Cong Wang,Yanru Xiao,Xing Gao,Li,Jun Wang

DOI: https://doi.org/10.1145/3343031.3350904

2019-01-01

Abstract:Pre-trained deep learning models can be deployed on mobile devices to conduct inference. However, they are usually not updated thereafter. In this paper, we take a step further to incorporate training deep neural networks on battery-powered mobile devices and overcome the difficulties from the lack of labeled data. We design and implement a new framework to enlarge sample space via data paring and learn a deep metric under the privacy, memory and computational constraints. A case study of deep behavioral authentication is conducted. Our experiments demonstrate accuracy over 95% on three public datasets, a sheer 15% gain from traditional multi-class classification with less data and robustness against brute-force attacks with 99% success. We demonstrate the training performance on various smartphone models, where training 100 epochs takes less than 10 mins and can be boosted 3-5 times with feature transfer. We also profile memory, energy and computational overhead. Our results indicate that training consumes lower energy than watching videos so can be scheduled intermittently on mobile devices.

Fei Dai,Guozhi Liu,Bi Huang,Xiaolong Xu,Chaochao Chen,Zhangbing Zhou,Xiaokang Zhou

DOI: https://doi.org/10.1109/ithings-greencom-cpscom-smartdata-cybermatics55523.2022.00070

2022-01-01

Abstract:Industrial Internet of Things (IIoT) systems can leverage deep learning (DL) models to provide intelligent applications. However, the training process of such DL models tends to leak privacy when the training data contain sensitive operational and management information. Most studies about privacy-preserving DL require a trusted data collector and thus are not suitable in an untrusted environment. In this paper, we propose a distributed privacy-preserving framework for DL with edge-cloud computing, where direct privacy leakage and indirect privacy leakage of training data are both considered. First, a pre-trained convolutional neural network (CNN) is partitioned into two parts for limiting direct privacy leakage of raw data, namely the feature module and the classification module. The feature module consisting of the lower layers of the CNN is deployed on an edge server, which is used to attract the feature of raw data. The feature data is fed to the classification module consisting of the higher layers of the CNN, which is deployed on the cloud server to compute image classification tasks. Second, a perturbation module between the feature module and the classification module is designed for limiting indirect privacy leakage during feature data transmission. The perturbation module uses local differential privacy (LDP) to produce noise in the feature data. Third, to further improve the accuracy, we retrain the classification module with the randomized feature data from edge servers. Experimental results show that the proposed framework achieves high accuracy under low privacy budgets.

Xueluan Gong,Yanjiao Chen,Qian Wang,Meng Wang,Shuyang Li

DOI: https://doi.org/10.1109/MCOM.004.2100867

IF: 9.03

2022-01-01

IEEE Communications Magazine

Abstract:Machine learning models are established with a variety of data collected from individual users who are concerned about their privacy. Various cloud service providers (e.g., Amazon, Google, Alibaba) commercialize their models by selling them or providing limited access via APIs. However, existing studies have shown that such cloud-based models are susceptible to training data inference attacks (i.e., membership inference attacks, attribute inference attacks, and model inversion attacks) since the trained models remember information about the training data. In this article, we perform an exhaustive investigation on the current training data inference attacks against cloud-based models. According to the attack scenario, we divide the existing inference attacks into two categories: centralized and collaborative learning scenarios. We first give a comprehensive review of attacks in each category and then give a qualitative comparison of the existing attacks. Further, we quantitatively compare the performance of different attack strategies by experiments. Last but not least, we pinpoint some open issues and potential future directions that need to be investigated in this area.

Qiao Zhang,Cong Wang,Hongyi Wu,Chunsheng Xin,Tran V. Phuong

DOI: https://doi.org/10.24963/ijcai.2018/547

2018-01-01

Abstract:Privacy is a fundamental challenge for a variety of smart applications that depend on data aggregation and collaborative learning across different entities. In this paper, we propose a novel privacy-preserved architecture where clients can collaboratively train a deep model while preserving the privacy of each client's data. Our main strategy is to carefully partition a deep neural network to two non-colluding parties. One party performs linear computations on encrypted data utilizing a less complex homomorphic cryptosystem, while the other executes non-polynomial computations in plaintext but in a privacy-preserved manner. We analyze security and compare the communication and computation complexity with the existing approaches. Our extensive experiments on different datasets demonstrate not only stable training without accuracy loss, but also 14 to 35 times speedup compared to the state-of-the-art system.

