Cong Wang,Yanru Xiao,Xing Gao,Li,Jun Wang

DOI: https://doi.org/10.1145/3343031.3350904

2019-01-01

Abstract:Pre-trained deep learning models can be deployed on mobile devices to conduct inference. However, they are usually not updated thereafter. In this paper, we take a step further to incorporate training deep neural networks on battery-powered mobile devices and overcome the difficulties from the lack of labeled data. We design and implement a new framework to enlarge sample space via data paring and learn a deep metric under the privacy, memory and computational constraints. A case study of deep behavioral authentication is conducted. Our experiments demonstrate accuracy over 95% on three public datasets, a sheer 15% gain from traditional multi-class classification with less data and robustness against brute-force attacks with 99% success. We demonstrate the training performance on various smartphone models, where training 100 epochs takes less than 10 mins and can be boosted 3-5 times with feature transfer. We also profile memory, energy and computational overhead. Our results indicate that training consumes lower energy than watching videos so can be scheduled intermittently on mobile devices.

Wang Cong,Xiao Yanru,Gao Xing,Li Li,Wang Jun

2020-01-01

Abstract: The fast-growing smart applications on mobile devices leverage pre-trained deep learning models for inference. However, the models are usually not updated thereafter. This leaves a big gap to adapt the new data distributions. In this paper, we take a step further to incorporate training deep neural networks on battery-powered mobile devices. We identify several challenges from performance and privacy that hinder effective learning in a dynamic mobile environment. We re-formulate the problem as metric learning to tackle overfitting and enlarge sample space via data paring under the memory constraints. We also make the scheme robust against side-channel attacks and run-time fluctuations. A case study based on deep behavioral authentication is conducted. The experiments demonstrate accuracy over 95% on three public datasets, a sheer 15% gain from multi-class classification with less data and robustness against brute-force and side-channel attacks with 99% and 90% success, respectively. We show the feasibility of training with mobile CPUs, where training 100 epochs takes less than 10 mins and can be boosted 3-5 times with feature transfer. Finally, we profile memory, energy and computational overhead. Our results indicate that training consumes lower energy than watching videos and slightly higher energy than playing games.

Fei Dai,Guozhi Liu,Bi Huang,Xiaolong Xu,Chaochao Chen,Zhangbing Zhou,Xiaokang Zhou

DOI: https://doi.org/10.1109/ithings-greencom-cpscom-smartdata-cybermatics55523.2022.00070

2022-01-01

Abstract:Industrial Internet of Things (IIoT) systems can leverage deep learning (DL) models to provide intelligent applications. However, the training process of such DL models tends to leak privacy when the training data contain sensitive operational and management information. Most studies about privacy-preserving DL require a trusted data collector and thus are not suitable in an untrusted environment. In this paper, we propose a distributed privacy-preserving framework for DL with edge-cloud computing, where direct privacy leakage and indirect privacy leakage of training data are both considered. First, a pre-trained convolutional neural network (CNN) is partitioned into two parts for limiting direct privacy leakage of raw data, namely the feature module and the classification module. The feature module consisting of the lower layers of the CNN is deployed on an edge server, which is used to attract the feature of raw data. The feature data is fed to the classification module consisting of the higher layers of the CNN, which is deployed on the cloud server to compute image classification tasks. Second, a perturbation module between the feature module and the classification module is designed for limiting indirect privacy leakage during feature data transmission. The perturbation module uses local differential privacy (LDP) to produce noise in the feature data. Third, to further improve the accuracy, we retrain the classification module with the randomized feature data from edge servers. Experimental results show that the proposed framework achieves high accuracy under low privacy budgets.

