Qiao Zhang,Cong Wang,Hongyi Wu,Chunsheng Xin,Tran V. Phuong

DOI: https://doi.org/10.24963/ijcai.2018/547

2018-01-01

Abstract:Privacy is a fundamental challenge for a variety of smart applications that depend on data aggregation and collaborative learning across different entities. In this paper, we propose a novel privacy-preserved architecture where clients can collaboratively train a deep model while preserving the privacy of each client's data. Our main strategy is to carefully partition a deep neural network to two non-colluding parties. One party performs linear computations on encrypted data utilizing a less complex homomorphic cryptosystem, while the other executes non-polynomial computations in plaintext but in a privacy-preserved manner. We analyze security and compare the communication and computation complexity with the existing approaches. Our extensive experiments on different datasets demonstrate not only stable training without accuracy loss, but also 14 to 35 times speedup compared to the state-of-the-art system.

Yang Yang,Ke Mu,Robert H. Deng

DOI: https://doi.org/10.1109/tifs.2022.3156818

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Generative adversarial network (GAN) has excellent performance for data generation and is widely used in image synthesis. Outsourcing GAN to cloud platform is a popular way to save local computation resources and improve the efficiency, but it still faces the privacy leakage concerns: (1) the sensitive information of the training dataset may be disclosed in the cloud; (2) the trained model may reveal the privacy of training samples since it extracts the characteristics from the data. In this paper, we propose a lightweight privacy-preserving GAN framework (LP-GAN) for model training and image synthesis based on secret sharing scheme. Specifically, we design a series of efficient secure interactive protocols for different layers (convolution, batch normalization, ReLU, Sigmoid) of neural network (NN) used in GAN. Our protocols are scalable to build secure training or inference tasks for NN-based applications. We utilize edge computing to reduce the latency and all the protocols are executed on two edge servers collaboratively. Compared with the existing schemes, the proposed solution greatly improves efficiency, reduces communication overhead, and guarantees the privacy. We prove the correctness and security of LP-GAN by theoretical analysis. Extensive experiments on different real-world datasets demonstrate the effectiveness, accuracy, and efficiency of our scheme.

computer science, theory & methods,engineering, electrical & electronic

Cheng Zhuo,Di Gao,Liangwei Liu

DOI: https://doi.org/10.1109/tbdata.2022.3216566

2024-01-01

IEEE Transactions on Big Data

Abstract:The deployment of deep learning applications has to address the increasing privacy concerns when using private and sensitive data for training. A conventional deep learning model is prone to privacy attacks that can recover the sensitive information from either model parameters or accesses to the inference model. Recently, differential privacy (DP) has been proposed to offer provable privacy guarantees by randomizing the training process of neural networks. However, many approaches tend to provide the worst case privacy protection for model publishing, inevitably impairing the accuracy of the trained models. Thus, we present a novel private knowledge transfer strategy, where the private teacher trained on sensitive data is not publicly accessible but the student models can be released with privacy guarantees. In this paper, a three-player (teacher-student-discriminator) learning framework, Private Knowledge Distillation with Generative Adversarial Networks (PKDGAN), is proposed, where the student acquires the distilled knowledge from the teacher and is trained with the discriminator to generate similar outputs as the teacher. Moreover, a cooperative learning strategy is also suggested to support the collective training of multiple students against the discriminator when each student is with insufficient unlabelled training data. To enforce rigorous privacy guarantees, PKDGAN applies a Rényi differential privacy mechanism throughout the training process, and use it with a moment accountant technique to track the privacy cost. PKDGAN allows students to be trained with unlabelled public data and very few epochs, which avoids the exposure of training data while ensuring model performance. In the experiments, PKDGAN is found to have consistently good performance on various datasets (MNIST, SVHN, CIFAR-10, and Market-1501). When compared to prior works [1], [2], PKDGAN exhibits 5-82% accuracy loss improvement without compromising any privacy guarantee.

