Di Gao,Cheng Zhuo

DOI: https://doi.org/10.3233/FAIA200294

2020-01-01

Abstract:The deployment of deep learning applications has to address the growing privacy concerns when using private and sensitive data for training. A conventional deep learning model is prone to privacy attacks that can recover the sensitive information of individuals from either model parameters or accesses to the target model. Recently, differential privacy that offers provable privacy guarantees has been proposed to train neural networks in a privacy-preserving manner to protect training data. However, many approaches tend to provide the worst case privacy guarantees for model publishing, inevitably impairing the accuracy of the trained models. In this paper, we present a novel private knowledge transfer strategy, where the private teacher trained on sensitive data is not publicly accessible but teaches a student to be publicly released. In particular, a three-player (teacher-student-discriminator) learning framework is proposed to achieve trade-off between utility and privacy, where the student acquires the distilled knowledge from the teacher and is trained with the discriminator to generate similar outputs as the teacher. We then integrate a differential privacy protection mechanism into the learning procedure, which enables a rigorous privacy budget for the training. The framework eventually allows student to be trained with only unlabelled public data and very few epochs, and hence prevents the exposure of sensitive training data, while ensuring model utility with a modest privacy budget. The experiments on MNIST, SVHN and CIFAR-10 datasets show that our students obtain the accuracy losses w.r.t teachers of 0.89%, 2.29%, 5.16%, respectively with the privacy bounds of (1.93, 10(-5)), (5.02, 10(-6)), (8.81, 10(-6)). When compared with the existing works [15, 20], the proposed work can achieve 582% accuracy loss improvement.

Sicong Liu,Anshumali Shrivastava,Junzhao Du,Lin Zhong

2019-01-01

Abstract:The remarkable success of machine learning, especially deep learning, has produced a variety of cloud-based services for mobile users. Such services require an end user to send data to the service provider, which presents a serious challenge to end-user privacy. To address this concern, prior works either add noise to the data or send features extracted from the raw data. They struggle to balance between the utility and privacy because added noise reduces utility and raw data can be reconstructed from extracted features. This work represents a methodical departure from prior works: we balance between a measure of privacy and another of utility by leveraging adversarial learning to find a sweeter tradeoff. We design an encoder that optimizes against the reconstruction error (a measure of privacy), adversarially by a Decoder, and the inference accuracy (a measure of utility) by a Classifier. The result is RAN, a novel deep model with a new training algorithm that automatically extracts features for classification that are both private and useful. It turns out that adversarially forcing the extracted features to only conveys the intended information required by classification leads to an implicit regularization leading to better classification accuracy than the original model which completely ignores privacy. Thus, we achieve better privacy with better utility, a surprising possibility in machine learning! We conducted extensive experiments on five popular datasets over four training schemes, and demonstrate the superiority of RAN compared with existing alternatives.

ADVERSARIAL NETWORK,Sicong Liu

2019-01-01

Abstract:The remarkable success of machine learning, especially deep learning, has produced a variety of cloud-based services for mobile users. Such services require an end user to send data to the service provider, which presents a serious challenge to end-user privacy. To address this concern, prior works either add noise to the data or send features extracted from the raw data. They struggle to balance between the utility and privacy because added noise reduces utility and raw data can be reconstructed from extracted features. This work represents a methodical departure from prior works: we balance between a measure of privacy and another of utility by leveraging adversarial learning to find a sweeter tradeoff. We design an encoder that optimizes against the reconstruction error (a measure of privacy), adversarially by a Decoder, and the inference accuracy (a measure of utility) by a Classifier. The result is RAN, a novel deep model with a new training algorithm that automatically extracts features for classification that are both private and useful. It turns out that adversarially forcing the extracted features to only conveys the intended information required by classification leads to an implicit regularization leading to better classification accuracy than the original model which completely ignores privacy. Thus, we achieve better privacy with better utility, a surprising possibility in machine learning! We conducted extensive experiments on five popular datasets over four training schemes, and demonstrate the superiority of RAN compared with existing alternatives.

