Licheng Lin,Zhouxiang Zhao,Zhaohui Yang,Zhaoyang Zhang

DOI: https://doi.org/10.1109/iccworkshops57953.2023.10283760

2023-01-01

Abstract:In this paper, a joint communication and learning resource allocation design is investigated for differential privacy (DP) based federated learning (FL) over multi-cell networks. In the considered model, each cell serves multiple users and each user transmits its local model plus Gaussian noise to the corresponding serving base station for protecting privacy. Each base station aggregates the received local model and forwards the obtained result to the server for final aggregation. To consider the privacy of the whole system, the problem is formulated as a total DP minimization through optimizing user association, transmit power, DP noise power with considering the convergence, user association, and power control constraints. To solve this problem, an iterative algorithm is proposed through optimizing user association subproblem, power control subproblem, and DP noise power subproblem. Simulation results show the effectiveness of the proposed scheme.

Wenjun Qian,Qingni Shen,Xiaoyi Chen,Cong Li,Yuejian Fang,Zhonghai Wu

DOI: https://doi.org/10.1093/comjnl/bxae081

2024-01-01

Abstract:Federated learning (FL) as a privacy-preserving technology enables multiple clients to collaboratively train models on decentralized data. However, transmitting model parameters between local clients and the central server can potentially result in information leakage. Differentially private federated learning (DPFL) has emerged as a promising solution to enhance privacy. Nevertheless, existing DPFL schemes suffer from two issues: (i) most schemes that aim to achieve desired model accuracy may incur a high privacy budget. (ii) several schemes that consider the trade-off between privacy and accuracy by utilizing linear clipping bound may distort numerous model parameters. In this paper, we first propose FDP-FL, a flexible differential privacy approach for FL. FDP-FL introduces a novel series sum privacy budget allocation instead of uniform allocation and enables adaptive and nonlinear noise scale decay. In this way, a tight bound for cumulative privacy loss can be achieved while optimizing model accuracy. Then in order to mitigate gradient leakages caused by honest-but-curious clients and server, we further design client-level FDP-FL and record-level FDP-FL, respectively. Experimental results demonstrate that our FDP-FL improves model accuracy by $\sim $13.3% compared with the basic DP-FL under a fixed privacy budget and outperforms existing trade-off schemes with the same hyperparameter setting.

A. Bellet,Aymeric Dieuleveut,Maxence Noble

2021-11-17

Abstract:Federated Learning (FL) is a paradigm for large-scale distributed learning which faces two key challenges: (i) efficient training from highly heterogeneous user data, and (ii) protecting the privacy of participating users. In this work, we propose a novel FL approach (DP-SCAFFOLD) to tackle these two challenges together by incorporating Differential Privacy (DP) constraints into the popular SCAFFOLD algorithm. We focus on the challenging setting where users communicate with a"honest-but-curious"server without any trusted intermediary, which requires to ensure privacy not only towards a third-party with access to the final model but also towards the server who observes all user communications. Using advanced results from DP theory, we establish the convergence of our algorithm for convex and non-convex objectives. Our analysis clearly highlights the privacy-utility trade-off under data heterogeneity, and demonstrates the superiority of DP-SCAFFOLD over the state-of-the-art algorithm DP-FedAvg when the number of local updates and the level of heterogeneity grow. Our numerical results confirm our analysis and show that DP-SCAFFOLD provides significant gains in practice.

Computer Science,Mathematics

Xicong Shen,Ying Liu,Zhaoyang Zhang

DOI: https://doi.org/10.1109/jiot.2022.3189361

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:Federated learning (FL), which enables multiple distributed devices (clients) to collaboratively train a global model without transmitting their private data, has attracted much attention in the Internet of Things (IoT) domain. Compared with centralized learning, FL has obvious privacy advantages because it can protect the clients’ raw data from direct access by adversaries. Furthermore, to prevent the adversaries from inferring private information from the transmitted parameters, several FL algorithms based on differential privacy (DP) have been proposed, where the clients add artificial noise to their local parameters for privacy protection. Nevertheless, the added noise would disrupt the learning process and degrade the performance of the trained model. Considering this, in this article, we develop a performance-enhanced DP-based FL (PEDPFL) algorithm, where a classifier-perturbation regularization method is proposed to improve the robustness of the trained model against DP-injected noise. We derive the theoretical privacy and convergence analysis of the proposed algorithm, and also demonstrate the influence of some hyperparameters on the convergence performance. Simulation results on real-world data sets show that the proposed algorithm has better classification performance than the existing DP-based FL algorithms at the same level of privacy protection, and thus, it is more applicable to IoT applications.

