Lingchen Zhao,Qian Wang,Qin Zou,Yan Zhang,Yanjiao Chen

DOI: https://doi.org/10.1109/tifs.2019.2939713

2018-01-01

Abstract:With powerful parallel computing GPUs and massive user data, neural-network-based deep learning can well exert its strong power in problem modeling and solving, and has archived great success in many applications such as image classification, speech recognition and machine translation etc. While deep learning has been increasingly popular, the problem of privacy leakage becomes more and more urgent. Given the fact that the training data may contain highly sensitive information, e.g., personal medical records, directly sharing them among the users (i.e., participants) or centrally storing them in one single location may pose a considerable threat to user privacy. In this paper, we present a practical privacy-preserving collaborative deep learning system that allows users to cooperatively build a collective deep learning model with data of all participants, without direct data sharing and central data storage. In our system, each participant trains a local model with their own data and only shares model parameters with the others. To further avoid potential privacy leakage from sharing model parameters, we use functional mechanism to perturb the objective function of the neural network in the training process to achieve $\epsilon $ -differential privacy. In particular, for the first time, we consider the existence of unreliable participants , i.e., the participants with low-quality data, and propose a solution to reduce the impact of these participants while protecting their privacy. We evaluate the performance of our system on two well-known real-world datasets for regression and classification tasks. The results demonstrate that the proposed system is robust against unreliable participants, and achieves high accuracy close to the model trained in a traditional centralized manner while ensuring rigorous privacy protection.

Qiao Zhang,Cong Wang,Hongyi Wu,Chunsheng Xin,Tran V. Phuong

DOI: https://doi.org/10.24963/ijcai.2018/547

2018-01-01

Abstract:Privacy is a fundamental challenge for a variety of smart applications that depend on data aggregation and collaborative learning across different entities. In this paper, we propose a novel privacy-preserved architecture where clients can collaboratively train a deep model while preserving the privacy of each client's data. Our main strategy is to carefully partition a deep neural network to two non-colluding parties. One party performs linear computations on encrypted data utilizing a less complex homomorphic cryptosystem, while the other executes non-polynomial computations in plaintext but in a privacy-preserved manner. We analyze security and compare the communication and computation complexity with the existing approaches. Our extensive experiments on different datasets demonstrate not only stable training without accuracy loss, but also 14 to 35 times speedup compared to the state-of-the-art system.

Wei Gao,Shangwei Guo,Tianwei Zhang,Han Qiu,Yonggang Wen,Yang Liu

DOI: https://doi.org/10.1109/cvpr46437.2021.00018

2021-01-01

Abstract:Collaborative learning has gained great popularity due to its benefit of data privacy protection: participants can jointly train a Deep Learning model without sharing their training sets. However, recent works discovered that an adversary can fully recover the sensitive training samples from the shared gradients. Such reconstruction attacks pose severe threats to collaborative learning. Hence, effective mitigation solutions are urgently desired. In this paper, we propose to leverage data augmentation to defeat reconstruction attacks: by preprocessing sensitive images with carefully-selected transformation policies, it becomes infeasible for the adversary to extract any useful information from the corresponding gradients. We design a novel search method to automatically discover qualified policies. We adopt two new metrics to quantify the impacts of transformations on data privacy and model usability, which can significantly accelerate the search speed. Comprehensive evaluations demonstrate that the policies discovered by our method can defeat existing reconstruction attacks in collaborative learning, with high efficiency and negligible impact on the model performance.