Bardia Azizian,Ivan V. Bajic

2024-09-05

Abstract:Privacy is a crucial concern in collaborative machine vision where a part of a Deep Neural network (DNN) model runs on the edge, and the rest is executed on the cloud. In such applications, the machine vision model does not need the exact visual content to perform its task. Taking advantage of this potential, private information could be removed from the data insofar as it does not significantly impair the accuracy of the machine vision system. In this paper, we present an autoencoder-style network integrated within an object detection pipeline, which generates a latent representation of the input image that preserves task-relevant information while removing private information. Our approach employs an adversarial training strategy that not only removes private information from the bottleneck of the autoencoder but also promotes improved compression efficiency for feature channels coded by conventional codecs like VVC-Intra. We assess the proposed system using a realistic evaluation framework for privacy, directly measuring face and license plate recognition accuracy. Experimental results show that our proposed method is able to reduce the bitrate significantly at the same object detection accuracy compared to coding the input images directly, while keeping the face and license plate recognition accuracy on the images recovered from the bottleneck features low, implying strong privacy protection. Our code is available at <a class="link-external link-https" href="https://github.com/bardia-az/ppa-code" rel="external noopener nofollow">this https URL</a>.

Image and Video Processing

Yuting Ma,Yuanzhi Yao,Xiaowei Liu,Nenghai Yu

DOI: https://doi.org/10.1109/globecom48099.2022.10001061

2022-01-01

Abstract:Collaborative learning in which local clients jointly train a deep learning model by sharing parameters to the centralized server has gained great popularity. However, recent works have shown that local private data can be leaked to the server by gradient sharing. In this paper, a privacy-preserving collaborative learning scheme is proposed to defend against gradient-based reconstruction attacks. The sensitive training images are firstly permutated by transformation with scalable block sizes. Then, features of permutated images are extracted by a classification-compliant autoencoder for meaningful representation of high-dimensional images and facilitating classification. The model accuracy constraint is incorporated in the training process to maintain decent classification accuracy. Experimental results demonstrate that the proposed scheme can achieve high privacy preservation with minimal impact on model accuracy.

Narasima Mallikarjunan,Harine Rajashree R.,Sundarakantham K.,Mercy Shalinie S.

DOI: https://doi.org/10.1016/j.engappai.2024.108384

IF: 8

2024-04-16

Engineering Applications of Artificial Intelligence

Abstract:Edge computing enables real-time processing and response by storing, analyzing, and processing data near the source. The surge in the amount of data generated as a result of the Internet of Things (IoT) civilization has further expanded the use of edge computing. Industries, including healthcare, manufacturing, and transportation, benefit from analytics on the generated data. However, analytics on the generated data pose privacy threats. Existing privacy preserving approaches suffer from limitations such as high cost and poor utility of data. To overcome the limitation, we propose a privacy-aware image classification framework deployable at the edge. The framework uses a novel autoencoder training approach that learns to transform raw data into task-specific, insensitive features. This framework reduces the computation overhead and increases the privacy of the end user. The following milestones can be realized if our proposed framework is utilized: (i) Service Providers can retain proprietary models as there will be no need to share the moderator as in federated learning techniques (ii) End users can utilize inexpensive, resource-constrained devices to gain data privacy at a low cost. We tested our model on the benchmark datasets, the CIFAR10 and MNIST datasets, and reported the results. The framework achieves a classification accuracy of more than 89%, which denotes that the utility of the data is maintained. Furthermore, only 21% data leakage is recorded in the proposed framework, thereby making it feasible for practical applications.

automation & control systems,computer science, artificial intelligence,engineering, electrical & electronic, multidisciplinary