Shuang Zhang,Liyao Xiang,Congcong Li,Yixuan Wang,Zeyu Liu,Quanshi Zhang,Bo Li

2019-01-01

Abstract:Powered by machine learning services in the cloud, numerous learning-driven mobile applications are gaining popularity in the market. As deep learning tasks are mostly computation-intensive, it has become a trend to process raw data on devices and send the neural network features to the cloud, whereas the part of the neural network residing in the cloud completes the task to return final results. However, there is always the potential for unexpected leakage with the release of features, with which an adversary could infer a significant amount of information about the original data. To address this problem, we propose a privacy-preserving deep learning framework on top of the mobile cloud infrastructure: the trained deep neural network is tailored to prevent information leakage through features while maintaining highly accurate results. In essence, we learn the strategy to prevent leakage by modifying the trained deep neural network against a generic opponent, who infers unintended information from released features and auxiliary data, while preserving the accuracy of the model as much as possible.

Ji Wang,Jianguo Zhang,Weidong Bao,Xiaomin Zhu,Bokai Cao,Philip S. Yu

DOI: https://doi.org/10.1145/3219819.3220106

2018-01-01

Abstract:The increasing demand for on-device deep learning services calls for a highly efficient manner to deploy deep neural networks (DNNs) on mobile devices with limited capacity. The cloud-based solution is a promising approach to enabling deep learning applications on mobile devices where the large portions of a DNN are offloaded to the cloud. However, revealing data to the cloud leads to potential privacy risk. To benefit from the cloud data center without the privacy risk, we design, evaluate, and implement a cloud-based framework ARDEN which partitions the DNN across mobile devices and cloud data centers. A simple data transformation is performed on the mobile device, while the resource-hungry training and the complex inference rely on the cloud data center. To protect the sensitive information, a lightweight privacy-preserving mechanism consisting of arbitrary data nullification and random noise addition is introduced, which provides strong privacy guarantee. A rigorous privacy budget analysis is given. Nonetheless, the private perturbation to the original data inevitably has a negative impact on the performance of further inference on the cloud side. To mitigate this influence, we propose a noisy training method to enhance the cloud-side network robustness to perturbed data. Through the sophisticated design, ARDEN can not only preserve privacy but also improve the inference performance. To validate the proposed ARDEN, a series of experiments based on three image datasets and a real mobile application are conducted. The experimental results demonstrate the effectiveness of ARDEN. Finally, we implement ARDEN on a demo system to verify its practicality.

Xiaoyu Zhang,Chao Chen,Yi Xie,Xiaofeng Chen,Jun Zhang,Yang Xiang

DOI: https://doi.org/10.1016/j.csi.2022.103672

2023-01-01

Abstract:Deep Neural Network (DNN), one of the most powerful machine learning algorithms, is increasingly leveraged to overcome the bottleneck of effectively exploring and analyzing massive data to boost advanced scientific development. It is not a surprise that cloud computing providers offer the cloud-based DNN as an out-of-the-box service. Though there are some benefits from the cloud-based DNN, the interaction mechanism among two or multiple entities in the cloud inevitably induces new privacy risks. This survey presents the most recent findings of privacy attacks and defenses appeared in cloud-based neural network services. We systematically and thoroughly review privacy attacks and defenses in the pipeline of cloud-based DNN service, i.e., data manipulation, training, and prediction. In particular, a new theory, called cloud-based ML privacy game, is extracted from the recently published literature to provide a deep understanding of state-of-the-art research. Finally, the challenges and future work are presented to help researchers to continue to push forward the competitions between privacy attackers and defenders.