Bingzhe Wu,Shiwan Zhao,ChaoChao Chen,Haoyang Xu,Li Wang,Xiaolu Zhang,Guangyu Sun,Jun Zhou

DOI: https://doi.org/10.48550/arxiv.1908.07882

2019-01-01

Abstract:In this paper, we aim to understand the generalization properties of generative adversarial networks (GANs) from a new perspective of privacy protection. Theoretically, we prove that a differentially private learning algorithm used for training the GAN does not overfit to a certain degree, i.e., the generalization gap can be bounded. Moreover, some recent works, such as the Bayesian GAN, can be re-interpreted based on our theoretical insight from privacy protection. Quantitatively, to evaluate the information leakage of well-trained GAN models, we perform various membership attacks on these models. The results show that previous Lipschitz regularization techniques are effective in not only reducing the generalization gap but also alleviating the information leakage of the training dataset.

Jinke Ren,Chonghe Liu,Guanding Yu,Dongning Guo

2021-01-01

Abstract: Generative adversarial networks (GANs) are emerging machine learning models for generating synthesized data similar to real data by jointly training a generator and a discriminator. In many applications, data and computational resources are distributed over many devices, so centralized computation with all data in one location is infeasible due to privacy and/or communication constraints. This paper proposes a new framework for training GANs in a distributed fashion: Each device computes a local discriminator using local data; a single server aggregates their results and computes a global GAN. Specifically, in each iteration, the server sends the global GAN to the devices, which then update their local discriminators; the devices send their results to the server, which then computes their average as the global discriminator and updates the global generator accordingly. Two different update schedules are designed with different levels of parallelism between the devices and the server. Numerical results obtained using three popular datasets demonstrate that the proposed framework can outperform a state-of-the-art framework in terms of convergence speed.

Chengchao Shen,Youtan Yin,Xinchao Wang,Xubin LI,Jie Song,Mingli Song

DOI: https://doi.org/10.1109/CVPR46437.2021.00336

2021-01-01

Abstract:Generative Adversarial Networks (GANs) have demonstrated unprecedented success in various image generation tasks. The encouraging results, however, come at the price of a cumbersome training process, during which the generator and discriminator are alternately updated in two stages. In this paper, we investigate a general training scheme that enables training GANs efficiently in only one stage. Based on the adversarial losses of the generator and discriminator, we categorize GANs into two classes, Symmetric GANs and Asymmetric GANs, and introduce a novel gradient decomposition method to unify the two, allowing us to train both classes in one stage and hence alleviate the training effort. We also computationally analyze the efficiency of the proposed method, and empirically demonstrate that, the proposed method yields a solid 1.5x acceleration across various datasets and network architectures. Furthermore, we show that the proposed method is readily applicable to other adversarial-training scenarios, such as data-free knowledge distillation. The code is available at https://github.com/zju-vipa/OSGAN.

Yayuan Xiong,Fengyuan Xu,Sheng Thong

DOI: https://doi.org/10.1109/icc40277.2020.9149430

2020-01-01

Abstract:Distributed learning unleashes the power of training collaboration among multiple parties who have different training data. While participants enjoy mutually beneficial outcomes of the distributed learning, which cannot be achieved by single party, they also worry about the risk of privacy leaking. In fact, recent work shows that a malicious participant is able to leverage a Generative Adversarial Network (GAN) to steal sensitive information of training data owned by others through shared gradient updates. However, existed countermeasures, such as the differential privacy or cryptographic methods, could disturb the training in terms of model accuracy or computation overhead. In this paper, we seek to mitigate this privacy issue in a non-intrusive manner. Instead of passive protection, we propose to actively detect such GAN-based attackers at the very beginning of training. Our detection only utilizes the gradient updates uploaded by participants during the training, so it is transparent to participants and does not require protocol changes. We demonstrate the effectiveness of our detection through extensive experiments in different settings and attack scenarios.