Moshe Hanukoglu,Nissan Goldberg,Aviv Rovshitz,Amos Azaria

DOI: https://doi.org/10.48550/arXiv.1909.09156

2019-09-19

Abstract:In this paper, we introduce a learning model able to conceals personal information (e.g. gender, age, ethnicity, etc.) from an image, while maintaining any additional information present in the image (e.g. smile, hair-style, brightness). Our trained model is not provided the information that it is concealing, and does not try learning it either. Namely, we created a variational autoencoder (VAE) model that is trained on a dataset including labels of the information one would like to conceal (e.g. gender, ethnicity, age). These labels are directly added to the VAE's sampled latent vector. Due to the limited number of neurons in the latent vector and its appended noise, the VAE avoids learning any relation between the given images and the given labels, as those are given directly. Therefore, the encoded image lacks any of the information one wishes to conceal. The encoding may be decoded back into an image according to any provided properties (e.g. a 40 year old woman). The proposed architecture can be used as a mean for privacy preserving and can serve as an input to systems, which will become unbiased and not suffer from prejudice. We believe that privacy and discrimination are two of the most important aspects in which the community should try and develop methods to prevent misuse of technological advances.

Machine Learning,Computer Vision and Pattern Recognition,Human-Computer Interaction

Yitian Zhang,Hojjat Salehinejad,Joseph Barfett,Errol Colak,Shahrokh Valaee

DOI: https://doi.org/10.1109/globalsip45357.2019.8969086

2019-01-01

Abstract:In this paper, we propose a distributed machine learning framework for training and inference in machine learning models using distributed data while preserving privacy of the data owner. In the training mode, we deploy an encoder on the end-user device which extracts high level features from input data. The extracted features along with the corresponding annotation are sent to a centralized machine learning server. In the inference mode, the users submit the extracted features from encoder instead of the original data for inference to the server. This approach enables users to contributed in training a machine learning model and use inference services without sharing their original data with the server or a third party. We have studied this approach on MNIST, Fashion, SVHN and CIFAR-10 datasets. The results show high classification accuracy of neural networks, trained with encoded features, and high encryption performance of the encoders.

Bo Ma,W. Yan,E. Lai,Jingsong Wu

DOI: https://doi.org/10.1007/978-3-030-72073-5_1

2021-01-01

Abstract:Centralised machine learning brings in side effect pertaining to privacy preservation, most of machine learning methods prone to using the frameworks without privacy protection, as current methods for privacy preservation will slow down model training and testing. In order to resolve this problem, we develop a new noise generating method based on information entropy by using differential privacy for betterment the privacy protection which owns the architecture of federated machine learning. Our experiments unveil that this solution effectively preserves privacy in the vein of centralized federated learning. The gained accuracy is promising which has a room to be uplifted.

Jude TCHAYE-KONDI,Yanlong Zhai,Liehuang Zhu

DOI: https://doi.org/10.36227/techrxiv.13698883.v1

2021-01-01

Abstract:We address privacy and latency issues in the edge/cloud computing environment while training a centralized AI model. In our particular case, the edge devices are the only data source for the model to train on the central server. Current privacy-preserving and reducing network latency solutions rely on a pre-trained feature extractor deployed on the devices to help extract only important features from the sensitive dataset. However, finding a pre-trained model or pubic dataset to build a feature extractor for certain tasks may turn out to be very challenging. With the large amount of data generated by edge devices, the edge environment does not really lack data, but its improper access may lead to privacy concerns. In this paper, we present DeepGuess , a new privacy-preserving, and latency aware deeplearning framework. DeepGuess uses a new learning mechanism enabled by the AutoEncoder(AE) architecture called Inductive Learning, which makes it possible to train a central neural network using the data produced by end-devices while preserving their privacy. With inductive learning, sensitive data remains on devices and is not explicitly involved in any backpropagation process. The AE’s Encoder is deployed on devices to extracts and transfers important features to the server. To enhance privacy, we propose a new local deferentially private algorithm that allows the Edge devices to apply random noise to features extracted from their sensitive data before transferred to an untrusted server. The experimental evaluation of DeepGuess demonstrates its effectiveness and ability to converge on a series of experiments.

