Lingchen Zhao,Qian Wang,Qin Zou,Yan Zhang,Yanjiao Chen

DOI: https://doi.org/10.1109/tifs.2019.2939713

2018-01-01

Abstract:With powerful parallel computing GPUs and massive user data, neural-network-based deep learning can well exert its strong power in problem modeling and solving, and has archived great success in many applications such as image classification, speech recognition and machine translation etc. While deep learning has been increasingly popular, the problem of privacy leakage becomes more and more urgent. Given the fact that the training data may contain highly sensitive information, e.g., personal medical records, directly sharing them among the users (i.e., participants) or centrally storing them in one single location may pose a considerable threat to user privacy. In this paper, we present a practical privacy-preserving collaborative deep learning system that allows users to cooperatively build a collective deep learning model with data of all participants, without direct data sharing and central data storage. In our system, each participant trains a local model with their own data and only shares model parameters with the others. To further avoid potential privacy leakage from sharing model parameters, we use functional mechanism to perturb the objective function of the neural network in the training process to achieve $\epsilon $ -differential privacy. In particular, for the first time, we consider the existence of unreliable participants , i.e., the participants with low-quality data, and propose a solution to reduce the impact of these participants while protecting their privacy. We evaluate the performance of our system on two well-known real-world datasets for regression and classification tasks. The results demonstrate that the proposed system is robust against unreliable participants, and achieves high accuracy close to the model trained in a traditional centralized manner while ensuring rigorous privacy protection.

Cheng Zhuo,Di Gao,Liangwei Liu

DOI: https://doi.org/10.1109/tbdata.2022.3216566

2024-01-01

IEEE Transactions on Big Data

Abstract:The deployment of deep learning applications has to address the increasing privacy concerns when using private and sensitive data for training. A conventional deep learning model is prone to privacy attacks that can recover the sensitive information from either model parameters or accesses to the inference model. Recently, differential privacy (DP) has been proposed to offer provable privacy guarantees by randomizing the training process of neural networks. However, many approaches tend to provide the worst case privacy protection for model publishing, inevitably impairing the accuracy of the trained models. Thus, we present a novel private knowledge transfer strategy, where the private teacher trained on sensitive data is not publicly accessible but the student models can be released with privacy guarantees. In this paper, a three-player (teacher-student-discriminator) learning framework, Private Knowledge Distillation with Generative Adversarial Networks (PKDGAN), is proposed, where the student acquires the distilled knowledge from the teacher and is trained with the discriminator to generate similar outputs as the teacher. Moreover, a cooperative learning strategy is also suggested to support the collective training of multiple students against the discriminator when each student is with insufficient unlabelled training data. To enforce rigorous privacy guarantees, PKDGAN applies a Rényi differential privacy mechanism throughout the training process, and use it with a moment accountant technique to track the privacy cost. PKDGAN allows students to be trained with unlabelled public data and very few epochs, which avoids the exposure of training data while ensuring model performance. In the experiments, PKDGAN is found to have consistently good performance on various datasets (MNIST, SVHN, CIFAR-10, and Market-1501). When compared to prior works [1], [2], PKDGAN exhibits 5-82% accuracy loss improvement without compromising any privacy guarantee.

Longfei Zheng,Chaochao Chen,Yingting Liu,Bingzhe Wu,Xibin Wu,Li Wang,Lei Wang,Jun Zhou,Shuang Yang

2020-01-01

Abstract:Deep Neural Network (DNN) has been showing great potential in kinds of real-world applications such as fraud detection and distress prediction. Meanwhile, data isolation has become a serious problem currently, i.e., different parties cannot share data with each other. To solve this issue, most research leverages cryptographic techniques to train secure DNN models for multi-parties without compromising their private data. Although such methods have strong security guarantee, they are difficult to scale to deep networks and large datasets due to its high communication and computation complexities. To solve the scalability of the existing secure Deep Neural Network (DNN) in data isolation scenarios, in this paper, we propose an industrial scale privacy preserving neural network learning paradigm, which is secure against semi-honest adversaries. Our main idea is to split the computation graph of DNN into two parts, i.e., the computations related to private data are performed by each party using cryptographic techniques, and the rest computations are done by a neutral server with high computation ability. We also present a defender mechanism for further privacy protection. We conduct experiments on real-world fraud detection dataset and financial distress prediction dataset, the encouraging results demonstrate the practicalness of our proposal.

