Lingchen Zhao,Qian Wang,Qin Zou,Yan Zhang,Yanjiao Chen

DOI: https://doi.org/10.1109/tifs.2019.2939713

2018-01-01

Abstract:With powerful parallel computing GPUs and massive user data, neural-network-based deep learning can well exert its strong power in problem modeling and solving, and has archived great success in many applications such as image classification, speech recognition and machine translation etc. While deep learning has been increasingly popular, the problem of privacy leakage becomes more and more urgent. Given the fact that the training data may contain highly sensitive information, e.g., personal medical records, directly sharing them among the users (i.e., participants) or centrally storing them in one single location may pose a considerable threat to user privacy. In this paper, we present a practical privacy-preserving collaborative deep learning system that allows users to cooperatively build a collective deep learning model with data of all participants, without direct data sharing and central data storage. In our system, each participant trains a local model with their own data and only shares model parameters with the others. To further avoid potential privacy leakage from sharing model parameters, we use functional mechanism to perturb the objective function of the neural network in the training process to achieve $\epsilon $ -differential privacy. In particular, for the first time, we consider the existence of unreliable participants , i.e., the participants with low-quality data, and propose a solution to reduce the impact of these participants while protecting their privacy. We evaluate the performance of our system on two well-known real-world datasets for regression and classification tasks. The results demonstrate that the proposed system is robust against unreliable participants, and achieves high accuracy close to the model trained in a traditional centralized manner while ensuring rigorous privacy protection.

Meng Hao,Hongwei Li,Guowen Xu,Sen Liu,Haomiao Yang

DOI: https://doi.org/10.1109/icc.2019.8761267

2019-05-01

Abstract:Deep learning has been applied in many areas, such as computer vision, natural language processing and emotion analysis. Differing from the traditional deep learning that collects users’ data centrally, federated deep learning requires participants to train the networks on private datasets and share the training results, and hence has more gratifying efficiency and stronger security. However, it still presents some privacy issues since adversaries can deduce users’ privacy from local outputs, such as gradients. While the problem of private federated deep learning has been an active research issue, the latest research findings are still inadequate in terms of security, accuracy and efficiency. In this paper, we propose an efficient and privacy-preserving federated deep learning protocol based on stochastic gradient descent method by integrating the additively homomorphic encryption with differential privacy. Specifically, users add noises to each local gradients before encrypting them to obtain the optical performance and security. Moreover, our scheme is secure to honest-but-curious server setting even if the cloud server colludes with multiple users. Besides, our scheme supports federated learning for large-scale users scenarios and extensive experiments demonstrate our scheme has high efficiency and high accuracy compared with non-private model.

TANG Ling-tao,WANG Di,ZHANG Lu-fei,LIU Sheng-yun

DOI: https://doi.org/10.11896/jsjkx.210800108

2022-01-01

Computer Science

Abstract:Federated learning provides a novel solution to collaborative learning among untrusted entities. Through a local-trai-ning-and-central-aggregation pattern,the federated learning algorithm trains a global model while protects local data privacy of each entity. However,recent studies show that local models uploaded by clients and global models produced by the server may still leak users' private information. Secure multi-party computation and differential privacy are two mainstream privacy-preserving techniques,which are used to protect the privacy of computation process and computation outputs respectively. There are few works that exploit the benefits of these two techniques at the same time. This paper proposes a privacy-preserving federated learning scheme for deep learning by combining secure multi-party computation and differential privacy. Clients add noise to local models,and secret share them to multiple servers. Servers aggregate these model shares by secure multi-party computation to obtain a private global model. The proposed scheme not only protects the privacy of local model updates uploaded by clients,but also prevents adversaries from inferring sensitive information from globally shared data such as aggregated models. The scheme also allows dropout of unstable clients and is compatible with complex aggregation functions. In addition,it can be naturally extended to the decentralized setting for real-world applications where no trusted centers exist. We implement our system in Python and Pytorch. Experiments validate that the proposed scheme achieves the same level of efficiency and accuracy as plaintext fede-rated learning.

