Defending CNN against privacy leakage in edge computing via binary neural networks

Abstract

As the IoT has developed, edge computing has played an increasingly important role in the IoT ecosystem. The edge computing paradigm offers low latency and high computing performance, which is conducive to machine learning tasks such as object detection in autonomous driving. However, data privacy risks in edge computing still exist and the existing privacy-preserving methods are not satisfactory due to the large computational overhead and unbearable accuracy loss.We have designed a privacy-preserving machine learning framework for both user and cloud data. Users and the cloud provide data for inference and training respectively, and the privacy protection of these two aspects is both considered in this paper. Users provide test data and want to access the data-processing models in cloud for inference, and the cloud provides the training data used for training an eligible model. For user data, in order to maintain the overall performance of the machine learning framework while using homomorphic encryption, instead of providing encrypted data to all machine learning tasks, we divide the neural network into two parts, with one part kept on the trusted edge and provided with plaintext, and the other deployed on the untrusted cloud and provided with encrypted input. For cloud data, we apply the binary neural network, a network with the binarized value of weights. This method is practical for narrowing the confidence score gap (between the training and test sets) predicted by the model, which accounts most for a successful exploratory attack on training data. Experiments demonstrate that the results of the adversary’s membership inference attack are close to random guessing, and the accuracy is only slightly affected. Compared with the unencrypted network on VGG19, when the network is split from conv4_1 to fc8, the efficiency of using HE is only 100 to 30 times slower.