Jie Fu,Zhili Chen,Xiao Han

DOI: https://doi.org/10.1109/trustcom56396.2022.00094

2022-01-01

Abstract:Federated learning seeks to address the issue of isolated data islands by making clients disclose only their local training models. However, it was demonstrated that private information could still be inferred by analyzing local model parameters, such as deep neural network model weights. Recently, differential privacy has been applied to federated learning to protect data privacy, but the noise added may degrade the learning performance much. Typically, in previous work, training parameters were clipped equally and noises were added uniformly. The heterogeneity and convergence of training parameters were simply not considered. In this paper, we propose a differentially private scheme for federated learning with adaptive noise (Adap DP-FL). Specifically, due to the gradient heterogeneity, we conduct adaptive gradient clipping for different clients and different rounds; due to the gradient convergence, we add decreasing noises accordingly. Extensive experiments on real-world datasets demonstrate that our Adap DP-FL outperforms previous methods significantly.

Mahtab Talaei,Iman Izadi

2024-01-04

Abstract:Federated learning (FL) as one of the novel branches of distributed machine learning (ML), develops global models through a private procedure without direct access to local datasets. However, access to model updates (e.g. gradient updates in deep neural networks) transferred between clients and servers can reveal sensitive information to adversaries. Differential privacy (DP) offers a framework that gives a privacy guarantee by adding certain amounts of noise to parameters. This approach, although being effective in terms of privacy, adversely affects model performance due to noise involvement. Hence, it is always needed to find a balance between noise injection and the sacrificed accuracy. To address this challenge, we propose adaptive noise addition in FL which decides the value of injected noise based on features' relative importance. Here, we first propose two effective methods for prioritizing features in deep neural network models and then perturb models' weights based on this information. Specifically, we try to figure out whether the idea of adding more noise to less important parameters and less noise to more important parameters can effectively save the model accuracy while preserving privacy. Our experiments confirm this statement under some conditions. The amount of noise injected, the proportion of parameters involved, and the number of global iterations can significantly change the output. While a careful choice of parameters by considering the properties of datasets can improve privacy without intense loss of accuracy, a bad choice can make the model performance worse.

Cryptography and Security,Distributed, Parallel, and Cluster Computing,Machine Learning

Mahtab Talaei,Iman Izadi

2024-06-27

Abstract:Federated learning (FL), a novel branch of distributed machine learning (ML), develops global models through a private procedure without direct access to local datasets. However, it is still possible to access the model updates (gradient updates of deep neural networks) transferred between clients and servers, potentially revealing sensitive local information to adversaries using model inversion attacks. Differential privacy (DP) offers a promising approach to addressing this issue by adding noise to the parameters. On the other hand, heterogeneities in data structure, storage, communication, and computational capabilities of devices can cause convergence problems and delays in developing the global model. A personalized weighted averaging of local parameters based on the resources of each device can yield a better aggregated model in each round. In this paper, to efficiently preserve privacy, we propose a personalized DP framework that injects noise based on clients' relative impact factors and aggregates parameters while considering heterogeneities and adjusting properties. To fulfill the DP requirements, we first analyze the convergence boundary of the FL algorithm when impact factors are personalized and fixed throughout the learning process. We then further study the convergence property considering time-varying (adaptive) impact factors.

Machine Learning,Cryptography and Security,Distributed, Parallel, and Cluster Computing

Shengnan Guo,Xibin Wang,Shigong Long,Hai Liu,Liu Hai,Toong Hai Sam

DOI: https://doi.org/10.1049/cit2.12187

IF: 7.985

2023-01-01

CAAI Transactions on Intelligence Technology

Abstract:Federated learning is a widely used distributed learning approach in recent years, however, despite model training from collecting data become to gathering parameters, privacy violations may occur when publishing and sharing models. A dynamic approach is proposed to add Gaussian noise more effectively and apply differential privacy to federal deep learning. Concretely, it is abandoning the traditional way of equally distributing the privacy budget epsilon $\mathbf{{\epsilon}}$ and adjusting the privacy budget to accommodate gradient descent federation learning dynamically, where the parameters depend on computation derived to avoid the impact on the algorithm that hyperparameters are created manually. It also incorporates adaptive threshold cropping to control the sensitivity, and finally, moments accountant is used to counting the epsilon $\mathbf{{\epsilon}}$ consumed on the privacy-preserving, and learning is stopped only if the epsilon total ${\mathbf{{\epsilon}}}_{total}$ by clients setting is reached, this allows the privacy budget to be adequately explored for model training. The experimental results on real datasets show that the method training has almost the same effect as the model learning of non-privacy, which is significantly better than the differential privacy method used by TensorFlow.