Di Gao,Cheng Zhuo

DOI: https://doi.org/10.3233/FAIA200294

2020-01-01

Abstract:The deployment of deep learning applications has to address the growing privacy concerns when using private and sensitive data for training. A conventional deep learning model is prone to privacy attacks that can recover the sensitive information of individuals from either model parameters or accesses to the target model. Recently, differential privacy that offers provable privacy guarantees has been proposed to train neural networks in a privacy-preserving manner to protect training data. However, many approaches tend to provide the worst case privacy guarantees for model publishing, inevitably impairing the accuracy of the trained models. In this paper, we present a novel private knowledge transfer strategy, where the private teacher trained on sensitive data is not publicly accessible but teaches a student to be publicly released. In particular, a three-player (teacher-student-discriminator) learning framework is proposed to achieve trade-off between utility and privacy, where the student acquires the distilled knowledge from the teacher and is trained with the discriminator to generate similar outputs as the teacher. We then integrate a differential privacy protection mechanism into the learning procedure, which enables a rigorous privacy budget for the training. The framework eventually allows student to be trained with only unlabelled public data and very few epochs, and hence prevents the exposure of sensitive training data, while ensuring model utility with a modest privacy budget. The experiments on MNIST, SVHN and CIFAR-10 datasets show that our students obtain the accuracy losses w.r.t teachers of 0.89%, 2.29%, 5.16%, respectively with the privacy bounds of (1.93, 10(-5)), (5.02, 10(-6)), (8.81, 10(-6)). When compared with the existing works [15, 20], the proposed work can achieve 582% accuracy loss improvement.

Hongyang Yan,Li Hu,Xiaoyu Xiang,Zheli Liu,Xu Yuan

DOI: https://doi.org/10.1016/j.ins.2020.09.064

IF: 8.1

2021-02-01

Information Sciences

Abstract:<p>Collaborative learning and related techniques such as federated learning, allow multiple clients to train a model jointly while keeping their datasets at local. <em>Secure Aggregation</em> in most existing works focus on protecting model gradients from the server. However, an dishonest user could still easily get the privacy information from the other users. It remains a challenge to propose an effective solution to prevent information leakage against dishonest users.</p><p>To tackle this challenge, we propose a novel and effective privacy-preserving collaborative machine learning scheme, targeting at preventing information leakage agains adversaries. Specifically, we first propose a privacy-preserving network transformation method by utilizing Random-Permutation in Software Guard Extensions(SGX), which protects the model parameters from being inferred by a curious server and dishonest clients. Then, we apply Partial-Random Uploading mechanism to mitigate the information inference through visualizations. To further enhance the efficiency, we introduce network pruning operation and employ it to accelerate the convergence of training. We present the formal security analysis to demonstrate that our proposed scheme can preserve privacy while ensuring the convergence and accuracy of secure aggregation. We conduct experiments to show the performance of our solution in terms of accuracy and efficiency. The experimental results show that the proposed scheme is practical.</p>

computer science, information systems

Wei Gao,Xu Zhang,Shangwei Guo,Tianwei Zhang,Tao Xiang,Han Qiu,Yonggang Wen,Yang Liu

DOI: https://doi.org/10.1109/tpami.2023.3262813

IF: 23.6

2023-01-01

IEEE Transactions on Pattern Analysis and Machine Intelligence

Abstract:Collaborative learning has gained great popularity due to its benefit of data privacy protection: participants can jointly train a Deep Learning model without sharing their training sets. However, recent works discovered that an adversary can fully recover the sensitive training samples from the shared gradients. Such reconstruction attacks pose severe threats to collaborative learning. Hence, effective mitigation solutions are urgently desired. In this paper, we systematically analyze existing reconstruction attacks and propose to leverage data augmentation to defeat these attacks: by preprocessing sensitive images with carefully-selected transformation policies, it becomes infeasible for the adversary to extract training samples from the corresponding gradients. We first design two new metrics to quantify the impacts of transformations on data privacy and model usability. With the two metrics, we design a novel search method to automatically discover qualified policies from a given data augmentation library. Our defense method can be further combined with existing collaborative training systems without modifying the training protocols. We conduct comprehensive experiments on various system settings. Evaluation results demonstrate that the policies discovered by our method can defeat state-of-the-art reconstruction attacks in collaborative learning, with high efficiency and negligible impact on the model performance.

