The security problem is that when we transmit those intermediate features to the cloud server, we need to
consider a man-in-the-middle attacker, who can tap into the features and use Generative Adversarial
Networks to restore the private training data from the features. The probability that the attacker can
recover the original data declines monotonically with the depth of the neural network. For VGG16,
the probability is conv3-64, conv3-64 (90%); conv3-128, conv3-128 (70%); conv3-256, conv3-256,
conv3-256 (40%); conv3-512, conv3-512, conv3-512 (20%); conv3-512, conv3-512, conv3-512 (5%). For
each filter module, the number indicates the number of filters (e.g., 512 filters) and the percentage
indicates the attack success rate (e.g., 20%).
Now we want to achieve a balance between security and network bandwidth. For example, if we are
transferring the features of the first module for a 224x224x3 input, we are transferring 220x220x3x64
pixels with (1-90%) on the security gauge. We use a simple weighted formula to weigh the network
bandwidth and security, Y = N + a*S, where for the first module N = 220x220x3x64 and a*S = a*0.1;
set a = 10^6.
Compute the Y value for each filter bank. Note that you will need to calculate the correct output size of
each convolutional layer. For example, the output size of the first conv3 layer is 224-3+1 = 222, and after
the second conv3 layer it is 220x220x3. Show the computation for all the 64, 128, 256 and 512 filter
modules (assume we partition the network at the end of each module).
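
The calculation asked for above, as an added example that is not part of the original page: it propagates the unpadded conv3 output size through each module and evaluates Y = N + a*S with S = 1 - attack success rate, using the page's 220x220x3x64 counting convention. The 2x2 pooling step between modules is an assumption (the problem text only gives the convolution size rule), so it is exposed as a switch; `split_costs` and `MODULES` are names chosen for this example.

```python
# Added example: Y = N + a*S for each VGG16 split point described above.
# Assumption (not from the page): whether a 2x2 max pool sits between modules;
# the problem text only gives the convolution rule, so pooling is a switch.

A = 10**6  # weight "a" from the problem statement

# (filters, number of conv3 layers, attack success rate in percent), from the page
MODULES = [(64, 2, 90), (128, 2, 70), (256, 3, 40), (512, 3, 20), (512, 3, 5)]


def split_costs(input_size=224, kernel=3, pool=True, a=A):
    """Return one dict per module: output size, N, a*S and Y at that split."""
    size, rows = input_size, []
    for filters, convs, attack_pct in MODULES:
        for _ in range(convs):
            size = size - kernel + 1               # unpadded conv: 224-3+1 = 222
        n = size * size * 3 * filters              # page's convention: 220x220x3x64
        a_s = a * (100 - attack_pct) // 100        # a*S, S = 1 - attack rate (exact ints)
        rows.append({"filters": filters, "size": size,
                     "N": n, "aS": a_s, "Y": n + a_s})
        if pool:
            size //= 2                             # assumed 2x2, stride-2 max pool
    return rows


if __name__ == "__main__":
    for pool in (True, False):
        print(f"pooling between modules: {pool}")
        for r in split_costs(pool=pool):
            print(f"  conv3-{r['filters']:<3} {r['size']:>3}x{r['size']:<3} "
                  f"N={r['N']:>10,}  a*S={r['aS']:>7,}  Y={r['Y']:>10,}")
```

The first module gives the same result under either pooling assumption, since pooling only affects the sizes seen by later modules.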