Zengwang Jin,Yanning Zhang,Yanyan Hu,Changyin Sun,Chenhao Xu

DOI: https://doi.org/10.1109/YAC59482.2023.10401762

2023-08-27

Abstract:Deep learning provides better personalized services by training specific models through massive amounts of data. However, due to the problem of gradient leakage during model training, the original data uploaded by the users is restored and privacy leakage occurs. In order to prevent data leakage, this paper introduces a federated learning method to deal with the privacy issues brought by multi-user joint modeling. Gradients generated by the user’s local model training are uploaded to the aggregation server without being trained directly using the original user data. Under such a framework setting, the users’ original data still has a certain risk of being leaked. In order to strengthen the protection of users’ privacy, the training process is encrypted by combining the differential privacy mechanism and the federated learning system. The model parameters are stochastic to ensure that they cannot be acquired by adversaries. By adding Gaussian mechanism and Laplace mechanism, the influence of differential privacy on the convergence of federated learning model is analyzed. The Laplace mechanism is a strict definition of differential privacy, while the Gaussian mechanism is a relaxed definition and allows adding less noise for privacy protection. The simulation results show that both mechanisms can achieve good model convergence effect and verify that differential privacy can produce better privacy protection effect with lower communication cost.

Computer Science

Rui Xue,Kaiping Xue,Bin Zhu,Xinyi Luo,Tianwei Zhang,Qibin Sun,Jun Lu

DOI: https://doi.org/10.1109/tifs.2023.3318944

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Federated Learning (FL) enables multiple distributed clients to collaboratively train a model with owned datasets. To avoid the potential privacy threat in FL, researchers propose the DP-FL strategy, which utilizes differential privacy (DP) to add elaborate noise to the exchanged parameters to hide privacy information. DP-FL guarantees the privacy of FL at the cost of model performance degradation. To balance the trade-off between model accuracy and security, we propose a differentially private federated learning scheme with an adaptive noise mechanism. This is challenging, as the distributed nature of FL makes it difficult to appropriately estimate sensitivity, where sensitivity is a concept in DP that determines the scale of noise. To resolve this, we design a generic method for sensitivity estimates based on local and global historical information. We also provide instances on four commonly used optimizers to verify its effectiveness. The experiments on MNIST, FMNIST and CIFAR-10 convincingly prove that our proposed scheme achieves higher accuracy while keeping high-level privacy protection compared to prior works.

Jinguo Li,Mengli Lu,Jin Zhang,Jing Wu

DOI: https://doi.org/10.1007/s10207-024-00933-w

2024-11-13

International Journal of Information Security

Abstract:Federated learning offers an effective solution for safeguarding data privacy in the Internet of Things ecosystem among diverse stakeholders. To enhance data usability for sharing and collaboration, the integration of differential privacy (DP) techniques into federated learning becomes crucial, providing essential support for system sustainability. In fact, differential privacy-based federated learning (DPFL) has gained widespread application across various domains, including healthcare, finance, and smart homes. However, traditional DPFL faces challenges, such as potential privacy leakage due to the plaintext transmission of intermediate content between the central server and clients, as well as the adverse impact of DP on model accuracy. In this article, we propose ALDP, a federated learning-based adaptive local differential privacy mechanism for IoT, which aims to address the privacy leakage and model accuracy degradation problems encountered by traditional DPFL. Specifically, we employ a SAM optimizer to mitigate the negative impact of DP through perceptual tuning and gradient normalization. We further implement an effective threshold cropping technique to manage gradient explosion and sparsity, and apply hierarchical adaptive noise to ensure balanced privacy protection across both data and participants. Experimental results demonstrate that our scheme maintains high model accuracy while preserving privacy. Compared to existing methods, our ALDP mechanism achieves a training and testing accuracy difference of only 8.47% on the EMNIST dataset, significantly outperforming other benchmark methods.