computer science, artificial intelligence,engineering, electrical & electronic

Fabian Perez,Jhon Lopez,Henry Arguello

DOI: https://doi.org/10.1109/ICASSP48485.2024.10446218

2024-04-09

Abstract:In the era of cloud computing and data-driven applications, it is crucial to protect sensitive information to maintain data privacy, ensuring truly reliable systems. As a result, preserving privacy in deep learning systems has become a critical concern. Existing methods for privacy preservation rely on image encryption or perceptual transformation approaches. However, they often suffer from reduced task performance and high computational costs. To address these challenges, we propose a novel Privacy-Preserving framework that uses a set of deformable operators for secure task learning. Our method involves shuffling pixels during the analog-to-digital conversion process to generate visually protected data. Those are then fed into a well-known network enhanced with deformable operators. Using our approach, users can achieve equivalent performance to original images without additional training using a secret key. Moreover, our method enables access control against unauthorized users. Experimental results demonstrate the efficacy of our approach, showcasing its potential in cloud-based scenarios and privacy-sensitive applications.

Computer Vision and Pattern Recognition,Cryptography and Security,Image and Video Processing

Hongfu Liu,Bin Li,Changlong Gao,Pei Xie,Chenglin Zhao

DOI: https://doi.org/10.1109/tifs.2023.3309095

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Federated learning (FL) enables multiple local clients to collaboratively train a global model, which can reduce privacy leakage by sharing model parameters instead of private datasets. However, recent works have revealed that gradient-based data reconstruction attacks, e.g., deep leakage from gradients (DLG), improved DLG (iDLG), and inverting gradients (IG), may still reveal private information by exploiting model parameters from a local client. Current privacy-preserving FL strategies, e.g., differential privacy or gradient compression, can handle such attacks to some extent, but seriously sacrifice their model accuracy. In this work, we propose a novel privacy-preserving FL method, named privacy-encoded FL (PEFL), to combat such data reconstruction attacks without degrading the model performance. The key concept of PEFL is that each large weight matrix of the neural network model is decomposed into multiple cascading sub-matrices, which thus establishes a novel privacy-encoded mechanism by introducing an entangling nonlinear mapping between model gradients and raw data. As such, multiple sub-matrices are directly trained in parallel at the local clients, but only partial sub-matrices are reported to a global server, which suffices to reconstruct the global model whilst increasing the complexity of the coupling between the model parameters and raw data. We provide a detailed analysis of the accuracy, security, and complexity of our method. As shown, it breaks the limit of classical defensive methods, by significantly reducing the risk of data reconstruction attacks yet not degrading the model performance. Compared to classical defenses, the proposed PEFL decreases the peak-signal-to-noise ratio (PSNR) between the reconstructed data and the raw data by ~ 20dB, without sacrificing the test accuracy. As a new paradigm for privacy-preserving FL, our proposed method has great potential in privacy-demanding learning applications.

Xiaoyu Kou,Fengwei Wang,Hui Zhu,Yandong Zheng,Xiaopeng Yang,Zhe Liu

DOI: https://doi.org/10.1007/s12083-024-01718-7

IF: 3.488

2024-05-23

Peer-to-Peer Networking and Applications

Abstract:With the widespread use of the internet and advancements in computing and data storage technologies, large amounts of data can be collected and analyzed to explore hidden knowledge and patterns in various areas. Among different data types, images have become an increasingly important information carrier, especially in computer vision research. However, the image data often contains valuable sensitive information of users, such as personal identifiers and biometric information. During the transmission process, once adversaries obtain the image data, it may lead to severe consequences. To solve the image data leakage problem, a lot of image privacy-preserving schemes are proposed. Nevertheless, in most existing schemes, the utility of an image will also be broken while ensuring data privacy. Meanwhile, how to balance privacy and utility is always a nerve-wracking challenge in image privacy protection. In this paper, we focus on designing a privacy-preserving scheme that protects the visual content of an image while retaining its availability for convolutional neural networks (CNN) training and prediction. Specifically, we first use the edge detection technique to discover original image features. Then, we carefully design a noise generation method in which the generated noises can guarantee distance-based indistinguishability while minimally affecting image features. Therefore, with the proposed scheme, the visual content of an image can be protected, and it can still be used for CNN training and prediction. Moreover, we empirically evaluate our proposed scheme with various evaluation criteria. The results demonstrate that the visual content of an image is indeed protected while the accuracy of the trained CNN model is available.