Jiacheng Zhao,Xiuming Zhao,Zhihua Gan,Xiuli Chai,Tianfeng Ma,Zhen Chen

DOI: https://doi.org/10.1007/s00530-024-01425-6

IF: 3.9

2024-01-01

Multimedia Systems

Abstract:The rise of online sharing platforms has provided people with diverse and convenient ways to share images. However, a substantial amount of sensitive user information is contained within these images, which can be easily captured by malicious neural networks. To ensure the secure utilization of authorized protected data, reversible adversarial attack techniques have emerged. Existing algorithms for generating adversarial examples do not strike a good balance between visibility and attack capability. Additionally, the network oscillations generated during the training process affect the quality of the final examples. To address these shortcomings, we propose a novel reversible adversarial network based on generative adversarial networks (RA-RevGAN). In this paper, the generator is used for noise generation to map features into perturbations of the image, while the region selection module confines these perturbations to specific areas that significantly affect classification. Furthermore, a robust attack mechanism is integrated into the discriminator to stabilize the network’s training by optimizing convergence speed and minimizing time cost. Extensive experiments have demonstrated that the proposed method ensures a high image generation rate, excellent attack capability, and superior visual quality while maintaining high classification accuracy in image restoration.

Jiaxin Zhang,Liang Zhao,Keping Yu,Geyong Min,Ahmed Y. Al-Dubai,Albert Y. Zomaya

DOI: https://doi.org/10.1109/tmc.2023.3278668

IF: 6.075

2023-01-01

IEEE Transactions on Mobile Computing

Abstract:Generative adversarial networks (GANs) have been advancing and gaining tremendous interests from both academia and industry. With the development of wireless technologies, a huge amount of data generated at the network edge provides an unprecedented opportunity to develop GANs applications. However, due to the constraints such as bandwidth, privacy, and legal issues, it is inappropriate to collect and send all data to the cloud or servers for analysis, training, and mining. Thus, deploying and training GANs at the edge becomes a promising alternative solution. The instability of GANs introduced by non-independent and identical data (Non-IID) poses significant challenges to training GANs. To address these challenges, this paper presents a novel federated learning framework for GANs, namely, Collaborated gAme Parallel Learning (CAP). CAP supports parallel training of data and models for GANs, breaking the isolated training among generators that exists in the previous distributed algorithms, and achieving collaborative learning among cloud, edge servers, and devices. Then, to further enhance the ability of CAP-GAN for addressing Non-IID issues, we propose a Mix-Generator module (Mix-G) which divides a generator into the sharing layer and personalizing layer. The Mix-G module extracts the generic and personalization features and improves the performance of CAP-GAN on extremely personalizing datasets. Experimental results and analysis substantiate the usefulness and superiority of our proposed CAP-GAN scheme which can achieve better results in the Non-IID scenarios compared with the state-of-the-art algorithms.

computer science, information systems,telecommunications

Zepeng Jiang,Weiwei Ni,Yifan Zhang

2024-04-19

Abstract:Conditional Generative Adversarial Networks (CGANs) exhibit significant potential in supervised learning model training by virtue of their ability to generate realistic labeled images. However, numerous studies have indicated the privacy leakage risk in CGANs models. The solution DPCGAN, incorporating the differential privacy framework, faces challenges such as heavy reliance on labeled data for model training and potential disruptions to original gradient information due to excessive gradient clipping, making it difficult to ensure model accuracy. To address these challenges, we present a privacy-preserving training framework called PATE-TripleGAN. This framework incorporates a classifier to pre-classify unlabeled data, establishing a three-party min-max game to reduce dependence on labeled data. Furthermore, we present a hybrid gradient desensitization algorithm based on the Private Aggregation of Teacher Ensembles (PATE) framework and Differential Private Stochastic Gradient Descent (DPSGD) method. This algorithm allows the model to retain gradient information more effectively while ensuring privacy protection, thereby enhancing the model's utility. Privacy analysis and extensive experiments affirm that the PATE-TripleGAN model can generate a higher quality labeled image dataset while ensuring the privacy of the training data.