computer science, information systems, theory & methods, software engineering

Zhiyan Chen,Hong Zheng,Gang Liu

DOI: https://doi.org/10.3390/electronics13193959

IF: 2.9

2024-10-10

Electronics

Abstract:Data security and user privacy concerns are receiving increasing attention. Federated learning models based on differential privacy offer a distributed machine learning framework that protects data privacy. However, the noise introduced by the differential privacy mechanism may affect the model's usability, especially when reasonable gradient clipping is absent. Fluctuations in the gradients can lead to issues like gradient explosion, compromising training stability and potentially leaking privacy. Therefore, gradient clipping has become a crucial method for protecting both model performance and data privacy. To balance privacy protection and model performance, we propose the Adaptive Weight-Based Differential Privacy Federated Learning (AWDP-FL) framework, which processes model gradient parameters at the neural network layer level. First, by designing and recording the change trends of two-layer historical gradient sequences, we analyze and predict gradient variations in the current iteration and calculate the corresponding weight values. Then, based on these weights, we perform adaptive gradient clipping for each data point in each training batch, which is followed by gradient momentum updates based on the third moment. Before uploading the parameters, Gaussian noise is added to protect privacy while maintaining model accuracy. Theoretical analysis and experimental results validate the effectiveness of this framework under strong privacy constraints.

engineering, electrical & electronic,computer science, information systems,physics, applied

Dongtai Tang,Yaling Zhang

DOI: https://doi.org/10.1109/CIS58238.2022.00033

2022-12-01

Abstract:Federated Learning (FL) is a special distributed machine learning environment. It is jointly trained by many clients under the coordination of a central server. And differential privacy can provide privacy guarantee for FL. While, federated learning, compared with centralized learning, converges at slower speed. And differential privacy exacerbates this trend. In this paper, we propose a novel FL algorithm named DP-FedADMM to solve these problems. We merge differential privacy (DP) into the FedADMM algorithm and propose a method to handle noisy gradients. Under the guidance of the help of the latest results in differential privacy theory, we provide a privacy proof of DP-FedADMM. Through extensive experiments on datasets, it is demonstrated that DP-FedADMM outperforms the currently popular DP-FedAvg algorithm in terms of model convergence speed.

Computer Science

Shuo Wang,Zhengkang Fang,Keke Gai

DOI: https://doi.org/10.1109/cscloud62866.2024.00038

2024-01-01

Abstract:Federated learning realizes distributed machine learning training by sharing the model rather than sharing the local dataset. However, the local dataset may be leaked during model training. While differential privacy techniques can mitigate privacy leakage to some extent, the noise tends to have a significant negative impact on model accuracy. To minimize the impact of noise on model accuracy and protect the privacy of the original data, we propose an Layer-wise Relevance Propagation-based Adaptive Federated Learning (LRPAFL). To ensure local data privacy, we inject adaptive noises that satisfy DP into the training sample according to the correlation between local training data features and the model. Specifically, we set a correlation boundary ct. We only inject an adaptive amount of noise when the correlation between the feature and the model is greater than or equal to ct. Furthermore, to evaluate the performance of our approach, we propose a relationship between privacy budget and accuracy. We theoretically and experimentally analyze the performance of this model. Compared with the baseline method, our method has a better performance and the proposed model reduces the impact of noise on model accuracy while protecting data. For example, compared with the state-of-the-art scheme, the accuracy of RASFL is increased by 2% when $\epsilon=1$

Zhiqiang Wang,Xinyue Yu,Qianli Huang,Yongguang Gong

2024-08-13

Abstract:Differential privacy is one of the methods to solve the problem of privacy protection in federated learning. Setting the same privacy budget for each round will result in reduced accuracy in training. The existing methods of the adjustment of privacy budget consider fewer influencing factors and tend to ignore the boundaries, resulting in unreasonable privacy budgets. Therefore, we proposed an adaptive differential privacy method based on federated learning. The method sets the adjustment coefficient and scoring function according to accuracy, loss, training rounds, and the number of datasets and clients. And the privacy budget is adjusted based on them. Then the local model update is processed according to the scaling factor and the noise. Fi-nally, the server aggregates the noised local model update and distributes the noised global model. The range of parameters and the privacy of the method are analyzed. Through the experimental evaluation, it can reduce the privacy budget by about 16%, while the accuracy remains roughly the same.