computer science, information systems,telecommunications

Arnaud Grivet Sébert,Rafael Pinot,Martin Zuber,Cédric Gouy-Pailler,Renaud Sirdey

DOI: https://doi.org/10.1007/s10994-021-05970-3

2021-03-27

Abstract:We introduce a deep learning framework able to deal with strong privacy constraints. Based on collaborative learning, differential privacy and homomorphic encryption, the proposed approach advances state-of-the-art of private deep learning against a wider range of threats, in particular the honest-but-curious server assumption. We address threats from both the aggregation server, the global model and potentially colluding data holders. Building upon distributed differential privacy and a homomorphic argmax operator, our method is specifically designed to maintain low communication loads and efficiency. The proposed method is supported by carefully crafted theoretical results. We provide differential privacy guarantees from the point of view of any entity having access to the final model, including colluding data holders, as a function of the ratio of data holders who kept their noise secret. This makes our method practical to real-life scenarios where data holders do not trust any third party to process their datasets nor the other data holders. Crucially the computational burden of the approach is maintained reasonable, and, to the best of our knowledge, our framework is the first one to be efficient enough to investigate deep learning applications while addressing such a large scope of threats. To assess the practical usability of our framework, experiments have been carried out on image datasets in a classification context. We present numerical results that show that the learning procedure is both accurate and private.

Cryptography and Security,Machine Learning

Bardia Azizian,Ivan V. Bajic

2024-09-05

Abstract:Privacy is a crucial concern in collaborative machine vision where a part of a Deep Neural network (DNN) model runs on the edge, and the rest is executed on the cloud. In such applications, the machine vision model does not need the exact visual content to perform its task. Taking advantage of this potential, private information could be removed from the data insofar as it does not significantly impair the accuracy of the machine vision system. In this paper, we present an autoencoder-style network integrated within an object detection pipeline, which generates a latent representation of the input image that preserves task-relevant information while removing private information. Our approach employs an adversarial training strategy that not only removes private information from the bottleneck of the autoencoder but also promotes improved compression efficiency for feature channels coded by conventional codecs like VVC-Intra. We assess the proposed system using a realistic evaluation framework for privacy, directly measuring face and license plate recognition accuracy. Experimental results show that our proposed method is able to reduce the bitrate significantly at the same object detection accuracy compared to coding the input images directly, while keeping the face and license plate recognition accuracy on the images recovered from the bottleneck features low, implying strong privacy protection. Our code is available at <a class="link-external link-https" href="https://github.com/bardia-az/ppa-code" rel="external noopener nofollow">this https URL</a>.

Image and Video Processing

Zhen Liu,Changsong Yang,Yong Ding,Hai Liang,Yujue Wang

DOI: https://doi.org/10.1109/jiot.2024.3478208

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:The emergence of Big Data and Artificial Intelligence (AI) marks a significant milestone in technological advancement, impacting various sectors and transforming the essence of public and personal activities. Traditional machine learning, known as centralized learning, involves collecting data from multiple sources for model development, which poses significant privacy risks. To address the conflict between the need for data sharing and the protection of privacy, federated learning has emerged as a promising solution. This approach allows for the continuous sharing of model updates between a central server and numerous local devices, fostering collaborative model development. However, it also brings about considerable communication costs and raises privacy concerns due to the potential for sensitive information leakage from the central server and local devices. To address these issues, we propose a lightweight and accuracy-lossless privacy-preserving federated learning scheme based on gradient clipping. The central server introduces noise to the global model to prevent clients from extracting valuable information, and then the local devices train these models using their data. To reduce the communication load, parameters with less impact on the model are removed using the Fisher information matrix. Additionally, to enhance privacy protection, the client-computed parameters are perturbed using the Diffie-Hellman key exchange method. Our experiments show that this approach greatly reduces the communication load for clients and the server, while effectively safeguarding client privacy and maintaining the model’s accuracy.