Alexander Bienstock,Ujjwal Kumar,Antigoni Polychroniadou

2024-10-22

Abstract:Federated Learning (FL) has gained lots of traction recently, both in industry and academia. In FL, a machine learning model is trained using data from various end-users arranged in committees across several rounds. Since such data can often be sensitive, a primary challenge in FL is providing privacy while still retaining utility of the model. Differential Privacy (DP) has become the main measure of privacy in the FL setting. DP comes in two flavors: central and local. In the former, a centralized server is trusted to receive the users' raw gradients from a training step, and then perturb their aggregation with some noise before releasing the next version of the model. In the latter (more private) setting, noise is applied on users' local devices, and only the aggregation of users' noisy gradients is revealed even to the server. Great strides have been made in increasing the privacy-utility trade-off in the central DP setting, by utilizing the so-called matrix mechanism. However, progress has been mostly stalled in the local DP setting. In this work, we introduce the distributed matrix mechanism to achieve the best-of-both-worlds; local DP and also better privacy-utility trade-off from the matrix mechanism. We accomplish this by proposing a cryptographic protocol that securely transfers sensitive values across rounds, which makes use of packed secret sharing. This protocol accommodates the dynamic participation of users per training round required by FL, including those that may drop out from the computation. We provide experiments which show that our mechanism indeed significantly improves the privacy-utility trade-off of FL models compared to previous local DP mechanisms, with little added overhead.

Cryptography and Security,Machine Learning

Kang Wei,Jun Li,Ming Ding,Chuan Ma,Hang Su,Bo Zhang,H. Vincent Poor

2020-01-01

Abstract:As a means of decentralized machine learning, federated learning (FL) has recently drawn considerable attentions. One of the prominent advantages of FL is its capability of preventing clients' data from being directly exposed to external adversaries. Nevertheless, via a viewpoint of information theory, it is still possible for an attacker to steal private information from eavesdropping upon the shared models uploaded by FL clients. In order to address this problem, we develop a novel privacy preserving FL framework based on the concept of differential privacy (DP). To be specific, we first borrow the concept of local DP and introduce a client-level DP (CDP) by adding artificial noises to the shared models before uploading them to servers. Then, we prove that our proposed CDP algorithm can satisfy the DP guarantee with adjustable privacy protection levels by varying the variances of the artificial noises. More importantly, we derive a theoretical convergence upper-bound of the CDP algorithm. Our derived upper-bound reveals that there exists an optimal number of communication rounds to achieve the best convergence performance in terms of loss function values for a given privacy protection level. Furthermore, to obtain this optimal number of communication rounds, which cannot be derived in a closed-form expression, we propose a communication rounds discounting (CRD) method. Compared with the heuristic searching method, our proposed CRD can achieve a much better trade-off between the computational complexity of searching for the optimal number and the convergence performance. Extensive experiments indicate that our CDP algorithm with an optimization on the number of communication rounds using the proposed CRD can effectively improve both the FL training efficiency and FL model quality for a given privacy protection level.

Rui Xue,Kaiping Xue,Bin Zhu,Xinyi Luo,Tianwei Zhang,Qibin Sun,Jun Lu

DOI: https://doi.org/10.1109/tifs.2023.3318944

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Federated Learning (FL) enables multiple distributed clients to collaboratively train a model with owned datasets. To avoid the potential privacy threat in FL, researchers propose the DP-FL strategy, which utilizes differential privacy (DP) to add elaborate noise to the exchanged parameters to hide privacy information. DP-FL guarantees the privacy of FL at the cost of model performance degradation. To balance the trade-off between model accuracy and security, we propose a differentially private federated learning scheme with an adaptive noise mechanism. This is challenging, as the distributed nature of FL makes it difficult to appropriately estimate sensitivity, where sensitivity is a concept in DP that determines the scale of noise. To resolve this, we design a generic method for sensitivity estimates based on local and global historical information. We also provide instances on four commonly used optimizers to verify its effectiveness. The experiments on MNIST, FMNIST and CIFAR-10 convincingly prove that our proposed scheme achieves higher accuracy while keeping high-level privacy protection compared to prior works.