Cryptography and Security,Artificial Intelligence,Distributed, Parallel, and Cluster Computing

Shiwei Lu,Ruihu Li,Wenbin Liu

DOI: https://doi.org/10.1007/s11704-023-2283-x

IF: 2.6688

2024-01-23

Frontiers of Computer Science

Abstract:Federated learning (FL) has emerged to break data-silo and protect clients' privacy in the field of artificial intelligence. However, deep leakage from gradient (DLG) attack can fully reconstruct clients' data from the submitted gradient, which threatens the fundamental privacy of FL. Although cryptology and differential privacy prevent privacy leakage from gradient, they bring negative effect on communication overhead or model performance. Moreover, the original distribution of local gradient has been changed in these schemes, which makes it difficult to defend against adversarial attack. In this paper, we propose a novel federated learning framework with model decomposition, aggregation and assembling (FedDAA), along with a training algorithm, to train federated model, where local gradient is decomposed into multiple blocks and sent to different proxy servers to complete aggregation. To bring better privacy protection performance to FedDAA, an indicator is designed based on image structural similarity to measure privacy leakage under DLG attack and an optimization method is given to protect privacy with the least proxy servers. In addition, we give defense schemes against adversarial attack in FedDAA and design an algorithm to verify the correctness of aggregated results. Experimental results demonstrate that FedDAA can reduce the structural similarity between the reconstructed image and the original image to 0.014 and remain model convergence accuracy as 0.952, thus having the best privacy protection performance and model training effect. More importantly, defense schemes against adversarial attack are compatible with privacy protection in FedDAA and the defense effects are not weaker than those in the traditional FL. Moreover, verification algorithm of aggregation results brings about negligible overhead to FedDAA.

computer science, information systems, theory & methods, software engineering

Xia Wu,Lei Xu,Liehuang Zhu

DOI: https://doi.org/10.3390/app13074168

2023-01-01

Applied Sciences

Abstract:Federated learning is a distributed machine learning paradigm, which utilizes multiple clients’ data to train a model. Although federated learning does not require clients to disclose their original data, studies have shown that attackers can infer clients’ privacy by analyzing the local models shared by clients. Local differential privacy (LDP) can help to solve the above privacy issue. However, most of the existing federated learning studies based on LDP, rarely consider the diverse privacy requirements of clients. In this paper, we propose an LDP-based federated learning framework, that can meet the personalized privacy requirements of clients. We consider both independent identically distributed (IID) datasets and non-independent identically distributed (non-IID) datasets, and design model perturbation methods, respectively. Moreover, we propose two model aggregation methods, namely weighted average method and probability-based selection method. The main idea, is to weaken the impact of those privacy-conscious clients, who choose relatively small privacy budgets, on the federated model. Experiments on three commonly used datasets, namely MNIST, Fashion-MNIST, and forest cover-types, show that the proposed aggregation methods perform better than the classic arithmetic average method, in the personalized privacy preserving scenario.

Xinpeng Ling,Jie Fu,Kuncan Wang,Huifa Li,Tong Cheng,Zhili Chen

2024-08-19

Abstract:Federated learning (FL) is a new machine learning paradigm to overcome the challenge of data silos and has garnered significant attention. However, federated learning faces challenges in fairness and data privacy. To address both of the above challenges simultaneously, we first propose a fairness-aware federated learning algorithm, termed FedFair. Then based on FedFair, we introduce differential privacy protection to form the FedFDP algorithm to address the trade-offs among fairness, privacy protection, and model performance. In FedFDP, we designed an fairness-aware gradient clipping technique to identify the relationship between fairness and differential privacy. Through convergence analysis, we determined the optimal fairness adjustment parameters to simultaneously achieve the best model performance and fairness. Additionally, for the extra uploaded loss values, we present an adaptive clipping method to minimize privacy budget consumption. Extensive experimental results demonstrate that FedFDP significantly outperforms state-of-the-art solutions in terms of model performance and fairness. Codes and datasets will be made public after acceptance.

