Ensembler: Protect Collaborative Inference Privacy from Model Inversion Attack via Selective Ensemble

Dancheng Liu; Chenhui Xu; Jiajie Li; Amir Nassereldine; Jinjun Xiong

doi:10.1109/DAC63849.2025.11132673

Ensembler: Protect Collaborative Inference Privacy from Model Inversion Attack via Selective Ensemble

Dancheng Liu
, Chenhui Xu
, Jiajie Li
, Amir Nassereldine
, Jinjun Xiong

Department of Computer Science and Engineering

University at Buffalo

SUNY Buffalo

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

For collaborative inference through a cloud computing platform, it is sometimes essential for the client to shield its sensitive information from the cloud provider. In this paper, we introduce Ensembler, an extensible framework designed to substantially increase the difficulty of conducting model inversion attacks by adversarial parties. Ensembler leverages selective model ensemble on the adversarial server to obfuscate the reconstruction of the client's private information. Our experiments demonstrate that Ensembler can effectively shield input images from reconstruction attacks, even when the client only retains one layer of the network locally. Ensembler significantly outperforms baseline methods by up to 43.5% in structural similarity while only incurring 4.8% time overhead during inference.

Original language	English
Title of host publication	2025 62nd ACM/IEEE Design Automation Conference, DAC 2025
Publisher	Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic)	9798331503048
DOIs	https://doi.org/10.1109/DAC63849.2025.11132673
State	Published - 2025
Event	62nd ACM/IEEE Design Automation Conference, DAC 2025 - San Francisco, United States Duration: Jun 22 2025 → Jun 25 2025

Publication series

Name	Proceedings - Design Automation Conference

Conference

Conference	62nd ACM/IEEE Design Automation Conference, DAC 2025
Country/Territory	United States
City	San Francisco
Period	06/22/25 → 06/25/25

Access to Document

10.1109/DAC63849.2025.11132673

Cite this

Liu, D., Xu, C., Li, J., Nassereldine, A., & Xiong, J. (2025). Ensembler: Protect Collaborative Inference Privacy from Model Inversion Attack via Selective Ensemble. In 2025 62nd ACM/IEEE Design Automation Conference, DAC 2025 (Proceedings - Design Automation Conference). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/DAC63849.2025.11132673

@inproceedings{d6ac037b4ffd457aa02e0167f8366d66,

title = "Ensembler: Protect Collaborative Inference Privacy from Model Inversion Attack via Selective Ensemble",

abstract = "For collaborative inference through a cloud computing platform, it is sometimes essential for the client to shield its sensitive information from the cloud provider. In this paper, we introduce Ensembler, an extensible framework designed to substantially increase the difficulty of conducting model inversion attacks by adversarial parties. Ensembler leverages selective model ensemble on the adversarial server to obfuscate the reconstruction of the client's private information. Our experiments demonstrate that Ensembler can effectively shield input images from reconstruction attacks, even when the client only retains one layer of the network locally. Ensembler significantly outperforms baseline methods by up to 43.5\% in structural similarity while only incurring 4.8\% time overhead during inference.",

author = "Dancheng Liu and Chenhui Xu and Jiajie Li and Amir Nassereldine and Jinjun Xiong",

note = "Publisher Copyright: {\textcopyright} 2025 IEEE.; 62nd ACM/IEEE Design Automation Conference, DAC 2025 ; Conference date: 22-06-2025 Through 25-06-2025",

year = "2025",

doi = "10.1109/DAC63849.2025.11132673",

language = "English",

series = "Proceedings - Design Automation Conference",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

booktitle = "2025 62nd ACM/IEEE Design Automation Conference, DAC 2025",

address = "United States",

}

Liu, D, Xu, C, Li, J, Nassereldine, A & Xiong, J 2025, Ensembler: Protect Collaborative Inference Privacy from Model Inversion Attack via Selective Ensemble. in 2025 62nd ACM/IEEE Design Automation Conference, DAC 2025. Proceedings - Design Automation Conference, Institute of Electrical and Electronics Engineers Inc., 62nd ACM/IEEE Design Automation Conference, DAC 2025, San Francisco, United States, 06/22/25. https://doi.org/10.1109/DAC63849.2025.11132673

Ensembler: Protect Collaborative Inference Privacy from Model Inversion Attack via Selective Ensemble. / Liu, Dancheng; Xu, Chenhui; Li, Jiajie et al.
2025 62nd ACM/IEEE Design Automation Conference, DAC 2025. Institute of Electrical and Electronics Engineers Inc., 2025. (Proceedings - Design Automation Conference).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Ensembler

T2 - 62nd ACM/IEEE Design Automation Conference, DAC 2025

AU - Liu, Dancheng

AU - Xu, Chenhui

AU - Li, Jiajie

AU - Nassereldine, Amir

AU - Xiong, Jinjun

PY - 2025

Y1 - 2025

N2 - For collaborative inference through a cloud computing platform, it is sometimes essential for the client to shield its sensitive information from the cloud provider. In this paper, we introduce Ensembler, an extensible framework designed to substantially increase the difficulty of conducting model inversion attacks by adversarial parties. Ensembler leverages selective model ensemble on the adversarial server to obfuscate the reconstruction of the client's private information. Our experiments demonstrate that Ensembler can effectively shield input images from reconstruction attacks, even when the client only retains one layer of the network locally. Ensembler significantly outperforms baseline methods by up to 43.5% in structural similarity while only incurring 4.8% time overhead during inference.

AB - For collaborative inference through a cloud computing platform, it is sometimes essential for the client to shield its sensitive information from the cloud provider. In this paper, we introduce Ensembler, an extensible framework designed to substantially increase the difficulty of conducting model inversion attacks by adversarial parties. Ensembler leverages selective model ensemble on the adversarial server to obfuscate the reconstruction of the client's private information. Our experiments demonstrate that Ensembler can effectively shield input images from reconstruction attacks, even when the client only retains one layer of the network locally. Ensembler significantly outperforms baseline methods by up to 43.5% in structural similarity while only incurring 4.8% time overhead during inference.

UR - https://www.scopus.com/pages/publications/105017791011

U2 - 10.1109/DAC63849.2025.11132673

DO - 10.1109/DAC63849.2025.11132673

M3 - Conference contribution

T3 - Proceedings - Design Automation Conference

BT - 2025 62nd ACM/IEEE Design Automation Conference, DAC 2025

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 22 June 2025 through 25 June 2025

ER -

Ensembler: Protect Collaborative Inference Privacy from Model Inversion Attack via Selective Ensemble

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this