Shilu Wang,Junhong Wang,Xiangjun Li,Lizhen Hong

DOI: https://doi.org/10.1109/iciscae55891.2022.9927588

2022-01-01

Abstract:To address the 3 major problems of gradient privacy leakage during local model gradient collection and global model gradient aggregation update, the non-verifiability of aggregation results, and the huge overhead of applying homomorphic encryption techniques in existing federal learning techniques. In this paper, an efficient and verifiable privacy-preserving federal learning framework is investigated and proposed by combining neural networks, batch encryption techniques and aggregation principles. The iterative algorithm in this model training process uses stochastic gradient descent + extreme value convergence method. In each iteration, the weights of each data source are first trained locally using fully connected network, Alexnet, and LSTM, and then the weights of each data source are encrypted using batch crypt technology (BatchCrypt) and delivered to the cloud server, which aggregates the encrypted weights received from all clients using the average aggregation principle and then distributes the latest The cloud server uses the average aggregation principle to aggregate the encrypted weights received from all clients and then distributes the latest encrypted weights to each client, and each client decrypts the weights using the corresponding keys to obtain the weights and update the weights of the overall model. Our BatchCrypt encryption framework greatly reduces the encryption and decryption time consumption compared with Tencent's mainstream solutions, and the cost difference between Loss and Accuracy under different Epochs is very small, and the security and stability are higher under the “poison test”. The security and stability are higher under the “poison test”.

Fengyi Tang,Wei Wu,Jian Liu,Huimei Wang,Ming Xian

DOI: https://doi.org/10.3390/electronics8040411

IF: 2.9

2019-01-01

Electronics

Abstract:The flourishing deep learning on distributed training datasets arouses worry about data privacy. The recent work related to privacy-preserving distributed deep learning is based on the assumption that the server and any learning participant do not collude. Once they collude, the server could decrypt and get data of all learning participants. Moreover, since the private keys of all learning participants are the same, a learning participant must connect to the server via a distinct TLS/SSL secure channel to avoid leaking data to other learning participants. To fix these problems, we propose a privacy-preserving distributed deep learning scheme with the following improvements: (1) no information is leaked to the server even if any learning participant colludes with the server; (2) learning participants do not need different secure channels to communicate with the server; and (3) the deep learning model accuracy is higher. We achieve them by introducing a key transform server and using homomorphic re-encryption in asynchronous stochastic gradient descent applied to deep learning. We show that our scheme adds tolerable communication cost to the deep learning system, but achieves more security properties. The computational cost of learning participants is similar. Overall, our scheme is a more secure and more accurate deep learning scheme for distributed learning participants.

Yuexin Xiang,Tiantian Li,Wei Ren,Tianqing Zhu,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1016/j.engappai.2023.107180

2021-05-19

Abstract:To ensure the privacy of sensitive data used in the training of deep learning models, a number of privacy-preserving methods have been designed by the research community. However, existing schemes are generally designed to work with textual data, or are not efficient when a large number of images is used for training. Hence, in this paper we propose a lightweight and efficient approach to preserve image privacy while maintaining the availability of the training set. Specifically, we design the pixel block mixing algorithm for image classification privacy preservation in deep learning. To evaluate its utility, we use the mixed training set to train the ResNet50, VGG16, InceptionV3 and DenseNet121 models on the WIKI dataset and the CNBC face dataset. Experimental findings on the testing set show that our scheme preserves image privacy while maintaining the availability of the training set in the deep learning models. Additionally, the experimental results demonstrate that we achieve good performance for the VGG16 model on the WIKI dataset and both ResNet50 and DenseNet121 on the CNBC dataset. The pixel block algorithm achieves fairly high efficiency in the mixing of the images, and it is computationally challenging for the attackers to restore the mixed training set to the original training set. Moreover, data augmentation can be applied to the mixed training set to improve the training's effectiveness.