Zhen Liu,Changsong Yang,Yong Ding,Hai Liang,Yujue Wang

DOI: https://doi.org/10.1109/jiot.2024.3478208

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:The emergence of Big Data and Artificial Intelligence (AI) marks a significant milestone in technological advancement, impacting various sectors and transforming the essence of public and personal activities. Traditional machine learning, known as centralized learning, involves collecting data from multiple sources for model development, which poses significant privacy risks. To address the conflict between the need for data sharing and the protection of privacy, federated learning has emerged as a promising solution. This approach allows for the continuous sharing of model updates between a central server and numerous local devices, fostering collaborative model development. However, it also brings about considerable communication costs and raises privacy concerns due to the potential for sensitive information leakage from the central server and local devices. To address these issues, we propose a lightweight and accuracy-lossless privacy-preserving federated learning scheme based on gradient clipping. The central server introduces noise to the global model to prevent clients from extracting valuable information, and then the local devices train these models using their data. To reduce the communication load, parameters with less impact on the model are removed using the Fisher information matrix. Additionally, to enhance privacy protection, the client-computed parameters are perturbed using the Diffie-Hellman key exchange method. Our experiments show that this approach greatly reduces the communication load for clients and the server, while effectively safeguarding client privacy and maintaining the model’s accuracy.

Yong Li,Gaochao Xu,Xutao Meng,Wei Du,Xianglin Ren

DOI: https://doi.org/10.3390/e26050353

IF: 2.738

2024-04-24

Entropy

Abstract:In the realm of federated learning (FL), the exchange of model data may inadvertently expose sensitive information of participants, leading to significant privacy concerns. Existing FL privacy-preserving techniques, such as differential privacy (DP) and secure multi-party computing (SMC), though offering viable solutions, face practical challenges including reduced performance and complex implementations. To overcome these hurdles, we propose a novel and pragmatic approach to privacy preservation in FL by employing localized federated updates (LF3PFL) aimed at enhancing the protection of participant data. Furthermore, this research refines the approach by incorporating cross-entropy optimization, carefully fine-tuning measurement, and improving information loss during the model training phase to enhance both model efficacy and data confidentiality. Our approach is theoretically supported and empirically validated through extensive simulations on three public datasets: CIFAR-10, Shakespeare, and MNIST. We evaluate its effectiveness by comparing training accuracy and privacy protection against state-of-the-art techniques. Our experiments, which involve five distinct local models (Simple-CNN, ModerateCNN, Lenet, VGG9, and Resnet18), provide a comprehensive assessment across a variety of scenarios. The results clearly demonstrate that LF3PFL not only maintains competitive training accuracies but also significantly improves privacy preservation, surpassing existing methods in practical applications. This balance between privacy and performance underscores the potential of localized federated updates as a key component in future FL privacy strategies, offering a scalable and effective solution to one of the most pressing challenges in FL.

physics, multidisciplinary

Lifeng Liu,Yifan Hu,Jiawei Yu,Fengda Zhang,Gang Huang,Jun Xiao,Chao Wu

DOI: https://doi.org/10.1145/3387168.3387211

2019-01-01

Abstract:Currently, training neural networks often requires a large corpus of data from multiple parties. However, data owners are reluctant to share their sensitive data to third parties for modelling in many cases. Therefore, Federated Learning (FL) has arisen as an alternative to enable collaborative training of models without sharing raw data, by distributing modelling tasks to multiple data owners. Based on FL, we premodel sent a novel and decentralized approach to training encrypted models with privacy-preserved data on Blockchain. In our approach, Blockchain is adopted as the machine learning environment where different actors (i.e., the model provider, the data provider) collaborate on the training task. During the training process, an encryption algorithm is used to protect the privacy of data and the trained model. Our experiments demonstrate that our approach is practical in real-world applications.