Ji Wang, Jianguo Zhang, Weidong Bao, Xiaomin Zhu, Bokai Cao, Philip S Yu

2018-07-19

Abstract:The increasing demand for on-device deep learning services calls for a highly efficient manner to deploy deep neural networks (DNNs) on mobile devices with limited capacity. The cloud-based solution is a promising approach to enabling deep learning applications on mobile devices where the large portions of a DNN are offloaded to the cloud. However, revealing data to the cloud leads to potential privacy risk. To benefit from the cloud data center without the privacy risk, we design, evaluate, and implement a cloud-based framework ARDEN which partitions the DNN across mobile devices and cloud data centers. A simple data transformation is performed on the mobile device, while the resource-hungry training and the complex inference rely on the cloud data center. To protect the sensitive information, a lightweight privacy-preserving mechanism consisting of arbitrary data nullification and random noise addition …

Ji Wang,Jianguo Zhang,Weidong Bao,Xiaomin Zhu,Bokai Cao,Philip S. Yu

DOI: https://doi.org/10.1145/3219819.3220106

2018-01-01

Abstract:The increasing demand for on-device deep learning services calls for a highly efficient manner to deploy deep neural networks (DNNs) on mobile devices with limited capacity. The cloud-based solution is a promising approach to enabling deep learning applications on mobile devices where the large portions of a DNN are offloaded to the cloud. However, revealing data to the cloud leads to potential privacy risk. To benefit from the cloud data center without the privacy risk, we design, evaluate, and implement a cloud-based framework ARDEN which partitions the DNN across mobile devices and cloud data centers. A simple data transformation is performed on the mobile device, while the resource-hungry training and the complex inference rely on the cloud data center. To protect the sensitive information, a lightweight privacy-preserving mechanism consisting of arbitrary data nullification and random noise addition is introduced, which provides strong privacy guarantee. A rigorous privacy budget analysis is given. Nonetheless, the private perturbation to the original data inevitably has a negative impact on the performance of further inference on the cloud side. To mitigate this influence, we propose a noisy training method to enhance the cloud-side network robustness to perturbed data. Through the sophisticated design, ARDEN can not only preserve privacy but also improve the inference performance. To validate the proposed ARDEN, a series of experiments based on three image datasets and a real mobile application are conducted. The experimental results demonstrate the effectiveness of ARDEN. Finally, we implement ARDEN on a demo system to verify its practicality.

Chang Xia,Jingyu Hua,Wei Tong,Yayuan Xiong,Sheng Zhong

DOI: https://doi.org/10.1109/icme46284.2020.9102960

2020-07-01

Abstract:In recent years, more and more mobile applications adopt deep learning technologies, especially CNN-based image recognition. To protect service providers’ interests, the CNN models are usually deployed on the cloud, and the users are required to upload raw images, which cause serious privacy concerns since images may contain sensitive information unrelated to the desired recognition tasks. The previous solution off-loads the shallow portions of the CNN to the clients, and thus the uploaded data becomes the extracted lower-level features rather than the raw images. Nevertheless, although service providers are prevented from obtaining the original images, it is still probably for them to perform some sensitive recognition tasks other than the desired one on the lower-lever features (even after being perturbed to satisfy Differential Privacy). Different from such solution, in this paper, we propose an independent local CNN, which is dedicated for the image perturbation on the clients. It is co-trained with the cloud CNN to learn to intelligently allocate diverse noises among pixels depending on their significance to the desired recognition service. Extensive experiments demonstrate that our mechanism can well prevent curious service providers from performing undesired recognition tasks while maintaining the high accuracy of the desired one.