Cryptography and Security

Sanxiu Jiao,Lecai Cai,Jintao Meng,Yue Zhao,Kui Cheng

DOI: https://doi.org/10.32604/csse.2023.040194

IF: 4.397

2024-01-01

Computer Systems Science and Engineering

Abstract:Federated learning is a distributed machine learning framework that solves data security and data island problems faced by artificial intelligence. However, federated learning frameworks are not always secure, and attackers can attack customer privacy information by analyzing parameters in the training process of federated learning models. To solve the problems of data security and availability during federated learning training, this paper proposes an Efficient Differential Privacy Federated Learning Algorithm based on early stopping mechanism (Efficient DP-FL). This method inherits the advantages of differential privacy and federated learning and improves the performance of model training while protecting the parameter information uploaded by the client during the training process. Specifically, in the federated learning framework, this article uses an adaptive DP-FL method for gradient descent training, which makes the model converge faster than traditional stochastic gradient descent. In addition, due to model convergence, noise should be reduced accordingly. This paper introduces an early stopping mechanism to improve data availability. This paper demonstrates the performance improvement of the Efficient DP-FL algorithm through simulation experiments on real MNIST and Fashion-MNIST datasets. Experimental show that the efficient DP-FL algorithm is significantly superior to other algorithms.

computer science, theory & methods, hardware & architecture

Xiuting Gu,Zhu Tianqing,Jie Li,Tao Zhang,Wei Ren,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1016/j.cose.2022.102907

2022-11-01

Abstract:As applications of machine learning become increasingly widespread, the need to ensure model accuracy and fairness while protecting the privacy of user data becomes more pronounced. On this note, this paper introduces a federated learning training model, which allow clients to simultaneously learn their model and update the associated parameters on a centralized server. In our approach, we seek to achieve an acceptable trade-off between privacy, accuracy, and model fairness by using differential privacy (DP), which also helps to minimize privacy risks by protecting the presence of a specific sample in the training data. Machine learning models can, however, exhibit unintended behaviors, such as unfairness, which result in groups with certain sensitive characteristics (e.g., gender) receiving different patterns of outcomes. Hence, we discuss the fairness and privacy effect of local DP and global DP when applied to federated learning by designing a fair and privacy quantification mechanism. In doing so, we can achieve an acceptable trade-off between accuracy, privacy, and model fairness. We quantify the level of fairness based on the constraints of three definitions of fairness, including demographic parity, equal odds, and equality of opportunity. Finally, findings from our extensive experiments conducted on three real-world datasets with class imbalance demonstrate the positive effect of local and global DP on fairness. Our study also shows that privacy can come at the cost of fairness, as stricter privacy can intensify discrimination. Hence, we posit that careful parameter selection can potentially help achieve a more effective trade-off between utility, bias, and privacy.

computer science, information systems

Yufeng Wang,Jianhua Ma,Xu Zhang,Qun Jin

DOI: https://doi.org/10.1002/cpe.7429

2022-11-01

Abstract:As a distributed learning framework, Federated Learning (FL) allows different local learners/participants to collaboratively train a joint model without exposing their own localdata,andoffersafeasiblesolutiontolegallyresolvedataislands.However,among them, the data privacy and model security are two challenges. The former means that, if original data are used for trained FL models, various methods can be used to deduce the original data samples, thereby causing the leakage of data. The latter implies that unreliable/malicious participants may affect or destroy the joint FL model, through uploading wrong local model parameters. Therefore, this paper proposes a novel distributed FL training framework, namely LDP-Fed + , which takes into account differential privacy protection and model security defense. Specifically, firstly, a local perturbationmoduleisaddedatthelocallearnerside,whichperturbstheoriginaldata of local learners through feature extraction, binary encoding and decoding, and random response. Then, through using the perturbed data, local neural network model is trained to obtain the network parameters that meet local differential protection, to effectively deal with model inversion attacks. Secondly, a security defense module is added on the server side, which uses the auxiliary model and differential index mechanismtoselectanappropriatenumberoflocaldisturbanceparametersforaggre-gationtoenhancemodelsecuritydefenseanddealwithmembershipinferenceattacks. The experimental results show that, compared with other federated learning models based on differential privacy, LDP-Fed + has stronger robustness for model security and higher accuracy for model training while ensuring strict privacy protection.