Yipeng Dong,Lei Zhang,Lin Xu

DOI: https://doi.org/10.1007/978-981-97-0834-5_9

2024-01-01

Abstract:Federated learning enables collaborative training of the global model by participants with diverse data sources while preserving data privacy. However, the traditional federated learning architecture faces some challenges, including single-point of server failure and privacy disclosure. To address these challenges, this paper proposes a distributed federated learning scheme based on multi-key homomorphic encryption, which fundamentally solves the problems of server single-point failure and malicious behavior, while effectively protecting the data privacy of participants. The trusted execution environment (TEE) is used to detect the quality of the models and to prevent some malicious participants from executing malicious behavior. Furthermore, an incentive mechanism is designed to encourage participants to actively and honestly perform training tasks. Our scheme satisfies privacy, robustness, and fairness criteria, as demonstrated in our analysis.

Yan Hong,Zhiqing Huang,Chenyang Zhang

DOI: https://doi.org/10.1117/12.2684744

2023-01-01

Abstract:Federated learning is a new privacy protection framework for machine learning. The central server aggregates multiple participants to decentralized optimized parameters, then distributes the generated model to the client, and finally converges the global model. The model obtained by performance approaching centralized data training is trained under the condition that the data is not leave local. However, many studies have shown that this centralized federation system is vulnerable to confidentiality attacks by "honest but curious" attackers, using the gradient parameter information transmitted during federation model training to carry out reconstruction attacks or inference attacks, obtain the privacy data of participants or deduce some member information, which poses a severe challenge to the privacy protection of federated learning. In this paper, a hybrid defense strategy based on confusion self-encoder combined with localized differential privacy is proposed. On the one hand, the labels of the participants' local data are confused through the self-encoder network, so as to cut off the relationship between the gradient information and the original data. On the other hand, the localized differential privacy mechanism is used to disturb the transmitted gradient parameter information, and a model performance loss constraint mechanism is designed to reduce the impact of noise addition on the model performance. Experiments show that the hybrid defense strategy proposed in this paper can effectively resist reconstruction attacks and inference attacks in the process of federated learning model training, and achieve a better balance among computing overhead, model performance and privacy security.

Xue Yang,Yan Feng,Weijun Fang,Jun Shao,Xiaohu Tang,Shu-Tao Xia,Rongxing Lu

2020-01-01

Abstract:Although cross-silo federated learning improves privacy of training data by exchanging model updates rather than raw data, sharing updates (e.g., local gradients or parameters) may still involve risks. To ensure no updates are revealed to the server, industrial FL schemes allow clients (e.g., financial or medical) to mask local gradients by homomorphic encryption (HE). In this case, the server cannot obtain the updates, but the curious clients can obtain this information to infer other clients' private data. To alleviate this situation, the most direct idea is to let clients train deep models on encrypted domain. Unfortunately, the resulting solution is of poor accuracy and high cost, since the existing advanced HE is incompatible with non-linear activation functions and inefficient in terms of computational cost. In this paper, we propose a \emph{computational-efficient deep model training scheme for ciphertext-based cross-silo federated learning} to comprehensively guarantee privacy. First, we customize \emph{a novel one-time-pad-style model encryption method} to directly supports non-linear activation functions and decimal arithmetic operations on the encrypted domain. Then, we design a hybrid privacy-preserving scheme by combining our model encryption method with secret sharing techniques to keep updates secret from the clients and prevent the server from obtaining local gradients of each client. Extensive experiments demonstrate that for both regression and classification tasks, our scheme achieves the same accuracy as non-private approaches and outperforms the state-of-the-art HE-based scheme. Besides, training time of our scheme is almost the same as non-private approaches and much more efficient than HE-based schemes. Our scheme trains a $9$-layer neural network on the MNIST dataset in less than one hour.