Computer Vision and Pattern Recognition,Cryptography and Security,Machine Learning

Zhipeng Cai,Zuobin Xiong,Honghui Xu,Peng Wang,Wei Li,Yi Pan

DOI: https://doi.org/10.1145/3459992

IF: 16.6

2021-01-01

ACM Computing Surveys

Abstract:Generative Adversarial Networks (GANs) have promoted a variety of applications in computer vision and natural language processing, among others, due to its generative model's compelling ability to generate realistic examples plausibly drawn from an existing distribution of samples. GAN not only provides impressive performance on data generation-based tasks but also stimulates fertilization for privacy and security oriented research because of its game theoretic optimization strategy. Unfortunately, there are no comprehensive surveys on GAN in privacy and security, which motivates this survey to summarize systematically. The existing works are classified into proper categories based on privacy and security functions, and this survey conducts a comprehensive analysis of their advantages and drawbacks. Considering that GAN in privacy and security is still at a very initial stage and has imposed unique challenges that are yet to be well addressed, this article also sheds light on some potential privacy and security applications with GAN and elaborates on some future research directions.

Manil Shrestha,Yashodha Ravichandran,Edward Kim

2024-09-28

Abstract:As usage of generative AI tools skyrockets, the amount of sensitive information being exposed to these models and centralized model providers is alarming. For example, confidential source code from Samsung suffered a data leak as the text prompt to ChatGPT encountered data leakage. An increasing number of companies are restricting the use of LLMs (Apple, Verizon, JPMorgan Chase, etc.) due to data leakage or confidentiality issues. Also, an increasing number of centralized generative model providers are restricting, filtering, aligning, or censoring what can be used. Midjourney and RunwayML, two of the major image generation platforms, restrict the prompts to their system via prompt filtering. Certain political figures are restricted from image generation, as well as words associated with women's health care, rights, and abortion. In our research, we present a secure and private methodology for generative artificial intelligence that does not expose sensitive data or models to third-party AI providers. Our work modifies the key building block of modern generative AI algorithms, e.g. the transformer, and introduces confidential and verifiable multiparty computations in a decentralized network to maintain the 1) privacy of the user input and obfuscation to the output of the model, and 2) introduce privacy to the model itself. Additionally, the sharding process reduces the computational burden on any one node, enabling the distribution of resources of large generative AI processes across multiple, smaller nodes. We show that as long as there exists one honest node in the decentralized computation, security is maintained. We also show that the inference process will still succeed if only a majority of the nodes in the computation are successful. Thus, our method offers both secure and verifiable computation in a decentralized network.

Cryptography and Security,Artificial Intelligence

Chonghe Liu,Jinke Ren,Guanding Yu

DOI: https://doi.org/10.1109/vtc2022-spring54318.2022.9860610

2022-01-01

Abstract:The deployment of generative adversarial networks (GANs) in wireless networks faces three key challenges of limited devices’ computational capability, scarce communication resources, and severe data privacy leakage. To address these issues, this paper proposes a new distributed framework for training GANs based on ensemble learning. First, multiple discriminators are trained at many devices using their local datasets. A generator is then trained at a central server by aggregating devices’ discriminators in an ensemble manner. The per-round training time is established. Finally, simulation results show that the proposed framework can simultaneously reduce the training time and improve the learning performance as compared with an existing framework.

Kang Liu,Benjamin Tan,Siddharth Garg

DOI: https://doi.org/10.48550/arXiv.2009.09283

2020-09-20

Abstract:Unprecedented data collection and sharing have exacerbated privacy concerns and led to increasing interest in privacy-preserving tools that remove sensitive attributes from images while maintaining useful information for other tasks. Currently, state-of-the-art approaches use privacy-preserving generative adversarial networks (PP-GANs) for this purpose, for instance, to enable reliable facial expression recognition without leaking users' identity. However, PP-GANs do not offer formal proofs of privacy and instead rely on experimentally measuring information leakage using classification accuracy on the sensitive attributes of deep learning (DL)-based discriminators. In this work, we question the rigor of such checks by subverting existing privacy-preserving GANs for facial expression recognition. We show that it is possible to hide the sensitive identification data in the sanitized output images of such PP-GANs for later extraction, which can even allow for reconstruction of the entire input images, while satisfying privacy checks. We demonstrate our approach via a PP-GAN-based architecture and provide qualitative and quantitative evaluations using two public datasets. Our experimental results raise fundamental questions about the need for more rigorous privacy checks of PP-GANs, and we provide insights into the social impact of these.

