the lines for GN and GF corresponds to zero modification to the original images. Consequently, it is obvious that, in the extreme case of ignoring privacy protection to gain the highest utility accuracy, the utility accuracy achieved by StegEdge is very close to that of conducting classification directly on unmodified images.

As users do not have access to the “unknown” sensitive attributes, the validation step for the StegEdge and Deep Poisoning models can only select models by utility accuracy and offers little control over the leakage of sensitive attributes; therefore, their curves in Fig. 5 are not smooth. The curves of Deep Poisoning are additionally rougher, since it tries to push the features extracted by the Deep Poisoning FE and those extracted by the ESP FE apart in the latent space without a specific direction, leading to certain randomness as mentioned above.

Fig. 5.

The utility-privacy tradeoff for different methods.

5.4.4. Correlation of attributes

To investigate the inherent overlap of information related to each attribute (i.e., entanglement [5]) in the latent space, we conduct an experiment on the selected twelve attributes of the CelebA dataset. To that end, we train the ResNet model (with the aforementioned classifiers) 12 times. Each time, the model is trained for 10 epochs and only a single attribute is used in the calculation of the loss function (cross-entropy). After that, the model parameters of the feature extractor and the classifier for the single attribute are frozen, and the classifier modules for the remaining 11 attributes are trained for 3 epochs. Finally, the test set is used to obtain the resultant accuracy for all of the 12 attributes.

In Fig. 6, we illustrate how much the training of one attribute leads to the accuracy improvement of other attributes, as an indirect way of showing how the information of these attributes overlaps in the latent space. For instance, the final box of the top row represents how the training of the attribute Attractive increases the accuracy of Young compared with a random guess (i.e., 50% accuracy). By comparing any two rows, we can acquire a qualitative understanding of the correlation between attributes. For example, by comparing the 8th and 9th boxes in the first column, it can be seen that the attribute Straight Hair is more correlated with the attribute Attractive than Smiling.

Fig. 6.

An empirical illustration of how well the classifiers for the 12 attributes behave compared with random guess (i.e., 50% accuracy), when the feature extractor is trained for only a single attribute (each row).

Fig. 7.

For StegEdge, the percentages of sensitive attributes classified as those of the cover images and those of the user images by the ESP’s malicious classifiers.

5.4.5. Classification and deception

We evaluate whether StegEdge makes the ESP’s malicious classifiers wrongly classify their inputs as the sensitive attributes of the cover images, and present the classification results of sensitive attributes in Fig. 7. As can be seen in Fig. 7(a), for CelebA, at a lower level of utility accuracy, a higher percentage of the sensitive attributes are classified as those of the cover images. Such a phenomenon is less significant for ImageNet in Fig. 7(b), since the latent space of MobileNet at the splitting layer is more complex as mentioned before. Compared with the case of CelebA shown in Fig. 8, the complexity of the latent space for MobileNet (corresponding to ImageNet) can also be understood in Fig. 9, in which the reconstructor is able to render images of relatively rich details given the extracted features.

5.4.6. Image reconstruction

Fig. 8.

Visual comparison of the relevant images of all methods for CelebA.

Fig. 9.

Visual comparison of the relevant images of all methods for ImageNet.

Visualization of the images related to all the methods is illustrated in Fig. 8 and Fig. 9. It is noticeable that given a higher weight $w_{s}^{D} = 3000$ for the distance in the latent space, StegEdge makes the ESP’s reconstructed image visually closer to the cover image compared with the setting of $w_{s}^{D} = 100$ . Note that the utility attributes used in our experiments are Attractive, Big Nose, Black Hair, Brown Hair, High Cheekbones, Male, Mouth Slightly Open, and Smiling, while the sensitive attributes considered include Straight Hair, Wavy Hair, Wearing Lipstick, and Young. By comparing the first three columns in Fig. 8, it can be easily confirmed that the utility attributes of Black Hair, Brown Hair, Male, and Mouth Slightly Open are preserved by StegEdge, while the sensitive attribute of hairstyle is barely recognizable in the reconstructed image.

In Fig. 8, it is obvious that the reconstructed images of Deep Poisoning are distinct from those of other methods, and could potentially raise the ESP’s suspicion. For StegEdge, the reconstructed images appear relatively natural, and achieve the objective of inconspicuous privacy protection. As can be seen in Fig. 8, Deep Poisoning leads to reconstructed images that are quite similar to one another, except for the utility attributes (e.g., the eyebrows in the figure). While both StegEdge and Deep Poisoning lead to drastic changes of the images, the reconstructed images for the traditional methods of GN and GF are visually closer to the user images in Fig. 8. Such an effect is less obvious for ImageNet in Fig. 9, as the latent space of the selected splitting layer of MobileNet is more complex than that of ResNet.

To quantitatively measure the quality of reconstructed images for each method, we adopt the PSNR and SSIM, and a higher value means the target image is more similar to the reference image. As can be seen in Fig. 10, among all the methods, StegEdge consistently achieves low PSNR and SSIM of the reconstructed images measured against the user images, and thus reduces the leakage of sensitive information. With regard to the PSNR and SSIM measured against the cover images of StegEdge, it is intuitive that at a higher level of accuracy for utility attributes (i.e., lower emphasis on reducing the distance in the latent space), the reconstructed image would be less similar to the cover image.
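For reference, the PSNR between a reference image and a target image can be sketched as below, using the standard definition $10 \log_{10} (MAX^{2} / MSE)$ . The sketch assumes flattened images with pixel values in the range of 0.0 to 1.0; the dynamic range actually used in the experiments is not stated, so `max_value` is an assumption.

```python
import math


def psnr(reference, target, max_value=1.0):
    """Peak Signal-to-Noise Ratio in dB between two flattened images."""
    mse = sum((r - t) ** 2 for r, t in zip(reference, target)) / len(reference)
    if mse == 0:
        return math.inf  # identical images
    return 10.0 * math.log10(max_value ** 2 / mse)


user_image = [0.0, 1.0, 0.5, 0.5]
close_reconstruction = [0.1, 0.9, 0.5, 0.5]
far_reconstruction = [0.5, 0.5, 0.0, 1.0]

psnr_close = psnr(user_image, close_reconstruction)
psnr_far = psnr(user_image, far_reconstruction)
```

A reconstruction that is closer to the reference yields a higher PSNR, so from the users’ perspective a low PSNR against the user image indicates less leakage.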

Fig. 10.

The quality of the ESP’s reconstructed images measured by PSNR and SSIM against the user images (lower is better), and additionally against the cover images used by StegEdge (higher is better).

Table 3

Comparison of the model complexity and computing speed at the user side

Method	Input Size	Output Size	GMACs	# of Parameters	Computing time per image (ms)
ESP ResNet FE (CelebA)	3 × 128 × 128	2048	1.35	23.51 M	9.43
Steg ResNet FE (CelebA)	3 × 128 × 128	2048	3.4	42.73 M	17.96
ESP MobileNet FE (ImageNet)	3 × 224 × 224	160 × 7 × 7	0.18	1.22 M	7.82
Steg MobileNet FE (ImageNet)	3 × 224 × 224	160 × 7 × 7	0.25	1.23 M	7.86
GN + ESP FE (CelebA)	3 × 128 × 128	2048	/	/	11.89
GF + ESP FE (CelebA)	3 × 128 × 128	2048	/	/	25.81
GN + ESP FE (ImageNet)	3 × 224 × 224	160 × 7 × 7	/	/	15.01
GF + ESP FE (ImageNet)	3 × 224 × 224	160 × 7 × 7	/	/	47.86

5.4.7. Model complexity and inference speed

The model complexity of the StegEdge FEs and ESP FEs, as well as the computing speed of the methods are illustrated in Table 3, where MAC is “Multiply–accumulate operation”. The results for DP FEs are not listed, since they have exactly the same architecture as the ESP FEs. While modifications of the relevant neural networks (e.g., weight quantization [20]) are generally required in practice for them to be more efficiently run on resource-constrained devices, they are out of the scope of this paper. Note that the neural networks are run on a single GPU, while the methods of Gaussian filter and Gaussian noise are run on the CPU.

Compared with the ESP FE, the StegEdge FE increases the number of parameters by 81.8% and 0.82% respectively for CelebA and ImageNet, while increasing the time required for computation by 90.5% and 0.51% (as computed from Table 3). The computing speed of StegEdge is competitive against the traditional methods of GN and GF. The computing speed and model complexity should be considered in the design of the model architectures of the StegEdge FE in reality, which is out of the scope of this paper.
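The relative overheads can be recomputed directly from the entries of Table 3, as in the sketch below. The dictionary layout and the function name are hypothetical; the numbers are copied from the table.

```python
def relative_increase(baseline, value):
    """Percentage increase of value over baseline."""
    return (value - baseline) / baseline * 100.0


# (ESP FE, StegEdge FE) pairs taken from Table 3.
TABLE3 = {
    "CelebA": {"params_m": (23.51, 42.73), "time_ms": (9.43, 17.96)},
    "ImageNet": {"params_m": (1.22, 1.23), "time_ms": (7.82, 7.86)},
}

for dataset, rows in TABLE3.items():
    for metric, (esp, steg) in rows.items():
        print(f"{dataset} {metric}: +{relative_increase(esp, steg):.2f}%")
```

The overhead is substantial for the ResNet-based feature extractor and small for the MobileNet-based one, which reflects how much wider the modified early layers are relative to the rest of each network.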

Fig. 11.

The MCC scores of utility vs sensitive attributes on CelebA, when the user trains StegEdge and Deep Poisoning models with 60%, 80%, and 100% of the training data available to the ESP.

5.4.8. Impacts of training data availability

In the setting of the previous experiments, only 80% of the training data are available to the users, while 100% of the data are available to the ESP. We now investigate how a different percentage contributes to the accuracy levels of utility and sensitive attributes in CelebA. Specifically, the percentage is set to 60% and 100% with all other things being equal. In addition to the StegEdge and DP feature extractors, the ESP reconstructors are also trained with the respective settings of percentage.

In Fig. 11(a), it is evident that with a higher percentage of training data available, StegEdge consistently achieves lower leakage of sensitive information at the same level of utility accuracy. As shown in Fig. 11(b), for Deep Poisoning, a higher percentage generally leads to lower leakage of sensitive information, and the roughness of the curves can be explained by the inherent randomness of DP as mentioned before.

6. Discussion

6.1. Potential countermeasures against StegEdge

Offense and defense are an ever-escalating game. For either side, gaining knowledge about the other side leads to remarkable advantages. A great defense would largely benefit from attackers’ unawareness of the specific defensive techniques being applied. In our case, attackers are even deceived into believing that no measures of privacy protection are put in place by users, i.e., inconspicuous privacy protection. Considering the advantages ESPs have over users, including computational resources and data availability, we believe that such deception would help users alleviate the imbalance of positions.

Regarding the potential countermeasures/attacks that could compromise the privacy protection of StegEdge, the following cases are considered to the best of our effort.

Advanced anomaly detection. Although in Fig. 4 we show that it is hard to distinguish between no privacy protection and StegEdge at the level of latent space with UMAP and t-SNE, it is possible for ESPs to deploy sophisticated anomaly detection systems [32], confirm users’ manipulation of the latent codes, and subsequently devise targeted countermeasures.

Model watermarking [47]. The ESP could present to users a feature extractor with hidden watermarks. Consequently, when users make modifications to the feature extractor for privacy protection, it can be easily detected by the ESP.

Compromised utility classifiers. The ESP could present users with a compromised utility classifier, such that the utility and sensitive attributes are highly entangled [39] in the latent space of the classifier. As a result, it would be difficult for users to protect their privacy without causing a significant reduction in the accuracy of utility attributes.

6.2. Obfuscated images vs obfuscated features

In this paper, the focus is on manipulating the latent space such that privacy is protected while utility is maintained, since we assume the setting of splitting the execution of neural networks between user devices and the edge computing server, due to its superior latency and energy efficiency [49].

Alternatively, users could directly send obfuscated images instead of obfuscated features to servers. For instance, as in [46], they could apply GANs to modify the utility attributes of a randomly selected image from the Internet to match those of the user image, such that the ESP’s accuracy of classifying the utility attributes is maintained while adversaries could not extract the true unknown sensitive attributes. However, this approach requires heavy computation on the user’s side, as it involves extracting features, manipulating attributes, and generating obfuscated images, and it contradicts the fundamental goal of edge computing, i.e., offloading computation from user devices to servers.

7. Conclusion

In the paradigm of edge intelligence where user devices upload extracted features to edge computing servers for neural network inference, users’ data privacy needs to be protected against unauthorized data reconstruction, as well as extraction of sensitive private attributes unknown to the users. In a more realistic setting considering factors that hinder privacy protection, such as limited trust in edge computing service providers, and users’ disadvantageous access to training data, we propose StegEdge, a conceptually novel approach to data privacy protection, inspired by the concepts of steganography and deception-based cyber defense. StegEdge maximizes the amount of information related to the utility task in the extracted features, while replacing the rest of the information with features extracted from a random cover image, such that the accuracy of the utility task is not severely impaired. Evaluation on the CelebA and ImageNet datasets shows that StegEdge is able to defend against data reconstruction attacks, and can reduce adversaries’ accuracy of predicting the sensitive attributes by up to 38%, at the same level of utility task accuracy.

Acknowledgments

This work is partially supported by the Natural Science Foundation of Tianjin (No. 20JCZDJC00610), the National Natural Science Foundation of China (No. 62172241), and the Technology Research and Development Program of Tianjin (No. 18ZXZNGX00200).

References

1. Achille and Soatto, Information dropout: Learning optimal representations through noisy computation, 40(12) (2018), 2897–2905.

2. Andriushchenko, Croce, Flammarion and Hein, Square attack: A query-efficient black-box adversarial attack via random search, in: European Conference on Computer Vision, Springer, 2020, pp. 484–501.

3. N.J. Beaudry and Renner, An intuitive proof of the data processing inequality, Quantum Info. Comput. 12(5–6) (2012), 432–441.

4. Boughorbel, Jarray and El-Anbari, Optimal classifier for imbalanced data using matthews correlation coefficient metric, PloS one 12(6) (2017), e0177678. doi:10.1371/journal.pone.0177678.

5. J.-W. Chen, L.-J. Chen, C.-M. Yu and C.-S. Lu, Perceptual Indistinguishability-Net (PI-Net): Facial image obfuscation with manipulable semantics, in: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2021, pp. 6478–6487.

6. Chen, Lin, Lu, Cao, Wu, Guo, Liu and F.-Y. Wang, Deep neural network based vehicle and pedestrian detection for autonomous driving: A survey, 22(6) (2021), 3234–3246.

7. Deng, Dong, Socher, L.-J. Li, Li and Fei-Fei, ImageNet: A large-scale hierarchical image database, in: 2009 IEEE Conference on Computer Vision and Pattern Recognition, 2009, pp. 248–255. doi:10.1109/CVPR.2009.5206848.

8. Deng, Zhao, Fang, Yin, Dustdar and A.Y. Zomaya, Edge intelligence: The confluence of edge computing and artificial intelligence, 7(8) (2020), 7457–7469.

9. Du, Xu, Xiong, Qiu, Zhen, C.G. Snoek and Shao, Learning to learn with variational information bottleneck for domain generalization, in: European Conference on Computer Vision, Springer, 2020, pp. 200–216.

10. Duan, Guo, Liu, Li, Gou and Qin, A new high capacity image steganography method combined with image elliptic curve cryptography and deep neural network, 8 (2020), 25777–25788.

11. Elad, Haviv, Blau and Michaeli, Direct validation of the information bottleneck principle for deep nets, in: Proceedings of the IEEE/CVF International Conference on Computer Vision Workshops, 2019.

12.

A.E.

Eshratifar ,

M.S.

Abrishami and

Pedram , JointDNN: An efficient training and inference engine for, Intelligent Mobile Cloud Computing Services 20(2) (2021), 565–576. doi:10.1109/TMC.2019.2947893.

13.

K.J.

Ferguson-Walter ,

M.M.

Major ,

C.K.

Johnson and

D.H.

Muhleman , Examining the efficacy of decoy-based and psychological cyber deception, in: 30th USENIX Security Symposium (USENIX Security, Vol. 21, 2021, pp. 1127–1144.

14.

Guo ,

Dolhansky ,

Hsin ,

Dinh ,

C.C.

Ferrer and

Wang , Deep poisoning: Towards robust image data sharing against visual disclosure, in: Proceedings of the IEEE/CVF Winter Conference on Applications of Computer Vision, 2021, pp. 686–696.

15.

He ,

Zhang and

R.B.

Lee , Attacking and protecting data privacy in edge–cloud collaborative inference systems, 8(12) (2020), 9706–9716.

16.

Howard ,

Sandler ,

Chu ,

L.-C.

Chen ,

Tan ,

Wang ,

Zhu ,

Pang ,

Vasudevan et al., Searching for mobilenetv3, in: Proceedings of the IEEE/CVF International Conference on Computer Vision, 2019, pp. 1314–1324.

17.

Hu ,

Bao ,

Wang and

Liu , Dynamic adaptive DNN surgery for inference acceleration on the edge, in: IEEE INFOCOM 2019 – IEEE Conference on Computer Communications, 2019, pp. 1423–1431. doi:10.1109/INFOCOM.2019.8737614.

18.

IDC, European Enterprise Edge Market Forecast 2020–2024 (2021), https://www.idc.com/getdoc.jsp?containerId=EUR147186321.

19.

M.M.

Islam and

Al-Shaer , Active deception framework: An extensible development environment for adaptive cyber deception, in: 2020 IEEE Secure Development (SecDev), IEEE, 2020, pp. 41–48. doi:10.1109/SecDev45635.2020.00023.

20.

Jin ,

Yang and

Liao , Adabits: Neural network quantization with adaptive bit-widths, in: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2020, pp. 2146–2156.

21.

Johnson ,

Alahi and

Fei-Fei , Perceptual losses for real-time style transfer and super-resolution, in: European Conference on Computer Vision, Springer, 2016, pp. 694–711.

22.

Jung ,

Bae ,

H.-S.

Choi and

Yoon , PixelSteganalysis: Pixel-wise hidden information removal with low visual degradation, 2021.

23.

I.J.

Kadhim ,

Premaratne ,

P.J.

Vial and

Halloran , Comprehensive survey of image steganography: Techniques, evaluations, and trends in future research, Neurocomputing 335 (2019), 299–326. doi:10.1016/j.neucom.2018.06.075.

24.

Li ,

Duan ,

Yang ,

Chen and

Yang , TIPRDC: Task-independent privacy-respecting data crowdsourcing framework for deep learning with anonymized intermediate representations, in: Proceedings of the 26th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, 2020, pp. 824–832.

25.

Li ,

Xu ,

Xiao ,

Li and

H.T.

Shen , Adaptive square attack: Fooling autonomous cars with adversarial traffic signs, 8(8) (2020), 6337–6347.

26.

W.Y.B.

Lim ,

J.S.

Ng ,

Xiong ,

Jin ,

Zhang ,

Niyato ,

Leung and

Miao , Decentralized edge intelligence: A dynamic resource allocation framework for hierarchical federated learning, 33(3) (2021), 536–550.

27.

Liu ,

Luo ,

Wang and

Tang , Deep learning face attributes in the wild, in: Proceedings of International Conference on Computer Vision (ICCV), 2015.

28.

McInnes ,

Healy and

Melville , UMAP: Uniform manifold approximation and projection for dimension reduction, 2018, arXiv preprint arXiv:1802.03426.

29.

Mirjalili ,

Raschka and

Ross , PrivacyNet: Semi-adversarial networks for multi-attribute face privacy, 29 (2020), 9400–9412.

30.

Mishra ,

Lehmkuhl ,

Srinivasan ,

Zheng and

R.A.

Popa , Delphi: A cryptographic inference service for neural networks, in: 29th USENIX Security Symposium (USENIX Security, Vol. 20, 2020, pp. 2505–2522.

31.

Morales ,

Fierrez ,

Vera-Rodriguez and

Tolosana , Sensitivenets: Learning agnostic representations with application to face images, 43(6) (2020), 2158–2164.

32.

Pang ,

Shen ,

Cao and

A.V.D.

Hengel , Deep learning for anomaly detection: A review, ACM Computing Surveys (CSUR) 54(2) (2021), 1–38. doi:10.1145/3439950.

33.

Qi ,

Li ,

Song ,

Guo and

Jamalipour , Extensive edge intelligence for future vehicular networks in 6G, 28(4) (2021), 128–135.

34.

Rathee ,

Kumar ,

Chandran ,

Gupta ,

Rastogi and

Sharma , CrypTFlow2: Practical 2-party secure inference, in: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, 2020, pp. 325–342. doi:10.1145/3372297.3417274.

35.

Samragh ,

Hosseini ,

Triastcyn ,

Azarian ,

Soriaga and

Koushanfar , Unsupervised information obfuscation for split inference of neural networks, in: International Conference on Machine Learning, PMLR, 2021.

36.

Sannon ,

N.N.

Bazarova and

Cosley , Privacy lies: Understanding how, when, and why people Lie to protect their privacy in multiple online contexts, in: Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems, 2018, pp. 1–13.

37.

Schlögl and

Böhme , eNNclave: Offline inference with model confidentiality, in: Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security, 2020, pp. 93–104. doi:10.1145/3411508.3421376.

38.

Speicher ,

Ali ,

Venkatadri ,

F.N.

Ribeiro ,

Arvanitakis ,

Benevenuto ,

K.P.

Gummadi ,

Loiseau and

Mislove , Potential for discrimination in online targeted advertising, in: Conference on Fairness, Accountability and Transparency, PMLR, 2018, pp. 5–19.

39.

Standley ,

Zamir ,

Chen ,

Guibas ,

Malik and

Savarese , Which tasks should be learned together in multi-task learning? in: International Conference on Machine Learning, PMLR, 2020, pp. 9120–9132.

40.

Sun ,

Cheng ,

Li ,

Pei and

Han , Exploring effective data for surrogate training towards black-box attack, in: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2022, pp. 15355–15364.

41.

Tramèr and

Boneh , Slalom: Fast, verifiable and private execution of neural networks in trusted hardware, in: 7th International Conference on Learning Representations, ICLR 2019, New Orleans, LA, USA, May 6–9, 2019, OpenReview.net, 2019.

42.

Van der Maaten and

Hinton , Visualizing data using t-SNE, Journal of machine learning research 9(11) (2008), 2579–2605.

43.

Wu ,

Wang ,

Jin and

Wang , Privacy-preserving deep action recognition: An adversarial learning framework and a new dataset, 2020.

44.

Xiao ,

Y.-H.

Tsai ,

Sohn ,

Chandraker and

M.-H.

Yang , Adversarial learning of privacy-preserving and task-oriented representations, in: Proceedings of the AAAI Conference on Artificial Intelligence, Vol. 34, 2020, pp. 12434–12441.

45.

Xiao ,

Shi ,

Li ,

Saad and

H.V.

Poor , in: Toward Self-Learning Edge Intelligence in 6G 58(12), 2020, pp. 34–40.

46.

Yang ,

Fei ,

Ding ,

Liu ,

Lu and

Xiang , L2m-gan: Learning to manipulate latent space semantics for facial attribute editing, in: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2021, pp. 2951–2960.

47.

Yang ,

Lao and

Li , Robust watermarking for deep neural networks via bi-level optimization, in: Proceedings of the IEEE/CVF International Conference on Computer Vision, 2021, pp. 14841–14850.

48.

Zhou ,

Xu ,

Liang ,

Zeng and

Yan , Deep-learning-enhanced multitarget detection for end–edge–cloud surveillance in smart IoT, 8(16) (2021), 12588–12596.

49.

Zhou ,

Chen ,

Li ,

Zeng ,

Luo and

Zhang , Edge intelligence: Paving the last mile of artificial intelligence with edge computing, Proc. IEEE 107 (2019), 1738–1762. doi:10.1109/JPROC.2019.2918951.

Footnotes

¹ https://azure.microsoft.com/en-us/products/azure-stack/edge/

³ https://github.com/tensorflow/tensor2tensor/blob/master/tensor2tensor/data_generators/celeba.py#L175-L205