Xianglong Zhang,Anmin Fu,Huaqun Wang,Chunyi Zhou,Zhenzhu Chen

DOI: https://doi.org/10.1109/icc40277.2020.9148628

2020-01-01

Abstract:Due to the complexity of the data environment, many organizations prefer to train deep learning models together by sharing training sets. However, this process is always accompanied by the restriction of distributed storage and privacy. Federated learning addresses this challenge by only sharing gradients with the server without revealing training sets. Unfortunately, existing research has shown that the server could extract information of the training sets from shared gradients. Besides, the server may falsify the calculated result to affect the accuracy of the trained model. To solve the above problems, we propose a privacy-preserving and verifiable federated learning scheme. Our scheme focuses on processing shared gradients by combining the Chinese Remainder Theorem and the Paillier homomorphic encryption, which can realize privacy-preserving federated learning with low computation and communication costs. In addition, we introduce the bilinear aggregate signature technology into federated learning, which effectively verifies the correctness of aggregated gradient. Moreover, the experiment shows that even with the added verification function, our scheme still has high accuracy and efficiency.

Hangyu Zhu,Rui Wang,Yaochu Jin,Kaitai Liang,Jianting Ning

DOI: https://doi.org/10.1016/j.neucom.2021.08.062

IF: 6

2021-11-01

Neurocomputing

Abstract:Homomorphic encryption is a very useful gradient protection technique used in privacy preserving federated learning. However, existing encrypted federated learning systems need a trusted third party to generate and distribute key pairs to connected participants, making them unsuited for federated learning and vulnerable to security risks. Moreover, encrypting all model parameters is computationally intensive, especially for large machine learning models such as deep neural networks. In order to mitigate these issues, we develop a practical, computationally efficient encryption based protocol for federated deep learning, where the key pairs are collaboratively generated without the help of a trusted third party. By quantization of the model parameters on the clients and an approximated aggregation on the server, the proposed method avoids encryption and decryption of the entire model. In addition, a threshold based secret sharing technique is designed so that no one can hold the global private key for decryption, while aggregated ciphertexts can be successfully decrypted by a threshold number of clients even if some clients are offline. Our experimental results confirm that the proposed method significantly reduces the communication costs and computational complexity compared to existing encrypted federated learning without compromising the performance and security.

computer science, artificial intelligence

Xiuting Gu,Zhu Tianqing,Jie Li,Tao Zhang,Wei Ren,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1016/j.cose.2022.102907

2022-11-01

Abstract:As applications of machine learning become increasingly widespread, the need to ensure model accuracy and fairness while protecting the privacy of user data becomes more pronounced. On this note, this paper introduces a federated learning training model, which allow clients to simultaneously learn their model and update the associated parameters on a centralized server. In our approach, we seek to achieve an acceptable trade-off between privacy, accuracy, and model fairness by using differential privacy (DP), which also helps to minimize privacy risks by protecting the presence of a specific sample in the training data. Machine learning models can, however, exhibit unintended behaviors, such as unfairness, which result in groups with certain sensitive characteristics (e.g., gender) receiving different patterns of outcomes. Hence, we discuss the fairness and privacy effect of local DP and global DP when applied to federated learning by designing a fair and privacy quantification mechanism. In doing so, we can achieve an acceptable trade-off between accuracy, privacy, and model fairness. We quantify the level of fairness based on the constraints of three definitions of fairness, including demographic parity, equal odds, and equality of opportunity. Finally, findings from our extensive experiments conducted on three real-world datasets with class imbalance demonstrate the positive effect of local and global DP on fairness. Our study also shows that privacy can come at the cost of fairness, as stricter privacy can intensify discrimination. Hence, we posit that careful parameter selection can potentially help achieve a more effective trade-off between utility, bias, and privacy.

computer science, information systems

Wenqiang Yang,Bin Liu,Changlei Lu,Nenghai Yu

DOI: https://doi.org/10.1145/3393527.3393533

2020-01-01

Abstract:Federated learning provides a framework in which many participants join together to train a deep learning model. Although data is not directly transmitted in federated learning in order to protect privacy, recent researches show that transmitted parameters also lead to information leakage, which violates participants' privacy. In this paper, we combine cryptographic tools (additively homomorphic encryption, AES and RSA) with federated learning to design privacy-preserving protocols, which protect every participant's parameters' information. Results of experiments show that the proposed cryptographic methods can protect single participant's uploaded parameters with acceptable computation overhead increasing.