Sicong Liu,Yingyan Lin,Zimu Zhou,Kaiming Nan,Hui Liu,Junzhao Du

DOI: https://doi.org/10.1145/3210240.3210337

2018-01-01

Abstract:Recent research has demonstrated the potential of deploying deep neural networks (DNNs) on resource-constrained mobile platforms by trimming down the network complexity using different compression techniques. The current practice only investigate stand-alone compression schemes even though each compression technique may be well suited only for certain types of DNN layers. Also, these compression techniques are optimized merely for the inference accuracy of DNNs, without explicitly considering other application-driven system performance (e.g. latency and energy cost) and the varying resource availabilities across platforms (e.g. storage and processing capability). In this paper, we explore the desirable tradeoff between performance and resource constraints by user-specified needs, from a holistic system-level viewpoint. Specifically, we develop a usage-driven selection framework, referred to as AdaDeep, to automatically select a combination of compression techniques for a given DNN, that will lead to an optimal balance between user-specified performance goals and resource constraints. With an extensive evaluation on five public datasets and across twelve mobile devices, experimental results show that AdaDeep enables up to 9.8x latency reduction, 4.3x energy efficiency improvement, and 38x storage reduction in DNNs while incurring negligible accuracy loss. AdaDeep also uncovers multiple effective combinations of compression techniques unexplored in existing literature.

Liyao Xiang,Shuang Zhang,Quanshi Zhang

DOI: https://doi.org/10.1109/tmc.2023.3340338

IF: 6.075

2024-01-01

IEEE Transactions on Mobile Computing

Abstract:Powered by machine learning services in the cloud, numerous learning-driven mobile applications are gaining popularity in the market. As deep learning tasks are mostly computation-intensive, it has become a trend to process raw data on devices and send the deep neural network (DNN) features to the cloud, where the features are further processed to return final results. However, there is always an unexpected leakage with the release of features, by which an adversary could infer much information on the original data. We propose a privacy-preserving framework on top of the mobile cloud infrastructure from the perspective of DNN structures. Our framework aims to learn a policy to modify the base DNNs to prevent information leakage while maintaining high inference accuracy. The policy can also be readily transferred to large-size DNNs and large-scale datasets to speed up learning. Extensive evaluations on a variety of DNNs have shown that our framework successfully finds privacy-preserving DNN structures to defend privacy attacks.

Warit Sirichotedumrong,Takahiro Maekawa,Yuma Kinoshita,Hitoshi Kiya

DOI: https://doi.org/10.1109/icip.2019.8804201

2019-09-01

Abstract:We present a novel privacy-preserving scheme for deep neural networks (DNNs) that enables us not to only apply images without visual information to DNNs for both training and testing but to also consider data augmentation in the encrypted domain for the first time. In this paper, a novel pixel-based image encryption method is first proposed for privacy-preserving DNNs. In addition, a novel adaptation network is considered that reduces the influence of image encryption. In an experiment, the proposed method is applied to a well-known network, ResNet-18, for image classification. The experimental results demonstrate that conventional privacy-preserving machine learning methods including the state-of-the-arts cannot be applied to data augmentation in the encrypted domain and that the proposed method outperforms them in terms of classification accuracy.

Yunlong Mao,Shanhe Yi,Qun Li,Jinghao Feng,Fengyuan Xu,Sheng Zhong

2018-01-01

Abstract:Deep convolutional neural networks (DNNs) have brought significant performance improvements to face recognition. However the training can hardly be carried out on mobile devices because the training of these models requires much computational power. An individual user with the demand of deriving DNN models from her own datasets usually has to outsource the training procedure onto a cloud or edge server. However this outsourcing method violates privacy because it exposes the users' data to curious service providers. In this paper, we utilize the differentially private mechanism to enable the privacy-preserving edge based training of DNN face recognition models. During the training, DNN is split between the user device and the edge server in a way that both private data and model parameters are protected, with only a small cost of local computations. We show that our mechanism is capable of training models in different scenarios, eg, from scratch, or through fine-tuning over existed models.

Meng Li,Liangzhen Lai,Naveen Suda,Vikas Chandra,David Z. Pan

DOI: https://doi.org/10.48550/arxiv.1709.06161

2017-01-01

Abstract:Massive data exist among user local platforms that usually cannot support deep neural network (DNN) training due to computation and storage resource constraints. Cloud-based training schemes provide beneficial services but suffer from potential privacy risks due to excessive user data collection. To enable cloud-based DNN training while protecting the data privacy simultaneously, we propose to leverage the intermediate representations of the data, which is achieved by splitting the DNNs and deploying them separately onto local platforms and the cloud. The local neural network (NN) is used to generate the feature representations. To avoid local training and protect data privacy, the local NN is derived from pre-trained NNs. The cloud NN is then trained based on the extracted intermediate representations for the target learning task. We validate the idea of DNN splitting by characterizing the dependency of privacy loss and classification accuracy on the local NN topology for a convolutional NN (CNN) based image classification task. Based on the characterization, we further propose PrivyNet to determine the local NN topology, which optimizes the accuracy of the target learning task under the constraints on privacy loss, local computation, and storage. The efficiency and effectiveness of PrivyNet are demonstrated with the CIFAR-10 dataset.