Computer Vision and Pattern Recognition,Artificial Intelligence,Cryptography and Security,Machine Learning

Zhenyu Jiang,Changli Zhou,Hui Tian,Zikang Chen

DOI: https://doi.org/10.3390/electronics13173423

IF: 2.9

2024-09-01

Electronics

Abstract:Differential privacy techniques have shown excellent performance in protecting sensitive information during GAN model training. However, with the increasing attention to data privacy issues, ensuring high-quality output of generative models and the efficiency of federated learning while protecting privacy has become a pressing challenge. To address these issues, this paper proposes a One-shot Federated Personalized Protection–Generative Adversarial Network (OFPP-GAN). Firstly, this scheme employs dual personalized differential privacy to achieve privacy protection. It adjusts the noise scale and clipping threshold based on the gradient changes during model training in a personalized manner, thereby enhancing the performance of the generative model while protecting privacy. Additionally, the scheme adopts the one-shot federated learning paradigm, where each client uploads their local model containing private information only once throughout the training process. This approach not only reduces the risk of privacy leakage but also decreases the communication overhead of the entire system. Finally, we validate the effectiveness of the proposed method through theoretical analysis and experiments. Compared with existing methods, the generative model trained with OFPP-GAN demonstrates superior security, efficiency, and robustness.

engineering, electrical & electronic,computer science, information systems,physics, applied

Zhipeng Cai,Zuobin Xiong,Honghui Xu,Peng Wang,Wei Li,Yi Pan

DOI: https://doi.org/10.48550/arXiv.2106.03785

IF: 5.414

2021-06-07

Machine Learning

Abstract:Generative Adversarial Networks (GAN) have promoted a variety of applications in computer vision, natural language processing, etc. due to its generative model's compelling ability to generate realistic examples plausibly drawn from an existing distribution of samples. GAN not only provides impressive performance on data generation-based tasks but also stimulates fertilization for privacy and security oriented research because of its game theoretic optimization strategy. Unfortunately, there are no comprehensive surveys on GAN in privacy and security, which motivates this survey paper to summarize those state-of-the-art works systematically. The existing works are classified into proper categories based on privacy and security functions, and this survey paper conducts a comprehensive analysis of their advantages and drawbacks. Considering that GAN in privacy and security is still at a very initial stage and has imposed unique challenges that are yet to be well addressed, this paper also sheds light on some potential privacy and security applications with GAN and elaborates on some future research directions.

Chugui Xu,Ju Ren,Deyu Zhang,Yaoxue Zhang,Zhan Qin,Kui Ren

DOI: https://doi.org/10.1109/tifs.2019.2897874

IF: 7.231

2019-01-01

IEEE Transactions on Information Forensics and Security

Abstract:By learning generative models of semantic-rich data distributions from samples, generative adversarial network (GAN) has recently attracted intensive research interests due to its excellent empirical performance as a generative model. The model is used to estimate the underlying distribution of a dataset and randomly generate realistic samples according to their estimated distribution. However, GANs can easily remember training samples due to the high model complexity of deep networks. When GANs are applied to private or sensitive data, the concentration of distribution may divulge some critical information. It consequently requires new technological advances to mitigate the information leakage under GANs. To address this issue, we propose GANobfuscator, a differentially private GAN, which can achieve differential privacy under GANs by adding carefully designed noise to gradients during the learning procedure. With GANobfuscator, analysts are able to generate an unlimited amount of synthetic data for arbitrary analysis tasks without disclosing the privacy of training data. Moreover, we theoretically prove that GANobfuscator can provide strict privacy guarantee with differential privacy. In addition, we develop a gradient-pruning strategy for GANobfuscator to improve the scalability and stability of data training. Through extensive experimental evaluation on benchmark datasets, we demonstrate that GANobfuscator can produce high-quality generated data and retain desirable utility under practical privacy budgets.

