Model inversion attacks against collaborative inference

Zecheng He, Tianwei Zhang, Ruby B. Lee

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

138 Scopus citations


The prevalence of deep learning has drawn attention to the privacy protection of sensitive data. Various privacy threats have been presented, where an adversary can steal model owners’ private data. Meanwhile, countermeasures have also been introduced to achieve privacy-preserving deep learning. However, most studies only focused on data privacy during training, and ignored privacy during inference. In this paper, we devise a new set of attacks to compromise the inference data privacy in collaborative deep learning systems. Specifically, when a deep neural network and the corresponding inference task are split and distributed to different participants, one malicious participant can accurately recover an arbitrary input fed into this system, even if he has no access to other participants’ data or computations, or to prediction APIs to query this system. We evaluate our attacks under different settings, models and datasets, to show their effectiveness and generalization. We also study the characteristics of deep learning models that make them susceptible to such inference privacy threats. This provides insights and guidelines to develop more privacy-preserving collaborative systems and algorithms.

Original language: English (US)
Title of host publication: Proceedings - 35th Annual Computer Security Applications Conference, ACSAC 2019
Publisher: Association for Computing Machinery
Number of pages: 15
ISBN (Electronic): 9781450376280
State: Published - Dec 9 2019
Event: 35th Annual Computer Security Applications Conference, ACSAC 2019 - San Juan, United States
Duration: Dec 9 2019 to Dec 13 2019

Publication series

Name: ACM International Conference Proceeding Series


Conference: 35th Annual Computer Security Applications Conference, ACSAC 2019
Country/Territory: United States
City: San Juan

All Science Journal Classification (ASJC) codes

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications


  • Deep Neural Network
  • Distributed Computation
  • Model Inversion Attack