Junpeng Zhang,Hui Zhu,Fengwei Wang,Yandong Zheng,Zhe Liu,Hui Li

DOI: https://doi.org/10.1016/j.ins.2024.121035

IF: 8.1

2024-01-01

Information Sciences

Abstract:Federated learning (FL), as a distributed machine learning paradigm, essentially promises that multiple parties can jointly train the model collaboratively without sharing local data. Recent research demonstrates that the adversary can deduce the sensitive data through shared model updates. To protect the data privacy of the participants, differential privacy (DP) is deployed in various FL scenarios due to the lightweight computational overhead. However, the trade-off between the availability and privacy of local models is the fundamental problem that needs to be solved in DP applications. In this paper, we propose a fine-grained and privacy-aware FL framework (iDP-FL) to enable training data and model parameters to satisfy confidentiality while markedly improving the model's prediction accuracy. Specifically, we first design an individualized perturbation noise (IPN) algorithm that adds different artificial noises dependent on the importance of each participant's model weight. Then, we propose a perturbation mechanism on the aggregator side, a DP protection method under the premise of loss function convergence, which prevents the global model parameters from being stolen by malicious adversaries. Moreover, to achieve lightweight protection throughout the learning, we present an advanced bilateral perturbation (ABP) protocol to perform iterative training. Theoretical analysis indicates that iDP-FL provides the DP guarantee, which yields superior prediction accuracy and excellent privacy-preserving with the same privacy level. Finally, extensive experiments conducted on real-world datasets demonstrate that our approach shows significant advantages with limited privacy budgets, especially at small privacy losses.

Chun Liu,Youliang Tian,Jinchuan Tang,Shuping Dang,Gaojie Chen

DOI: https://doi.org/10.1016/j.eswa.2023.120266

IF: 8.5

2023-05-03

Expert Systems with Applications

Abstract:Local differential privacy federated learning (LDP-FL) is a framework to achieve high local data privacy protection while training the model in a decentralized environment. Currently, LDP-FL's trainings are suffering from efficiency problems due to many existing researches combine LDP and FL without looking deep into the relationships between the two most important parameters, i.e., privacy budget for privacy protection and gradients for model training. In this work, we propose a novel LDP-FL under multi-privacy regimes to combat the above problems. Firstly, unlike the existing multiple privacy regimes-based LDP-FL to compute the non-unbiased global gradient, we propose an unbiased mean estimator using maximum likelihood estimation (MLE) to obtain small variance global gradients with a higher training accuracy. Secondly, to improve the efficiency of model training for multi-privacy scenarios, we design two different dynamic privacy budget allocation approaches for users to choose from. The first approach allocates the privacy budget based on the training model's accuracy, and the second approach's privacy budget grows linearly, avoiding the computational effort caused by the comparison operation. Finally, since directly perturbing the high-dimensional local gradients in traditional methods would lead to considerable utility loss, we propose a layered dimension selection strategy by randomly selecting the layers of gradients that take part in the noise perturbation while others remain untouched. In simulations using the handwritten MNIST and Fashion-MNIST datasets, we compare our framework with the traditional LDP-FL, simple personalized mean estimation (S-PME), and PLU-FedOA. The results demonstrate the training efficiency of our framework.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Mahtab Talaei,Iman Izadi

2024-06-27

Abstract:Federated learning (FL), a novel branch of distributed machine learning (ML), develops global models through a private procedure without direct access to local datasets. However, it is still possible to access the model updates (gradient updates of deep neural networks) transferred between clients and servers, potentially revealing sensitive local information to adversaries using model inversion attacks. Differential privacy (DP) offers a promising approach to addressing this issue by adding noise to the parameters. On the other hand, heterogeneities in data structure, storage, communication, and computational capabilities of devices can cause convergence problems and delays in developing the global model. A personalized weighted averaging of local parameters based on the resources of each device can yield a better aggregated model in each round. In this paper, to efficiently preserve privacy, we propose a personalized DP framework that injects noise based on clients' relative impact factors and aggregates parameters while considering heterogeneities and adjusting properties. To fulfill the DP requirements, we first analyze the convergence boundary of the FL algorithm when impact factors are personalized and fixed throughout the learning process. We then further study the convergence property considering time-varying (adaptive) impact factors.