Zhaosen Shi,Zeyu Yang,Alzubair Hassan,Fagen Li,Xuyang Ding

DOI: https://doi.org/10.1007/s11235-022-00982-3

2022-12-09

Telecommunication Systems

Abstract:The performance of machine learning models largely depends on the amount of data. However, with the improvement of privacy awareness, data sharing has become more and more difficult. Federated learning provides a solution for joint machine learning, which alleviates this difficulty. Although it works by sharing parameters instead of data, privacy threats like inference attacks still exist owing to the exposed parameters or updates. In this paper, we propose a privacy preserving scheme for federated learning by combining the homomorphism of both secret sharing and encryption. Our scheme ensures the confidentiality of local parameters and tolerates collusion threats under a certain range. Our scheme also tolerates dropping of some clients, performs aggregation without sharing keys and has simple interaction process. Meantime, we use the automatic protocol tool ProVerif to verify its cryptographic functionality, analyze its theoretical complexity and compare them with similar schemes. We verify our scheme by experiment to show that it has less running time compared with some schemes.

telecommunications

Changxu Wan,Ying Wang,Jianbo Xu,Junjie Wu,Tiantian Zhang,Yulong Wang

DOI: https://doi.org/10.3390/electronics13040679

IF: 2.9

2024-02-07

Electronics

Abstract:Traditional federated learning addresses the data security issues arising from the need to centralize client datasets on a central server for model training. However, this approach still poses privacy protection risks. For instance, central servers cannot verify privacy leaks resulting from poisoning attacks by malicious clients. Additionally, adversarial sample attacks can infer specific samples from the original data by testing the local models on client devices. This paper proposes a federated learning privacy protection method combining distillation defense technology with blockchain architecture. The method utilizes distillation defense technology to reduce the sensitivity of client devices participating in federated learning to perturbations and enhance their ability to resist adversarial sample attacks locally. This not only reduces communication overhead and improves learning efficiency but also enhances the model's generalization ability. Furthermore, the method leverages the "decentralized" nature of blockchain architecture as a trusted record-keeping mechanism to audit information interactions among clients and shared model parameters. This addresses privacy leakage issues resulting from poisoning attacks by some clients during the model construction process. Simulation experiment results demonstrate that the proposed method, compared with traditional federated learning, ensures model convergence, detects malicious clients, and improves the participation level of highly reputable clients. Moreover, by reducing the sensitivity of local clients to perturbations, it enhances their ability to effectively resist adversarial sample attacks.

engineering, electrical & electronic,computer science, information systems,physics, applied

Zheng Yuan,Youliang Tian,Jinbo Xiong,Linjie Wang

DOI: https://doi.org/10.1109/nana63151.2024.00009

2024-01-01

Abstract:Federated learning has garnered considerable attention for its capacity to aggregate efficient and accurate models while preserving user’s data privacy. Nonetheless, conventional federated learning frameworks remain susceptible to malicious threats like collusion and inference attacks. We design a robust and resilient enhancing privacy-preserving federated learning framework based on blockchain (EPFL) to address these threats. Initially, we meticulously design a two-round encryption scheme that allows users to upload encryption gradients while the server can still perform aggregation. Subsequently, a secure communication protocol termed the “server-blockchain-user” is devised based on blockchain architecture. This protocol guarantees the openness, transparency, and traceability of the entire training process, while also offering resilience in users’ drop-out and joining that may arise during the aggregation process. Finally, experimental assessments are conducted to appraise the robustness and accuracy of EPFL. The empirical findings demonstrate that EPFL not only demonstrates robustness against collusion and inference attacks, but also adeptly handles user exits and entries without compromising the confidentiality of user keys. Moreover, EPFL attains model accuracy commensurate with the FedAvg.