Omobayode Fagbohungbe,Sheikh Rufsan Reza,Xishuang Dong,Lijun Qian

DOI: https://doi.org/10.48550/arXiv.2005.04563

2021-09-04

Abstract:In order to extract knowledge from the large data collected by edge devices, traditional cloud based approach that requires data upload may not be feasible due to communication bandwidth limitation as well as privacy and security concerns of end users. To address these challenges, a novel privacy preserving edge computing framework is proposed in this paper for image classification. Specifically, autoencoder will be trained unsupervised at each edge device individually, then the obtained latent vectors will be transmitted to the edge server for the training of a classifier. This framework would reduce the communications overhead and protect the data of the end users. Comparing to federated learning, the training of the classifier in the proposed framework does not subject to the constraints of the edge devices, and the autoencoder can be trained independently at each edge device without any server involvement. Furthermore, the privacy of the end users' data is protected by transmitting latent vectors without additional cost of encryption. Experimental results provide insights on the image classification performance vs. various design parameters such as the data compression ratio of the autoencoder and the model complexity.

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition,Image and Video Processing

Sanjay Kariyappa,Ousmane Dia,Moinuddin K Qureshi

DOI: https://doi.org/10.48550/arXiv.2104.02261

2021-04-06

Cryptography and Security

Abstract:User-facing software services are becoming increasingly reliant on remote servers to host Deep Neural Network (DNN) models, which perform inference tasks for the clients. Such services require the client to send input data to the service provider, who processes it using a DNN and returns the output predictions to the client. Due to the rich nature of the inputs such as images and speech, the input often contains more information than what is necessary to perform the primary inference task. Consequently, in addition to the primary inference task, a malicious service provider could infer secondary (sensitive) attributes from the input, compromising the client's privacy. The goal of our work is to improve inference privacy by injecting noise to the input to hide the irrelevant features that are not conducive to the primary classification task. To this end, we propose Adaptive Noise Injection (ANI), which uses a light-weight DNN on the client-side to inject noise to each input, before transmitting it to the service provider to perform inference. Our key insight is that by customizing the noise to each input, we can achieve state-of-the-art trade-off between utility and privacy (up to 48.5% degradation in sensitive-task accuracy with <1% degradation in primary accuracy), significantly outperforming existing noise injection schemes. Our method does not require prior knowledge of the sensitive attributes and incurs minimal computational overheads.

Aorui Gou,Heming Sun,Xiaoyang Zeng,Yibo Fan

DOI: https://doi.org/10.1109/iscas58744.2024.10558330

2024-01-01

Abstract:The dataset for Video Coding for Machines (VCM) contains sensitive information that requires privacy preservation to address vulnerabilities. Achieving a balance to protect this sensitive data while maintaining VCM performance is crucial. We introduce an autoencoder integrated with a deep learning network that utilizes the ResNet architecture. This design blurs private details while preserving the contours, offering a high-dimensional representation that upholds privacy and VCM performance. The division position between the encoder and decoder is critical, influencing the equilibrium between compression efficacy and machine task performance. We craft a flexible, position-adjustable setting for the autoencoder to optimize this, facilitating a harmonious trade-off between bitrate and mAP across various deep-learning networks. This adaptation demonstrates superior performance relative to existing models. With FasterRCNN, our methods achieve 62.3 of mAP and 5681.29 of bitrate, and their versatility is further validated using YoloV5 and SSD.

Xiaoqian Liu,Qianmu Li,Zhen Ni,Jun Hou

DOI: https://doi.org/10.1109/iThings/GreenCom/CPSCom/SmartData.2019.00094

2019-01-01

Abstract:In recent years, deep learning has achieved remarkable fruits in a wide variety of domains, such as recommender systems. In addition, privacy preservation is unprecedentedly necessary in today's era. In this paper, we leverage the privacy preservation problem in recommendation with the deep learning model, i.e., autoencoders. In order to predict user preferences in the collaborative filtering way, the work reconstructs user sparse ratings with autoencoders to estimate unobserved user preferences. To further protect user privacy, the Gaussian mechanism is combined in the stochastic gradient descent process to ensure that the training process meets the requirements of approximate differential privacy.