Machine Learning,Cryptography and Security,Distributed, Parallel, and Cluster Computing

Adrien Banse,Jan Kreischer,Xavier Oliva i Jürgens

2024-02-04

Abstract:Federated learning (FL), as a type of distributed machine learning, is capable of significantly preserving client's private data from being shared among different parties. Nevertheless, private information can still be divulged by analyzing uploaded parameter weights from clients. In this report, we showcase our empirical benchmark of the effect of the number of clients and the addition of differential privacy (DP) mechanisms on the performance of the model on different types of data. Our results show that non-i.i.d and small datasets have the highest decrease in performance in a distributed and differentially private setting.

Machine Learning,Artificial Intelligence,Distributed, Parallel, and Cluster Computing

Linghui Zhu,Xinyi Liu,Yiming Li,Xue Yang,Shu-Tao Xia,Rongxing Lu

DOI: https://doi.org/10.1109/jiot.2021.3131258

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:Federated learning (FL) enables data owners to train a global model with shared gradients while keeping private training data locally. However, recent research demonstrated that the adversary may infer private training data of clients from the exchanged local gradients, e.g., having deep leakage from gradients (DLGs). Many existing privacy-preserving approaches take usage of differential privacy (DP) to guarantee privacy. Nevertheless, the widely used privacy budget of DP (e.g., evenly distribution) leads to a sharp decline of model accuracy. To improve the model accuracy, some schemes only consider allocating the privacy budget to the fully connected layers. However, we reveal that the adversary may still reconstruct the private training data by adopting the DLG attack with the gradients of convolutional layers. In this article, we propose a fine-grained DP federated learning (DPFL) scheme, which guarantees privacy and remains high model performance simultaneously. Specifically, inspired by the methods that measure the importance of layers in deep learning, we propose a fine-grained method to allocate noise according to the importance value of layers in order to remain high model performance. Besides, we combine an active client selection strategy with DPFL and perform fine-tuning with a public data set on the server to further ensure the model performance. We evaluate DPFL under both independent and identically distributed (i.i.d) and non-i.i.d data settings to show that our method can achieve similar accuracy as the plain FL (e.g., FedAvg). We also demonstrate that our DPFL can resist the DLG attack to verify its privacy guarantee.

Yufeng Wang,Jianhua Ma,Xu Zhang,Qun Jin

DOI: https://doi.org/10.1002/cpe.7429

2022-11-01

Abstract:As a distributed learning framework, Federated Learning (FL) allows different local learners/participants to collaboratively train a joint model without exposing their own localdata,andoffersafeasiblesolutiontolegallyresolvedataislands.However,among them, the data privacy and model security are two challenges. The former means that, if original data are used for trained FL models, various methods can be used to deduce the original data samples, thereby causing the leakage of data. The latter implies that unreliable/malicious participants may affect or destroy the joint FL model, through uploading wrong local model parameters. Therefore, this paper proposes a novel distributed FL training framework, namely LDP-Fed + , which takes into account differential privacy protection and model security defense. Specifically, firstly, a local perturbationmoduleisaddedatthelocallearnerside,whichperturbstheoriginaldata of local learners through feature extraction, binary encoding and decoding, and random response. Then, through using the perturbed data, local neural network model is trained to obtain the network parameters that meet local differential protection, to effectively deal with model inversion attacks. Secondly, a security defense module is added on the server side, which uses the auxiliary model and differential index mechanismtoselectanappropriatenumberoflocaldisturbanceparametersforaggre-gationtoenhancemodelsecuritydefenseanddealwithmembershipinferenceattacks. The experimental results show that, compared with other federated learning models based on differential privacy, LDP-Fed + has stronger robustness for model security and higher accuracy for model training while ensuring strict privacy protection.

Computer Science

Lu Shi,Jiangang Shu,Weizhe Zhang,Yang Liu

DOI: https://doi.org/10.1109/globecom46510.2021.9685644

2021-01-01

Abstract:Federated learning (FL) is a framework of distributed machine learning, which aims to protect data privacy by transferring parameters instead of private data from local clients. Compared with the typical cloud-client architecture, applying FL on a cloud-edge-client hierarchical architecture could train the model faster and achieve better communication-computation trade-offs. However, hierarchical federated learning (HFL) still suffers from privacy leakage by analyzing uploaded parameters from clients or edge servers. To address this problem, we propose a privacy-preserving scheme based on the theory of local differential privacy (LDP), where adding the noise to the shared model parameters before uploading them to edge and cloud servers. According to our analysis by the moment accounting, the proposed algorithm can realize the strict differential privacy guarantee for the layers of clients and edge servers with adjustable privacy protection levels. We evaluate its performance based on the image classification tasks, and the result demonstrates that our theoretical analyses are consistent with simulations.