computer science, software engineering, hardware & architecture

Xiaoyu Zhang,Chao Chen,Yi Xie,Xiaofeng Chen,Jun Zhang,Yang Xiang

DOI: https://doi.org/10.48550/arXiv.2105.06300

2021-05-13

Abstract:Deep Neural Network (DNN), one of the most powerful machine learning algorithms, is increasingly leveraged to overcome the bottleneck of effectively exploring and analyzing massive data to boost advanced scientific development. It is not a surprise that cloud computing providers offer the cloud-based DNN as an out-of-the-box service. Though there are some benefits from the cloud-based DNN, the interaction mechanism among two or multiple entities in the cloud inevitably induces new privacy risks. This survey presents the most recent findings of privacy attacks and defenses appeared in cloud-based neural network services. We systematically and thoroughly review privacy attacks and defenses in the pipeline of cloud-based DNN service, i.e., data manipulation, training, and prediction. In particular, a new theory, called cloud-based ML privacy game, is extracted from the recently published literature to provide a deep understanding of state-of-the-art research. Finally, the challenges and future work are presented to help researchers to continue to push forward the competitions between privacy attackers and defenders.

Cryptography and Security,Artificial Intelligence

Ji Wang,Jianguo Zhang,Weidong Bao,Xiaomin Zhu,Bokai Cao,Philip S. Yu

DOI: https://doi.org/10.1145/3219819.3220106

2018-01-01

Abstract:The increasing demand for on-device deep learning services calls for a highly efficient manner to deploy deep neural networks (DNNs) on mobile devices with limited capacity. The cloud-based solution is a promising approach to enabling deep learning applications on mobile devices where the large portions of a DNN are offloaded to the cloud. However, revealing data to the cloud leads to potential privacy risk. To benefit from the cloud data center without the privacy risk, we design, evaluate, and implement a cloud-based framework ARDEN which partitions the DNN across mobile devices and cloud data centers. A simple data transformation is performed on the mobile device, while the resource-hungry training and the complex inference rely on the cloud data center. To protect the sensitive information, a lightweight privacy-preserving mechanism consisting of arbitrary data nullification and random noise addition is introduced, which provides strong privacy guarantee. A rigorous privacy budget analysis is given. Nonetheless, the private perturbation to the original data inevitably has a negative impact on the performance of further inference on the cloud side. To mitigate this influence, we propose a noisy training method to enhance the cloud-side network robustness to perturbed data. Through the sophisticated design, ARDEN can not only preserve privacy but also improve the inference performance. To validate the proposed ARDEN, a series of experiments based on three image datasets and a real mobile application are conducted. The experimental results demonstrate the effectiveness of ARDEN. Finally, we implement ARDEN on a demo system to verify its practicality.

Ben Niu,Likun Zhang,Yahong Chen,Ang Li,Wei Du,Jin Cao,Fenghua Li

DOI: https://doi.org/10.1109/GLOBECOM42002.2020.9322322

2020-01-01

Abstract:Suffered from the contradiction between the limited capacity of local devices and large size of DNN models, a practical solution is transferring the heavy computational tasks from the local to the server side such as cloud. However, the untrusted server naturally requires all the user data to train neural networks and infer results, which causes the asset loss of the local and raises serious privacy concerns on user's sensitive information. To solve this problem in scenarios of machine learning as a service, we propose a general framework to balance the user privacy, model accuracy and training efficiency, simultaneously. Specifically, our representative subset selection algorithm takes the training value of data into account, selecting the most representative subset from the training data, in order to mitigate the loss of data assets, lower down the transmission overhead from the local to the server and lessen the training burden on the server at the same time. We also design a noisy representation transformation algorithm applying on the features extracted by neural networks to further perturb the data within the selected representative subset. Extensive experiments demonstrate that our framework can run locally with little sacrifice on the computation resource. It can not only protect private data before uploading, but also promote the training efficiency of servers.

Chang Xia,Jingyu Hua,Wei Tong,Yayuan Xiong,Sheng Zhong

DOI: https://doi.org/10.1109/icme46284.2020.9102960

2020-07-01

Abstract:In recent years, more and more mobile applications adopt deep learning technologies, especially CNN-based image recognition. To protect service providers’ interests, the CNN models are usually deployed on the cloud, and the users are required to upload raw images, which cause serious privacy concerns since images may contain sensitive information unrelated to the desired recognition tasks. The previous solution off-loads the shallow portions of the CNN to the clients, and thus the uploaded data becomes the extracted lower-level features rather than the raw images. Nevertheless, although service providers are prevented from obtaining the original images, it is still probably for them to perform some sensitive recognition tasks other than the desired one on the lower-lever features (even after being perturbed to satisfy Differential Privacy). Different from such solution, in this paper, we propose an independent local CNN, which is dedicated for the image perturbation on the clients. It is co-trained with the cloud CNN to learn to intelligently allocate diverse noises among pixels depending on their significance to the desired recognition service. Extensive experiments demonstrate that our mechanism can well prevent curious service providers from performing undesired recognition tasks while maintaining the high accuracy of the desired one.