Jalpesh Vasa,Amit Thakkar

DOI: https://doi.org/10.1007/s11042-023-18037-3

IF: 2.577

2024-01-21

Multimedia Tools and Applications

Abstract:Deep learning (DL) models are used in a variety of real-world applications but are often vulnerable to privacy attacks. Nevertheless, this DL model is attacked by membership inference attacks, model inversion attacks, reconstruction attacks, model extraction attacks, gradient leakage attacks, correlation attacks, and white box attacks (inference attacks). In order to mitigate this issue, various existing research has attempted to design an effective privacy mechanism. However, the existing schemes failed to obtain higher security in DL because of several limitations like computational complexity, lower efficiency, difficult-to-select parameters, cumulative privacy loss, etc. Recently, the auto-encoder-based deep learning model has become more popular due to its great ability, and its variants have achieved notable success in various fields such as medicine, healthcare and NLP (Natural Language Programming). However, the privacy of the auto-encoder model is affected because of the vulnerable attacks. Thus, to avoid this issue, the proposed study prefers the differential privacy (DP) method for securing the deep auto-encoder model. DP is a privacy-preserving technique that can be used to protect deep learning models from the aforementioned attacks. In this paper, a Differential Privacy-Improved Stochastic Gradient Descent (DP-ISGD) algorithm is proposed to improve the privacy and utility of the Deep Autoencoder method by adding Gaussian noise to the gradients before the clipping process. Thus, the convergence speed and accuracy of the proposed algorithm are enhanced. The experimentation is conducted in the Python platform, and metrics like convergence, accuracy and TPVD (Total Parameters Value Difference) are evaluated to measure the performance of the proposed study. The comparative analysis is performed for the no privacy, privacy with SGD, privacy with batch gradient descent (BGD) and mini-batch gradient descent (MBGD) models. The proposed approach is evaluated against six datasets, Pima Indians Diabetes (PID), Adult, MNIST, CIFAR-10, MovieLens 20 M and CD-FSL, with improved accuracy results of 98.6%, 98.6%, 98.3%, 98.14%, 97.92% and 98.17% for each dataset at the epsilon ( ) value of 0.2. The comparison analysis showed that the proposed algorithm achieves better accuracy than other privacy protection methods. Thus, the significant findings in the proposed work state that the proposed privacy model is suitable for several applications, including medical fields, algorithm development, education and awareness, by affording strong privacy guarantees.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Yuan Zhao,Bo Liu,Tianqing Zhu,Ming Ding,Wanlei Zhou

DOI: https://doi.org/10.1002/cpe.6548

2021-01-01

Concurrency and Computation Practice and Experience

Abstract:SummaryThe explosive growth of various computer vision technologies generates a tremendous amount of visual data online every day. In addition to bringing convenience and revolutionizing our daily life, image data also reveal a wide range of sensitive information and pose unprecedented privacy leakage risks. Particularly, in the case of photos contain human faces, people can easily access those face images on social media without any consent, and the misuse of personal information could cause serious privacy violation to individuals. Therefore, it is essential to consider sanitizing people's identity information when using images containing human faces. As a result, there has been rapid development in the area of facial anonymization, also called image de‐identification. However, due to the emergence of numerous deep‐learning based attacks, traditional anonymization methods such as blurring and mosaic are weak and ineffective to protect individual's privacy in face images. To respond to this challenge, this article proposes a novel de‐identification method that utilizes a deep neural network. The proposed framework encompasses two modules: encoder network and generator network. The encoder transforms a face image into a high‐semantic latent vector of codes, which will be de‐identified according to the differential privacy criterion. The generator leverages the unconditional generative adversarial network to synthesize high‐quality images based on the modified latent codes from the encoder. Extensive experimental results indicate that our proposed model can protect image privacy while keeping the processed image visual realistic.