Tianqi Su,Meiqi Wang,Zhongfeng Wang

DOI: https://doi.org/10.1109/AICAS51828.2021.9458510

2021-01-01

Abstract:Distributed machine learning (ML) and other related techniques such as federated learning are facing a high risk of information leakage. Differential privacy (DP) is commonly used to protect privacy. However, it suffers from low accuracy due to the unbalanced data distribution in federated learning and additional noise brought by DP itself. In this paper, we propose a novel federated learning model that can protect data privacy from the gradient leakage attack and black-box membership inference attack (MIA). The proposed protection scheme makes the data hard to be reproduced and be distinguished from predictions. A small simulated attacker network is embedded as a regularization punishment to defend the malicious attacks. We further introduce a gradient modification method to secure the weight information and remedy the additional accuracy loss. The proposed privacy protection scheme is evaluated on MNIST and CIFAR-10, and compared with state-of-the-art DP-based federated learning models. Experimental results demonstrate that our model can successfully defend diverse external attacks to user-level privacy with negligible accuracy loss.

Xue Yang,Depan Peng,Yan Feng,Xiaohu Tang,Weijun Fang,Jun Shao

2024-12-16

Abstract:Bidirectional privacy-preservation federated learning is crucial as both local gradients and the global model may leak privacy. However, only a few works attempt to achieve it, and they often face challenges such as excessive communication and computational overheads, or significant degradation of model accuracy, which hinders their practical applications. In this paper, we design an efficient and high-accuracy bidirectional privacy-preserving scheme for federated learning to complete secure model training and secure aggregation. To efficiently achieve bidirectional privacy, we design an efficient and accuracy-lossless model perturbation method on the server side (called $\mathbf{MP\_Server}$) that can be combined with local differential privacy (LDP) to prevent clients from accessing the model, while ensuring that the local gradients obtained on the server side satisfy LDP. Furthermore, to ensure model accuracy, we customize a distributed differential privacy mechanism on the client side (called $\mathbf{DDP\_Client}$). When combined with $\mathbf{MP\_Server}$, it ensures LDP of the local gradients, while ensuring that the aggregated result matches the accuracy of central differential privacy (CDP). Extensive experiments demonstrate that our scheme significantly outperforms state-of-the-art bidirectional privacy-preservation baselines (SOTAs) in terms of computational cost, model accuracy, and defense ability against privacy attacks. Particularly, given target accuracy, the training time of SOTAs is approximately $200$ times, or even over $1000$ times, longer than that of our scheme. When the privacy budget is set relatively small, our scheme incurs less than $6\%$ accuracy loss compared to the privacy-ignoring method, while SOTAs suffer up to $20\%$ accuracy loss. Experimental results also show that the defense capability of our scheme outperforms than SOTAs.

Machine Learning,Cryptography and Security

Xudong Zhu,Hui Li

DOI: https://doi.org/10.1145/3472634.3472642

2021-01-01

Abstract:Deep learning has achieved the high-accuracy of state-of-the-art algorithms in long-standing AI tasks. Due to the obvious privacy issues of deep learning, Google proposes Federal Deep Learning (FDL), in which distributed participants only upload local gradients and and a centralized server updates parameters based on the collected gradients. But few users are willing to participate in federated learning due to the lack of contribution evaluation and reward mechanisms. So a decentralized federated deep learning, called DFDL, has been proposed by introducing blockchain to form an effective incentive mechanism for participants. However, DFDL still faces serious privacy issues as blockchain does not guarantee the privacy of training data and model. In this paper, in order to address the aforementioned issues, we propose a new Privacy-preserving DFDL scheme, called PDFDL. With PDFDL, parties can securely learn a global model with their local gradients in the assistance of blockchain, and the parties’ sensitive data and the global model are well protected. Specifically, with a secure multi-party aggregation computing, all local gradients are encrypted by their owners before being sent to the smart contract, and can be directly aggregated without decryption. Detailed security analysis shows that PDFDL can resist various known security threats. Moreover, we give an implementation prototype by integrating deep learning module with a Blockchain development platform (Ethereum V1.6.4). We demonstrate the encryption performance and the training accuracy of our PDFDL on benchmark datasets.