Yuan Zhang,Zixi Wang,Xiaodi Guan,Lijun He,Fan Li

DOI: https://doi.org/10.1016/j.displa.2024.102857

IF: 3.074

2024-01-01

Displays

Abstract:In the emerging Internet of Things (IoT) paradigm, mobile cloud inference serves as an efficient application framework that relieves the computation and storage burden on resource-constrained mobile devices offloading the workload to cloud servers. However, mobile cloud inference encounters computation, communication, and privacy challenges to ensure efficient system inference and protect the privacy of mobile users' collected information. To address the deployment of deep neural networks (DNN) with large capacity, we propose splitting computing (SC) where the entire model is divided into two parts, to be executed mobile and cloud ends respectively. However, the transmission of intermediate data poses a bottleneck system performance. This paper initially demonstrates the privacy issue arising from the machine analysis oriented intermediate feature. We conduct a preliminary experiment to intuitively reveal the latent potential for enhancing the privacy-preserving ability of the initial feature. Motivated by this, we propose a framework for privacy-preserving intermediate feature compression, which addresses the limitations in both compression and privacy that arise in the original extracted feature data. Specifically, we propose a method that jointly enhances privacy and encoding efficiency, achieved through the collaboration of the encoding feature privacy enhancement module and the privacy feature ordering enhancement module. Additionally, we develop gradient-reversal optimization strategy based on information theory to ensure the utmost concealment of core privacy information throughout the entire codec process. We evaluate the proposed method on two DNN models using two datasets, demonstrating its ability to achieve superior analysis accuracy and higher privacy preservation than HEVC. Furthermore, we provide an application case of a wireless sensor network to validate the effectiveness of the proposed method in a real-world scenario.

Shulan Wang,Qin Liu,Yang Xu,Hongbo Jiang,Jie Wu,Tian Wang,Tao Peng,Guojun Wang

DOI: https://doi.org/10.1109/tmc.2023.3323450

IF: 6.075

2024-01-01

IEEE Transactions on Mobile Computing

Abstract:With the wide spread of data-driven deep learning applications, a growing number of users outsource compute-intensive inference processes to the cloud. To protect inference privacy, Liu (INFOCOM 2022) proposed two steganography-based solutions, named GHOST and GHOST + , relying on the mobile-cloud collaborative framework, where the mobile device hides sensitive images into public cover images before feature extraction, while launching adversarial attacks on the cloud-side deep neural network (DNN) to obtain desired results. Although both solutions demonstrate significant advantages in private deep learning, they suffer from limited practicality; since the inference accuracy decreases sharply as the hiding ratio increases. To address this, we propose two improved solutions, IGHO and IGHO + , which ensure high inference accuracy even when abundant sensitive images need to be hidden. Specifically, IGHO as the improved version of GHOST proposes two feature fusion methods, feature synthesis and pixel synthesis, to preprocess cover images, making the poisoned DNN learn hidden sensitive features better, while IGHO + as the improved version of GHOST + designs a novel feature mining generative adversarial network (FMGAN) to craft adversarial perturbations highly robust against variable sensitive types. Experimental results show that the proposed solutions highly improve the practicality of GHOST and GHOST + .

Chugui Xu,Ju Ren,Liang She,Yaoxue Zhang,Zhan Qin,Kui Ren

DOI: https://doi.org/10.1109/jiot.2019.2897005

IF: 10.6

2019-01-01

IEEE Internet of Things Journal

Abstract:Deep neural networks have been widely applied in various machine learning applications for mobile data analytics in cloud. However, this approach introduces significant data challenges, because the cloud operator can perform deep inferences on the available data. Recent advances in edge computing have paved the way to more efficient and private data processing at the edge of the network for simple tasks and lightweight models, but challenges still remain in building efficient complex models (e.g., deep learning) for edge computing. To tackle these issues, we propose EdgeSanitizer, a deep inference framework-based edge computing with local differential privacy for mobile data analytics. EdgeSanitizer leverages deep learning model to conduct data minimization and obfuscates the learned features by adaptively injecting noise, thereby forming a new protection layer against sensitive inference. We evaluate its performance in terms of data privacy and utility through theoretical analysis and experimental evaluation. The theoretical analysis proves that EdgeSanitizer can provide provable privacy guarantees with a large improvement in utility. And the experimental results demonstrate the robustness of our approach against sensitive inference, as well as its applicability on resource-constrained edge devices.