Computer Vision and Pattern Recognition,Image and Video Processing

Ben Niu,Likun Zhang,Yahong Chen,Ang Li,Wei Du,Jin Cao,Fenghua Li

DOI: https://doi.org/10.1109/GLOBECOM42002.2020.9322322

2020-01-01

Abstract:Suffered from the contradiction between the limited capacity of local devices and large size of DNN models, a practical solution is transferring the heavy computational tasks from the local to the server side such as cloud. However, the untrusted server naturally requires all the user data to train neural networks and infer results, which causes the asset loss of the local and raises serious privacy concerns on user's sensitive information. To solve this problem in scenarios of machine learning as a service, we propose a general framework to balance the user privacy, model accuracy and training efficiency, simultaneously. Specifically, our representative subset selection algorithm takes the training value of data into account, selecting the most representative subset from the training data, in order to mitigate the loss of data assets, lower down the transmission overhead from the local to the server and lessen the training burden on the server at the same time. We also design a noisy representation transformation algorithm applying on the features extracted by neural networks to further perturb the data within the selected representative subset. Extensive experiments demonstrate that our framework can run locally with little sacrifice on the computation resource. It can not only protect private data before uploading, but also promote the training efficiency of servers.

Chang Xia,Jingyu Hua,Wei Tong,Yayuan Xiong,Sheng Zhong

DOI: https://doi.org/10.1109/icme46284.2020.9102960

2020-07-01

Abstract:In recent years, more and more mobile applications adopt deep learning technologies, especially CNN-based image recognition. To protect service providers’ interests, the CNN models are usually deployed on the cloud, and the users are required to upload raw images, which cause serious privacy concerns since images may contain sensitive information unrelated to the desired recognition tasks. The previous solution off-loads the shallow portions of the CNN to the clients, and thus the uploaded data becomes the extracted lower-level features rather than the raw images. Nevertheless, although service providers are prevented from obtaining the original images, it is still probably for them to perform some sensitive recognition tasks other than the desired one on the lower-lever features (even after being perturbed to satisfy Differential Privacy). Different from such solution, in this paper, we propose an independent local CNN, which is dedicated for the image perturbation on the clients. It is co-trained with the cloud CNN to learn to intelligently allocate diverse noises among pixels depending on their significance to the desired recognition service. Extensive experiments demonstrate that our mechanism can well prevent curious service providers from performing undesired recognition tasks while maintaining the high accuracy of the desired one.

Meng Hao,Hongwei Li,Guowen Xu,Sen Liu,Haomiao Yang

DOI: https://doi.org/10.1109/icc.2019.8761267

2019-05-01

Abstract:Deep learning has been applied in many areas, such as computer vision, natural language processing and emotion analysis. Differing from the traditional deep learning that collects users’ data centrally, federated deep learning requires participants to train the networks on private datasets and share the training results, and hence has more gratifying efficiency and stronger security. However, it still presents some privacy issues since adversaries can deduce users’ privacy from local outputs, such as gradients. While the problem of private federated deep learning has been an active research issue, the latest research findings are still inadequate in terms of security, accuracy and efficiency. In this paper, we propose an efficient and privacy-preserving federated deep learning protocol based on stochastic gradient descent method by integrating the additively homomorphic encryption with differential privacy. Specifically, users add noises to each local gradients before encrypting them to obtain the optical performance and security. Moreover, our scheme is secure to honest-but-curious server setting even if the cloud server colludes with multiple users. Besides, our scheme supports federated learning for large-scale users scenarios and extensive experiments demonstrate our scheme has high efficiency and high accuracy compared with non-private model.