Wei Du,Ang Li,Pan Zhou,Ben Niu,Dapeng Wu

DOI: https://doi.org/10.1109/tmc.2021.3050458

IF: 6.075

2021-01-01

IEEE Transactions on Mobile Computing

Abstract:Large volumes of video data recorded by the increasing mobile devices and embedded sensors can be leveraged to answer queries of our lives, physical world and our evolving society. Especially, the rapid development of convolutional neural networks (CNNs) in the past few years offers the great advantage for multiple tasks in video analysis. However, adopting running CNNs directly on mobile devices and embedded sensors for video analytics brings heavy burden due to their limited capacity, especially for learning a large volume of data. A promising approach is to outsource the computation-intensive part of CNN to cloud. However, the reveal of data to cloud may cause privacy leakage. In addition, the cloud-assisted approach may also bring some communication efficiency challenges for large volume of data. To address both privacy and efficiency issues, we design a privacy-preserving and computationally efficient framework for mobile video analytics. To protect the private information, we split the CNN model into two subnetworks, and first part is used as a feature extractor deployed in the mobile side and the second part is utilized as a classifier deployed in the cloud side. A specific-designed adversarial training process is adopted in order to extract features for normal task classification while hiding the features for sensitive task. In addition, to improve video process efficiency, we design a two-stage framework. The first stage is to extract key frames and necessary intermediate frames, while skipping redundant ones. The second stage is to extract the features of key frames by CNN-based feature extractor but apply optical-flow-based feature propagation algorithm to obtain the features of intermediate frames. Extensive experiments demonstrate our proposed system PrivacyEye can effectively protect private information while keep the accuracy of the normal tasks with less than 2 percent drop, and it saves up to 82.9 percent execution time and 78.8 percent energy consumption.

Ruiyuan Gao,Hailong Yang,Shaohan Huang,Ming Dun,Mingzhen Li,Zerong Luan,Zhongzhi Luan,Depei Qian

DOI: https://doi.org/10.1109/ccgrid51090.2021.00043

2021-01-01

Abstract:The huge computation demand for deep learning models and limited computation resources on the edge devices calls for the cooperation between the edge device and cloud service. On a typical edge-cloud system accommodating DNN inference, a deep model is split into two partial models running on the edge device and the cloud service, respectively. The two partial models collaborate closely to satisfy the DNN inference requested by the user. However, user's privacy is vulnerable when transferring the intermediate results generated by the partial model at edge device to cloud service. Existing research works rely on metrics that are either impractical or insufficient to measure the effectiveness of privacy protection methods in the above scenario, especially from a single input aspect. In this paper, we first thoroughly analyze the state-of-the-art methods and drawbacks of existing methods from the aspects of both evaluation metrics and proposed techniques. Then, we propose a new metric system, including privacy accuracy (PA) and privacy index (PI), that can accurately measure the effectiveness of privacy protection methods. Furthermore, we propose PriPro, a privacy protection method that can dynamically inject noise to the intermediate results at various layers regarding the input features through the self-attention mechanism. The experiment results demonstrate our method outperforms existing methods for protecting user privacy on deep models such as AlexNet, VGG, and ResNet.