Computer Science

Xuezheng Liu,Yipeng Zhou,Di Wu,Miao Hu,Jessie Hui Wang,Mohsen Guizani

DOI: https://doi.org/10.1109/jiot.2024.3421991

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Federated learning (FL) emerges as an attractive collaborative machine learning framework that enables training of models across decentralized devices by merely exposing model parameters. However, malicious attackers can still hijack communicated parameters to expose clients' raw samples resulting in privacy leakage. To defend against such attacks, differentially private FL (DPFL) is devised, which incurs negligible computation overhead in protecting privacy by adding noises. Nevertheless, the low model utility and communication efficiency makes DPFL hard to be deployed in the real environment. To overcome these deficiencies, we propose a novel DPFL algorithm called FedDP-SA (namely, federated learning with differential privacy by splitting Local data sets and averaging parameters). Specifically, FedDP-SA splits a local data set into multiple subsets for parameter updating. Then, parameters averaged over all subsets plus differential privacy (DP) noises are returned to the parameter server. FedDP-SA offers dual benefits: 1) enhancing model accuracy by efficiently lowering sensitivity, thereby reducing noise to ensure DP and 2) improving communication efficiency by communicating model parameters with a lower frequency. These advantages are validated through sensitivity analysis and convergence rate analysis. Finally, we conduct comprehensive experiments to verify the performance of FedDP-SA compared with other state-of-the-art baseline algorithms.

Jianzhe Zhao,Keming Mao,Chenxi Huang,Yuyang Zeng

DOI: https://doi.org/10.1155/2021/3344862

IF: 1.4

2021-01-01

Discrete Dynamics in Nature and Society

Abstract:Secure and trusted cross-platform knowledge sharing is significant for modern intelligent data analysis. To address the trade-off problems between privacy and utility in complex federated learning, a novel differentially private federated learning framework is proposed. First, the impact of data heterogeneity of participants on global model accuracy is analyzed quantitatively based on 1-Wasserstein distance. Then, we design a multilevel and multiparticipant dynamic allocation method of privacy budget to reduce the injected noise, and the utility can be improved efficiently. Finally, they are integrated, and a novel adaptive differentially private federated learning algorithm (A-DPFL) is designed. Comprehensive experiments on redefined non-I.I.D MNIST and CIFAR-10 datasets are conducted, and the results demonstrate the superiority of model accuracy, convergence, and robustness.

Meng Hao,Hongwei Li,Guowen Xu,Sen Liu,Haomiao Yang

DOI: https://doi.org/10.1109/icc.2019.8761267

2019-05-01

Abstract:Deep learning has been applied in many areas, such as computer vision, natural language processing and emotion analysis. Differing from the traditional deep learning that collects users’ data centrally, federated deep learning requires participants to train the networks on private datasets and share the training results, and hence has more gratifying efficiency and stronger security. However, it still presents some privacy issues since adversaries can deduce users’ privacy from local outputs, such as gradients. While the problem of private federated deep learning has been an active research issue, the latest research findings are still inadequate in terms of security, accuracy and efficiency. In this paper, we propose an efficient and privacy-preserving federated deep learning protocol based on stochastic gradient descent method by integrating the additively homomorphic encryption with differential privacy. Specifically, users add noises to each local gradients before encrypting them to obtain the optical performance and security. Moreover, our scheme is secure to honest-but-curious server setting even if the cloud server colludes with multiple users. Besides, our scheme supports federated learning for large-scale users scenarios and extensive experiments demonstrate our scheme has high efficiency and high accuracy compared with non-private model.