Dixing Xu,Mengyao Zheng,Linshan Jiang,Chaojie Gu,Rui Tan,Peng Cheng

2019-01-01

Abstract:The growing momentum of instrumenting the Internet of Things (IoT) with advanced machine learning techniques such as deep neural networks (DNNs) faces two practical challenges of limited compute power of edge devices and the need of protecting the confidentiality of the DNNs. The remote inference scheme that executes the DNNs on the server-class or cloud backend can address the above two challenges. However, it brings the concern of leaking the privacy of the IoT devices' users to the curious backend since the user-generated/related data is to be transmitted to the backend. This work develops a lightweight and unobtrusive approach to obfuscate the data before being transmitted to the backend for remote inference. In this approach, the edge device only needs to execute a small-scale neural network, incurring light compute overhead. Moreover, the edge device does not need to inform the backend on whether the data is obfuscated, making the protection unobtrusive. We apply the approach to three case studies of free spoken digit recognition, handwritten digit recognition, and American sign language recognition. The evaluation results obtained from the case studies show that our approach prevents the backend from obtaining the raw forms of the inference data while maintaining the DNN's inference accuracy at the backend.

Kaixin Liu,Huixin Xiong,Bingyu Duan,Zexuan Cheng,Xinyu Zhou,Wanqian Zhang,Xiangyu Zhang

2024-08-09

Abstract:In the domain of cloud-based deep learning, the imperative for external computational resources coexists with acute privacy concerns, particularly identity leakage. To address this challenge, we introduce XNN and XNN-d, pioneering methodologies that infuse neural network features with randomized perturbations, striking a harmonious balance between utility and privacy. XNN, designed for the training phase, ingeniously blends random permutation with matrix multiplication techniques to obfuscate feature maps, effectively shielding private data from potential breaches without compromising training integrity. Concurrently, XNN-d, devised for the inference phase, employs adversarial training to integrate generative adversarial noise. This technique effectively counters black-box access attacks aimed at identity extraction, while a distilled face recognition network adeptly processes the perturbed features, ensuring accurate identification. Our evaluation demonstrates XNN's effectiveness, significantly outperforming existing methods in reducing identity leakage while maintaining a high model accuracy.

Cryptography and Security,Computer Vision and Pattern Recognition

Seyed Ali Osia,Ali Shahin Shamsabadi,Sina Sajadmanesh,Ali Taheri,Kleomenis Katevas,Hamid R. Rabiee,Nicholas D. Lane,Hamed Haddadi

DOI: https://doi.org/10.1109/jiot.2020.2967734

IF: 10.6

2020-05-01

IEEE Internet of Things Journal

Abstract:Internet-of-Things (IoT) devices and applications are being deployed in our homes and workplaces. These devices often rely on continuous data collection to feed machine learning models. However, this approach introduces several privacy and efficiency challenges, as the service operator can perform unwanted inferences on the available data. Recently, advances in edge processing have paved the way for more efficient, and private, data processing at the source for simple tasks and lighter models, though they remain a challenge for larger and more complicated models. In this article, we present a hybrid approach for breaking down large, complex deep neural networks for cooperative, and privacy-preserving analytics. To this end, instead of performing the whole operation on the cloud, we let an IoT device to run the initial layers of the neural network, and then send the output to the cloud to feed the remaining layers and produce the final result. In order to ensure that the user's device contains no extra information except what is necessary for the main task and preventing any secondary inference on the data, we introduce Siamese fine-tuning. We evaluate the privacy benefits of this approach based on the information exposed to the cloud service. We also assess the local inference cost of different layers on a modern handset. Our evaluations show that by using Siamese fine-tuning and at a small processing cost, we can greatly reduce the level of unnecessary, potentially sensitive information in the personal data, thus achieving the desired tradeoff between utility, privacy, and performance.