Ke Pan,Maoguo Gong,Yuan Gao

DOI: https://doi.org/10.1016/j.knosys.2023.110576

IF: 8.139

2023-07-01

Knowledge-Based Systems

Abstract:Generative adversarial networks (GANs) have become hugely popular by virtue of their impressive ability to generate realistic samples. Although GANs alleviate the arduous data-collection problem, they are prone to memorize training samples as a result of their complex model structure. Thus, GANs may not provide sufficient privacy guarantees, and there is a considerable chance of inadvertently divulging data privacy. To alleviate this issue, we design a privacy-enhanced GAN based on differential privacy. We first integrate truncated concentrated differential privacy technique into GAN for mitigating privacy leakage with tighter privacy bound. Then, according to different privacy demands of users in real-world scenarios, we design two adaptive noise allocation strategies, which enable us to dynamically inject noise into gradients at each iteration. Different strategies provide us with an intuitive handle to adopt a suitable strategy and achieve an elegant compromise between privacy and utility in distinct scenarios. Furthermore, we offer rigorous illustrations from the perspective of privacy preservation and privacy defense to demonstrate that our algorithm can fulfill differential privacy guarantees. Extensive experiments on real-world datasets manifest that our algorithm can generate high-quality samples while achieving an excellent trade-off between model performance and privacy guarantees.

computer science, artificial intelligence

Mengkai Song,Zhibo Wang,Zhifei Zhang,Yang Song,Qian Wang,Ju Ren,Hairong Qi

DOI: https://doi.org/10.1109/jsac.2020.3000372

IF: 16.4

2020-10-01

IEEE Journal on Selected Areas in Communications

Abstract:Federated learning has emerged as an advanced privacy-preserving learning technique for mobile edge computing, where the model is trained in a decentralized manner by the clients, preventing the server from directly accessing those private data from the clients. This learning mechanism significantly challenges the attack from the server side. Although the state-of-the-art attacking techniques that incorporated the advance of Generative adversarial networks (GANs) could construct class representatives of the global data distribution among all clients, it is still challenging to distinguishably attack a specific client (i.e., user-level privacy leakage), which is a stronger privacy threat to precisely recover the private data from a specific client. To analyze the privacy leakage of federated learning, this paper gives the first attempt to explore user-level privacy leakage by the attack from a malicious server. We propose a framework incorporating GAN with a multi-task discriminator, called multi-task GAN – Auxiliary Identification (mGAN-AI), which simultaneously discriminates category, reality, and client identity of input samples. The novel discrimination on client identity enables the generator to recover user specified private data. Unlike existing works interfering the federated learning process, the proposed method works "invisibly" on the server side. Furthermore, considering the anonymization strategy for mitigating mGAN-AI, we propose a beforehand linkability attack which re-identifies the anonymized updates by associating the client representatives. A novel siamese network fusing the identification and verification models is developed for measuring the similarity of representatives. The experimental results demonstrate the effectiveness of the proposed approaches and the superior to the state-of-the-art.

telecommunications,engineering, electrical & electronic

Xiaodan Yan,Baojiang Cui,Yang Xu,Peilin Shi,Ziqi Wang

DOI: https://doi.org/10.1109/TCBB.2019.2940583

Abstract:Deep learning is widely used in the medical field owing to its high accuracy in medical image classification and biological applications. However, under collaborative deep learning, there is a serious risk of information leakage based on the deep convolutional generation against the network's privacy protection method. Moreover, the risk of such information leakage is greater in the medical field. This paper proposes a deep convolution generative adversarial networks (DCGAN) based privacy protection method to protect the information of collaborative deep learning training and enhance its stability. The proposed method adopts encrypted transmission in the process of deep network parameter transmission. By setting the buried point to detect a generative adversarial network (GAN) attack in the network and adjusting the training parameters, training based on the GAN model attack is forced to be invalid, and the information is effectively protected.