Ji Wang,Jianguo Zhang,Weidong Bao,Xiaomin Zhu,Bokai Cao,Philip S. Yu

DOI: https://doi.org/10.1145/3219819.3220106

2018-01-01

Abstract:The increasing demand for on-device deep learning services calls for a highly efficient manner to deploy deep neural networks (DNNs) on mobile devices with limited capacity. The cloud-based solution is a promising approach to enabling deep learning applications on mobile devices where the large portions of a DNN are offloaded to the cloud. However, revealing data to the cloud leads to potential privacy risk. To benefit from the cloud data center without the privacy risk, we design, evaluate, and implement a cloud-based framework ARDEN which partitions the DNN across mobile devices and cloud data centers. A simple data transformation is performed on the mobile device, while the resource-hungry training and the complex inference rely on the cloud data center. To protect the sensitive information, a lightweight privacy-preserving mechanism consisting of arbitrary data nullification and random noise addition is introduced, which provides strong privacy guarantee. A rigorous privacy budget analysis is given. Nonetheless, the private perturbation to the original data inevitably has a negative impact on the performance of further inference on the cloud side. To mitigate this influence, we propose a noisy training method to enhance the cloud-side network robustness to perturbed data. Through the sophisticated design, ARDEN can not only preserve privacy but also improve the inference performance. To validate the proposed ARDEN, a series of experiments based on three image datasets and a real mobile application are conducted. The experimental results demonstrate the effectiveness of ARDEN. Finally, we implement ARDEN on a demo system to verify its practicality.

Yunlong Mao,Wenbo Hong,Heng Wang,Qun Li,Sheng Zhong

DOI: https://doi.org/10.1109/TPDS.2020.3040734

IF: 5.3

2021-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Deep neural networks (DNNs) have brought significant performance improvements to various real-life applications. However, a DNN training task commonly requires intensive computing resources and a huge data collection, which makes it hard for personal devices to carry out the entire training, especially for mobile devices. The federated learning concept has eased this situation. However, it is still an open problem for individuals to train their own DNN models at an affordable price. In this article, we propose an alternative DNN training strategy for resource-limited users. With the help of an untrusted server, end users can offload their DNN training tasks to the server in a privacy-preserving manner. To this end, we study the possibility of the separation of a DNN. Then we design a differentially private activation algorithm for end users to ensure the privacy of the offloading after model separation. Furthermore, to meet the rising demand for federated learning, we extend the offloading solution to parallel DNN models training with a secure model weights aggregation scheme for the privacy concern. Experimental results prove the feasibility of computation offloading solutions for DNN models in both solo and parallel modes.

Yuwen He,Chunhong Zhang,Xinning Zhu,Yang Ji

DOI: https://doi.org/10.1117/12.2524274

2019-01-01

Abstract:For personal-oriental applications, the outstanding recognition ability has caused great concern for privacy disclosure. Existing methods mainly protect the privacy by adding occlusion or noise to the original images before uploading, which is either impractical or destroying the utility of the photos. In this paper, we propose a Generative Adversarial Network (GAN) based image privacy protection algorithm PriGAN, which generates a privacy image for each original image to fool the recognition networks. When generating the privacy image, we consider the technique of adversarial image perturbations (AIP), which could confuse recognition networks with slight perturbations. That is, the privacy image could protect the privacy information by confusing the neural network hosted by the service providers. Meanwhile, the privacy image appears unmodified compared to the original one for human observers, and thus its utility could be preserved. The advantage of PriGAN is that it provides a general privacy protection framework for personal applications, by which privacy information of images can be protected without destroying the image utility. The experiment shows that the privacy images are misclassified with approximate 82.9% higher than the original images which indicate that our approach can prevent the privacy from leakage with considerable improvement.

