The security problem is that when we transmit those intermediate features to the cloud server, we need to consider a man-in-the-middle attacker, who can tap into the features and use Generative Adversarial Networks to restore the private training data from the features. The probability that the attacker can recover the original data declines monotonically with the depth of the neural network. For VGG16, the probability is conv3-64, conv3-64 (90%); conv3-128, conv3-128 (70%); conv3-256, conv3-256, conv3-256 (40%); conv3-512, conv3-512, conv3-512 (20%); conv3-512, conv3-512, conv3-512 (5%). For each filter module, the number indicates the number of filters (e.g., 512 filters) and the percentage indicates the attack success rate (20%).

Now we want to achieve a balance between security and network bandwidth. For example, if we are transferring the first layer of 224x224x3, we are transferring 220x220x3x64 pixels with (1-90%) in the security gauge. We use a simple weighted formula to weigh the network bandwidth and security, Y = N + a*S, where N = 220x220x3x64 + a*0.1, set a = 10^6.

Compute the Y value for each filter bank. Note that you will need to calculate the correct output size from the convolutional layer. For example, the output size from the first conv3 layer is 224-3+1 = 222. After the second conv3 layer it is 220x220x3. Show the computation for all the 64, 128, 256 and 512 layer modules (assume we partition the network at the end of each module).
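The computation above can be carried through all five modules in code. This is an added example, not part of the original problem statement. It assumes N = side x side x 3 x filters (the form of the page's first-module figure) and S = 1 - attack success rate; `partition_scores` and `pool_between` are hypothetical names, and the pooling option is an assumption the page does not state.

```python
A = 10**6  # weight a from the page

# (filters, conv3 layers in the module, attack success rate in %), as listed on the page
MODULES = [(64, 2, 90), (128, 2, 70), (256, 3, 40), (512, 3, 20), (512, 3, 5)]


def partition_scores(input_size=224, pool_between=False):
    """Return one row per module for a partition at the end of that module.

    Each unpadded 3x3 convolution (stride 1) shrinks the side by 2, matching
    the page's 224-3+1 = 222 step. pool_between=True is an assumption: it
    applies standard VGG16 2x2, stride-2 max pooling before the next module.
    """
    rows = []
    side = input_size
    for filters, convs, attack_pct in MODULES:
        side -= 2 * convs  # output side after this module's conv3 layers
        if side <= 0:
            raise ValueError("input too small for this many unpadded conv layers")
        n = side * side * 3 * filters              # transferred size N
        weighted_s = A * (100 - attack_pct) // 100  # a*S, kept in integers
        rows.append({"filters": filters, "side": side, "attack_pct": attack_pct,
                     "N": n, "aS": weighted_s, "Y": n + weighted_s})
        if pool_between:
            side //= 2  # floor division, as max pooling discards the odd row/column
    return rows


if __name__ == "__main__":
    for label, pool in (("no pooling", False), ("with 2x2 pooling", True)):
        print(label)
        for r in partition_scores(pool_between=pool):
            print("  conv3-{filters:<3} side={side:<3} N={N:<10} a*S={aS:<7} Y={Y}".format(**r))
```

Integer percentages keep a*S exact; computing 1 - 0.9 in floating point would give a value slightly below 0.1.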