Junxu Liu,Jian Lou,Li Xiong,Xiaofeng Meng

DOI: https://doi.org/10.1145/3583780.3615247

2023-01-01

Abstract:The meteoric rise of cross-silo Federated Learning (FL) is due to its ability to mitigate data breaches during collaborative training. To further provide rigorous privacy protection with consideration of the varying privacy requirements across different clients, a privacy-enhanced line of work on personalized differentially private federated learning (PDP-FL) has been proposed. However, the existing solution for PDP-FL [20] assumes the raw privacy budgets of all clients should be collected by the server. These values are then directly utilized to improve the model utility via facilitating the privacy preferences partitioning (i.e., partitioning all clients into multiple privacy groups). It is however non-realistic because the raw privacy budgets can be quite informative and sensitive. In this work, our goal is to achieve PDP-FL without exposing clients' raw privacy budgets by indirectly partitioning the privacy preferences solely based on clients' noisy model updates. The crux lies in the fact that the noisy updates could be influenced by two entangled factors of DP noises and non-IID clients' data, leaving it unknown whether it is possible to uncover privacy preferences by disentangling the two affecting factors. To overcome the hurdle, we systematically investigate the unexplored question of under what conditions can the model updates of clients be primarily influenced by noise levels rather than data distribution. Then, we propose a simple yet effective strategy based on clustering the L2 norm of the noisy updates, which can be integrated into the vanilla PDP-FL to maintain the same performance. Experimental results demonstrate the effectiveness and feasibility of our privacy-budget-agnostic PDP-FL method.

Lin Chen,Xiaofeng Ding,Zhifeng Bao,Pan Zhou,Hai Jin

DOI: https://doi.org/10.1109/tkde.2024.3379001

IF: 9.235

2024-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Federated learning (FL) has attracted increasing attention in recent years due to its data privacy preservation and great applicability to large-scale user scenarios. However, when FL faces numerous clients, it is inevitable to emerge the non-independent and identically distributed (non-iid) data between clients, which brings an enormous challenge for model training and performance analysis like convergence. Besides, due to the non-iid data, the participating clients of FL tend to be extremely heterogeneous so the number of samplings among clients causes a sampling variance problem, which induces a huge variation in convergence. More importantly, although FL can foster privacy security via locally retaining the training data, if local data is secret and sensitive, FL should have more powerful privacy protection to resist the cloud server or third party to infer private information from shared models or intermediate gradients. Facing the non-iid and privacy challenges, we propose a differential privacy (DP) based non-iid FL algorithm called DPNFL to jointly tackle these two issues. Specifically, motivated by the DP and its variants, we are the first to adopt the truncated concentrated differential privacy technique under the FL scenario to more tightly track end-to-end privacy loss, while requiring less noise injection for the same level of DP. To avoid the sampling variance problem, we enable the server to sample the partial clients uniformly without replacement, which also guarantees unbiased sampling. To further improve the algorithm performance, we also propose an adaptive version of DPNFL named AdDPNFL, which adopts the adaptive optimization on the server-side to simultaneously alleviate the impact of non-iid data and DP noise on model utility. Finally, we perform extensive experiments to validate the effectiveness and superiority of our algorithms.

Shuya Feng,Meisam Mohammady,Hanbin Hong,Shenao Yan,Ashish Kundu,Binghui Wang,Yuan Hong

2024-07-24

Abstract:Differentially private federated learning (DP-FL) is a promising technique for collaborative model training while ensuring provable privacy for clients. However, optimizing the tradeoff between privacy and accuracy remains a critical challenge. To our best knowledge, we propose the first DP-FL framework (namely UDP-FL), which universally harmonizes any randomization mechanism (e.g., an optimal one) with the Gaussian Moments Accountant (viz. DP-SGD) to significantly boost accuracy and convergence. Specifically, UDP-FL demonstrates enhanced model performance by mitigating the reliance on Gaussian noise. The key mediator variable in this transformation is the Rényi Differential Privacy notion, which is carefully used to harmonize privacy budgets. We also propose an innovative method to theoretically analyze the convergence for DP-FL (including our UDP-FL ) based on mode connectivity analysis. Moreover, we evaluate our UDP-FL through extensive experiments benchmarked against state-of-the-art (SOTA) methods, demonstrating superior performance on both privacy guarantees and model performance. Notably, UDP-FL exhibits substantial resilience against different inference attacks, indicating a significant advance in safeguarding sensitive data in federated learning environments.