Yunlong Mao,Shanhe Yi,Qun Li,Jinghao Feng,Fengyuan Xu,Sheng Zhong

DOI: https://doi.org/10.1109/sec.2018.00014

2018-01-01

Abstract:Deep convolutional neural networks (DNNs) have brought significant performance improvements to face recognition. However the training can hardly be carried out on mobile devices because the training of these models requires much computational power. An individual user with the demand of deriving DNN models from her own datasets usually has to outsource the training procedure onto an edge server. However this outsourcing method violates privacy because it exposes the users' data to curious service providers. In this paper, we utilize the differentially private mechanism to enable the privacy-preserving edge based training of DNN face recognition models. During the training, DNN is split between the user device and the edge server in a way that both private data and model parameters are protected, with only a small cost of local computations. We rigorously prove that our approach is privacy preserving. We finally show that our mechanism is capable of training models in different scenarios, e.g., from scratch, or through fine-tuning over existed models.

Yamin Sepehri,Pedram Pad,Pascal Frossard,L. Andrea Dunbar

2024-08-09

Abstract:The training phase of deep neural networks requires substantial resources and as such is often performed on cloud servers. However, this raises privacy concerns when the training dataset contains sensitive content, e.g., face images. In this work, we propose a method to perform the training phase of a deep learning model on both an edge device and a cloud server that prevents sensitive content being transmitted to the cloud while retaining the desired information. The proposed privacy-preserving method uses adversarial early exits to suppress the sensitive content at the edge and transmits the task-relevant information to the cloud. This approach incorporates noise addition during the training phase to provide a differential privacy guarantee. We extensively test our method on different facial datasets with diverse face attributes using various deep learning architectures, showcasing its outstanding performance. We also demonstrate the effectiveness of privacy preservation through successful defenses against different white-box and deep reconstruction attacks.

Computer Vision and Pattern Recognition,Cryptography and Security,Distributed, Parallel, and Cluster Computing,Machine Learning,Image and Video Processing

Wang Xiao,Liu Han

DOI: https://doi.org/10.23919/ccc52363.2021.9549422

2021-01-01

Abstract:Deep neural networks have achieved great success in many fields, but deploying deep neural networks on mobile devices with low memory resources or in applications with strict latency requirements is difficult. The networks are both computationally and memory-intensive, which hinders deployment in mobile computing environments. To address this problem, a new compression method for deep neural networks is proposed in this paper. First, the standard convolution is replaced with depthwise separable convolution to simplify the calculation and decrease the number of parameters of the convolution layers. Then, the deep networks are pruned by removing unimportant connections. Finally, weight quantization is performed to compress the network further based on the weight sharing applied using the shared weights obtained from kernel k-means clustering. Several experiments are completed to verify the viability and effectiveness of the proposed method. The experimental results show that deep neural networks can be compressed effectively with improvement in accuracy. On the MNIST and ImageNet datasets, our method reduces the storage required by the LeNet, AlexNet and VGG-16 networks by 33× to 45×. Reducing the storage requirement makes the deployment of deep neural networks possible on mobile systems where application size and download bandwidth are constrained.

Abdelrhman Hassan,Fei Liu,Fanchuan Wang,Yong Wang

DOI: https://doi.org/10.1016/j.sysarc.2021.102043

IF: 5.836

2021-01-01

Journal of Systems Architecture

Abstract:With the tremendous growth of smart mobile devices, the C ontent- B ased I mage R etrieval (CBIR) becomes popular and has great market potentials. Secure image retrieval has attracted considerable interests recently due to the outsourcing of CBIR onto the cloud. In this paper, we propose and implement a secure CBIR framework that performs image retrieval on the cloud without the user’s interaction. A pre-trained generic DNN model (e.g., VGG-16) is used to extract the feature vectors of an image on the user side. The cloud servers perform secure image inference with a private pre-trained DNN model and execute A pproximate N earest N eighbor (ANN) image retrieval protocols without the user’s anymore interaction. We design and implement a set of protocols for the secure evaluation of the non-linear functions in DNNs. The information about the image contents, the private DNN model parameters, the intermediate and the retrieval results is strictly concealed by the conjunctive use of the lattice-based homomorphic scheme and two-party computation (2-PC) techniques. We further propose a secure image similarity scoring and a result sorting protocols, which enable the cloud servers to compare and sort images without knowing any information about their features or contents. The comprehensive experimental results show that our framework is efficient, accurate and secure.