Xue Jiang,Xuebing Zhou,Jens Grossklags

DOI: https://doi.org/10.2478/popets-2022-0024

2021-11-20

Proceedings on Privacy Enhancing Technologies

Abstract:Abstract Business intelligence and AI services often involve the collection of copious amounts of multidimensional personal data. Since these data usually contain sensitive information of individuals, the direct collection can lead to privacy violations. Local differential privacy (LDP) is currently considered a state-ofthe-art solution for privacy-preserving data collection. However, existing LDP algorithms are not applicable to high-dimensional data; not only because of the increase in computation and communication cost, but also poor data utility. In this paper, we aim at addressing the curse-of-dimensionality problem in LDP-based high-dimensional data collection. Based on the idea of machine learning and data synthesis, we propose DP-F ed -W ae , an efficient privacy-preserving framework for collecting high-dimensional categorical data. With the combination of a generative autoencoder, federated learning, and differential privacy, our framework is capable of privately learning the statistical distributions of local data and generating high utility synthetic data on the server side without revealing users’ private information. We have evaluated the framework in terms of data utility and privacy protection on a number of real-world datasets containing 68–124 classification attributes. We show that our framework outperforms the LDP-based baseline algorithms in capturing joint distributions and correlations of attributes and generating high-utility synthetic data. With a local privacy guarantee ∈ = 8, the machine learning models trained with the synthetic data generated by the baseline algorithm cause an accuracy loss of 10% ~ 30%, whereas the accuracy loss is significantly reduced to less than 3% and at best even less than 1% with our framework. Extensive experimental results demonstrate the capability and efficiency of our framework in synthesizing high-dimensional data while striking a satisfactory utility-privacy balance.

Sicong Liu,Junzhao Du,Anshumali Shrivastava,Lin Zhong

DOI: https://doi.org/10.1145/3369816

2020-06-08

Abstract:The remarkable success of machine learning has fostered a growing number of cloud-based intelligent services for mobile users. Such a service requires a user to send data, e.g. image, voice and video, to the provider, which presents a serious challenge to user privacy. To address this, prior works either obfuscate the data, e.g. add noise and remove identity information, or send representations extracted from the data, e.g. anonymized features. They struggle to balance between the service utility and data privacy because obfuscated data reduces utility and extracted representation may still reveal sensitive information. This work departs from prior works in methodology: we leverage adversarial learning to a better balance between privacy and utility. We design a \textit{representation encoder} that generates the feature representations to optimize against the privacy disclosure risk of sensitive information (a measure of privacy) by the \textit{privacy adversaries}, and concurrently optimize with the task inference accuracy (a measure of utility) by the \textit{utility discriminator}. The result is the privacy adversarial network (\systemname), a novel deep model with the new training algorithm, that can automatically learn representations from the raw data. Intuitively, PAN adversarially forces the extracted representations to only convey the information required by the target task. Surprisingly, this constitutes an implicit regularization that actually improves task accuracy. As a result, PAN achieves better utility and better privacy at the same time! We report extensive experiments on six popular datasets and demonstrate the superiority of \systemname compared with alternative methods reported in prior work.

Machine Learning,Artificial Intelligence,Cryptography and Security

Jiahui Ren,Xian Xu,Zhihuan Yao,Huiqun Yu

DOI: https://doi.org/10.1109/COMPSAC.2019.00059

2019-01-01

Abstract:Recommender systems are widely applied in practice. However the process of recommender involves the users' sensitive and privacy information inevitably. The privacy protection of recommender systems must be taken into account. In this paper, a recommender system model based on autoencoder and differential privacy is proposed. Two methods of applying differential privacy to autoencoder are designed: input perturbation and objective function perturbation.Both theoretical analysis and experimental results show that the proposed methods, as well as related algorithms, can provide reliable privacy preservation while maintaining high prediction accuracy.