Machine Learning,Cryptography and Security

Fardin Jalil Piran,Zhiling Chen,Mohsen Imani,Farhad Imani

2024-11-25

Abstract:Federated Learning (FL) is essential for efficient data exchange in Internet of Things (IoT) environments, as it trains Machine Learning (ML) models locally and shares only model updates. However, FL is vulnerable to privacy threats like model inversion and membership inference attacks, which can expose sensitive training data. To address these privacy concerns, Differential Privacy (DP) mechanisms are often applied. Yet, adding DP noise to black-box ML models degrades performance, especially in dynamic IoT systems where continuous, lifelong FL learning accumulates excessive noise over time. To mitigate this issue, we introduce Federated HyperDimensional computing with Privacy-preserving (FedHDPrivacy), an eXplainable Artificial Intelligence (XAI) framework that combines the neuro-symbolic paradigm with DP. FedHDPrivacy carefully manages the balance between privacy and performance by theoretically tracking cumulative noise from previous rounds and adding only the necessary incremental noise to meet privacy requirements. In a real-world case study involving in-process monitoring of manufacturing machining operations, FedHDPrivacy demonstrates robust performance, outperforming standard FL frameworks-including Federated Averaging (FedAvg), Federated Stochastic Gradient Descent (FedSGD), Federated Proximal (FedProx), Federated Normalized Averaging (FedNova), and Federated Adam (FedAdam)-by up to 38%. FedHDPrivacy also shows potential for future enhancements, such as multimodal data fusion.

Machine Learning,Artificial Intelligence,Cryptography and Security

Shuaishuai Zhang,Jie Huang,Peihao Li,Chuang Liang

DOI: https://doi.org/10.1016/j.ins.2024.120960

IF: 8.1

2024-01-01

Information Sciences

Abstract:Differential Privacy (DP) is applied in Federated Learning (FL) for defending against various privacy attacks. Existing methods based on Gaussian mechanism require the operations of clipping and adding noise, leading to significant accuracy degradation. In this paper, we propose a novel FL scheme named DPFL-LMG to provide user-level DP guarantee while maintaining a high model accuracy. Our main idea is to mitigate the negative effects of the clipping on the model convergence by decreasing the L2 norm of local updates and the cross-client update variance. Specifically, our method includes two techniques, Local Momentum Updates (LMU) and Gradients Filtering (GF). LMU combines local updates of different rounds in a momentum way. It can significantly decrease the cross-client update variance by weakening the gradient noise in local updates caused by stochastic gradient descent (SGD) algorithm. GF estimates the gradient noise in each element of local updates by observing the element-wise variance. Elements with large noise are considered unnecessary and are zeroed out for the reduction of local update norms. We theoretically analyze the privacy guarantee and the convergence of our method. Experiments demonstrate that DPFL-LMG can effectively mitigate the accuracy degradation caused by clipping and outperform previous DPFL methods in the accuracy.

Li Zhang,Jianbo Xu,Audithan Sivaraman,Jegatha Deborah Lazarus,Pradip Kumar Sharma,Vijayakumar Pandi

DOI: https://doi.org/10.1109/JBHI.2023.3306425

Abstract:The issue of data privacy protection must be considered in distributed federated learning (FL) so as to ensure that sensitive information is not leaked. In this article, we propose a two-stage differential privacy (DP) framework for FL based on edge intelligence. Various levels of privacy preservation can be provided according to the degree of data sensitivity. In the first stage, the randomized response mechanism is used to perturb the original feature data by the user terminal for data desensitization, and the user can self-regulate the level of privacy preservation. In the second stage, noise is added to the local models by the edge server to further guarantee the privacy of the models. Finally, the model updates are aggregated in the cloud. In order to evaluate the performance of the proposed end-edge-cloud FL framework in terms of training accuracy and convergence, extensive experiments are conducted on a real electrocardiogram (ECG) signal dataset. Bi-directional long-short-term memory (BiLSTM) neural network is adopted to training classification model. The effect of different combinations of feature perturbation and noise addition on the model accuracy is analyzed depending on different privacy budgets and parameters. The experimental results demonstrate that the proposed privacy-preserving framework provides good accuracy and convergence while ensuring privacy.