computer science, information systems,telecommunications,engineering, electrical & electronic

Weizhong Qiang,Renwan Liu,Hai Jin

DOI: https://doi.org/10.1016/j.future.2021.06.037

IF: 7.307

2021-01-01

Future Generation Computer Systems

Abstract:As the IoT has developed, edge computing has played an increasingly important role in the IoT ecosystem. The edge computing paradigm offers low latency and high computing performance, which is conducive to machine learning tasks such as object detection in autonomous driving. However, data privacy risks in edge computing still exist and the existing privacy-preserving methods are not satisfactory due to the large computational overhead and unbearable accuracy loss. We have designed a privacy-preserving machine learning framework for both user and cloud data. Users and the cloud provide data for inference and training respectively, and the privacy protection of these two aspects is both considered in this paper. Users provide test data and want to access the data-processing models in cloud for inference, and the cloud provides the training data used for training an eligible model. For user data, in order to maintain the overall performance of the machine learning framework while using homomorphic encryption, instead of providing encrypted data to all machine learning tasks, we divide the neural network into two parts, with one part kept on the trusted edge and provided with plaintext, and the other deployed on the untrusted cloud and provided with encrypted input. For cloud data, we apply the binary neural network, a network with the binarized value of weights. This method is practical for narrowing the confidence score gap (between the training and test sets) predicted by the model, which accounts most for a successful exploratory attack on training data. Experiments demonstrate that the results of the adversary's membership inference attack are close to random guessing, and the accuracy is only slightly affected. Compared with the unencrypted network on VGG19, when the network is split from conv4_1 to fc8, the efficiency of using HE is only 100 to 30 times slower. (C) 2021 Elsevier B.V. All rights reserved.

Hongyu Huang,Hongyuan Zhao,Chunqiang Hu,Chao Chen,Yantao Li

DOI: https://doi.org/10.1109/ijcnn52387.2021.9534066

2021-01-01

Abstract:In recent years, there have been increasing demands for using deep neural networks (DNNs) to provide image processing services for mobile devices. Considering the privacy of users' images, we utilize a two-tiers DNN which deploys the shallow and deep model on mobile devices and the cloud respectively. Then we propose a novel privacy protection mechanism which is deployed on the mobile device to satisfy the differential privacy. Meanwhile, based on the convolution kernel analysis, we also propose a novel method to improve the computation efficiency of mobile devices. The highlight of our mechanism is that it not only provides customized privacy protection which can resist the attack of Generative Adversarial Network (GAN), but also improves the accuracy of the neural network model. The experimental results on the ImageNet dataset show that we have improved the top-5 accuracy of image classification by 2%-3%. Under the premise of ensuring that the accuracy of the network is not degraded, our method reduces the CPU consumption on the VGG16 and ResNet50 networks to 74.6% and 48.9%, respectively, and can reduce 90% of the memory overhead. This improvement makes it possible to enable mobile deep neural network applications.

Meng Li,Liangzhen Lai,Naveen Suda,Vikas Chandra,David Z. Pan

DOI: https://doi.org/10.48550/arxiv.1709.06161

2017-01-01

Abstract:Massive data exist among user local platforms that usually cannot support deep neural network (DNN) training due to computation and storage resource constraints. Cloud-based training schemes provide beneficial services but suffer from potential privacy risks due to excessive user data collection. To enable cloud-based DNN training while protecting the data privacy simultaneously, we propose to leverage the intermediate representations of the data, which is achieved by splitting the DNNs and deploying them separately onto local platforms and the cloud. The local neural network (NN) is used to generate the feature representations. To avoid local training and protect data privacy, the local NN is derived from pre-trained NNs. The cloud NN is then trained based on the extracted intermediate representations for the target learning task. We validate the idea of DNN splitting by characterizing the dependency of privacy loss and classification accuracy on the local NN topology for a convolutional NN (CNN) based image classification task. Based on the characterization, we further propose PrivyNet to determine the local NN topology, which optimizes the accuracy of the target learning task under the constraints on privacy loss, local computation, and storage. The efficiency and effectiveness of PrivyNet are demonstrated with the CIFAR-10 dataset.