Guanghui He,Yanli Ren,Jingyuan Jiang,Guorui Feng,Xinpeng Zhang

DOI: https://doi.org/10.1109/tetci.2024.3502434

2024-01-01

IEEE Transactions on Emerging Topics in Computational Intelligence

Abstract:Graph neural networks (GNNs) have become a powerful tool for processing and learning graph data. However, due to the existence of data silos, the privacy of data and the processing result is an important concern. Meanwhile, the malicious example will result in the incorrect output of the model. For the above concerns, this paper proposes privacy-enhanced federated graph network inference against adversarial example attack. Specifically, we adopt secret sharing and homomorphic encryption to ensure the privacy of graph data, where the user can get the final inference, and the server holds nothing except the model parameters. Moreover, in order to prevent malicious users from interfering with the accuracy of the model, an adversarial example detection mechanism on the ciphertext is designed to identify local embedding submitted by malicious users. During the whole process, both local and global embedding are both protected. The experimental results show that the model accuracy is about 69% and 66% with malicious samples on Cora and Citeseer in the domain of ciphertext respectively and they are nearly same as 70% and 69% in the domain of plaintext, which shows the effectiveness of our protocol.

Di Gao,Cheng Zhuo

DOI: https://doi.org/10.3233/FAIA200294

2020-01-01

Abstract:The deployment of deep learning applications has to address the growing privacy concerns when using private and sensitive data for training. A conventional deep learning model is prone to privacy attacks that can recover the sensitive information of individuals from either model parameters or accesses to the target model. Recently, differential privacy that offers provable privacy guarantees has been proposed to train neural networks in a privacy-preserving manner to protect training data. However, many approaches tend to provide the worst case privacy guarantees for model publishing, inevitably impairing the accuracy of the trained models. In this paper, we present a novel private knowledge transfer strategy, where the private teacher trained on sensitive data is not publicly accessible but teaches a student to be publicly released. In particular, a three-player (teacher-student-discriminator) learning framework is proposed to achieve trade-off between utility and privacy, where the student acquires the distilled knowledge from the teacher and is trained with the discriminator to generate similar outputs as the teacher. We then integrate a differential privacy protection mechanism into the learning procedure, which enables a rigorous privacy budget for the training. The framework eventually allows student to be trained with only unlabelled public data and very few epochs, and hence prevents the exposure of sensitive training data, while ensuring model utility with a modest privacy budget. The experiments on MNIST, SVHN and CIFAR-10 datasets show that our students obtain the accuracy losses w.r.t teachers of 0.89%, 2.29%, 5.16%, respectively with the privacy bounds of (1.93, 10(-5)), (5.02, 10(-6)), (8.81, 10(-6)). When compared with the existing works [15, 20], the proposed work can achieve 582% accuracy loss improvement.

Chuan Zhang,Chenfei Hu,Tong Wu,Liehuang Zhu,Ximeng Liu

DOI: https://doi.org/10.1109/TDSC.2022.3208706

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:The neural network has been widely used to train predictive models for applications such as image processing, disease prediction, and face recognition. To produce more accurate models, powerful third parties (e.g., clouds) are usually employed to collect data from a large number of users, which however may raise concerns about user privacy. In this paper, we propose an Efficient and Privacy-preserving Neural Network scheme, named EPNN, to deal with the privacy issues in cloud-based neural networks. EPNN is designed based on a two-cloud model and techniques of data perturbation and additively homomorphic cryptosystem. This scheme enables two clouds to cooperatively perform neural network training and prediction in a privacy-preserving manner and significantly reduces the computation and communication overhead among participating entities. Through a detailed analysis, we demonstrate the security of EPNN. Extensive experiments based on real-world datasets show EPNN is more efficient than existing schemes in terms of computational costs and communication overhead.

Wen Huang,Ganglin Zhang,Yongjian Liao,Jian Peng,Feihu Huang,Jvlong Yang

DOI: https://doi.org/10.1109/tsc.2023.3332744

IF: 11.019

2023-01-01

IEEE Transactions on Services Computing

Abstract:With the popularity of artificial intelligence and cloud computing, many neural network models can be placed on the cloud server as an open service, such as Google Goggles and the online face recognition system of Baidu. The data owner sends his data to the cloud server to get the prediction result of data. Obviously, the cloud service provider can access model parameters and private data if there is no additional protection mechanism. On the one hand, if the adversary can access private data, they can freely use the artificial intelligence model and Big Data technologies to analyze the data owner. On the other hand, when the adversary can access model parameters, the interest of model owner would be harmed. Thus, preserving model parameters (model privacy) and private data (data privacy) becomes the key for applying neural network models as open cloud services. In this paper, to protect the model privacy and data privacy in neural network prediction even when a cloud service provider colludes with the data owner or the model owner, we first propose a new system model with two no-colluding cloud servers and a corresponding security model. Then, we propose a new non-interactive outsourcing scheme, which can protect model privacy together with data privacy. Our scheme is able to resist collusive attacks of one server and the data owner as well as collusive attacks of one server and the model owner. At last, the security analyses indicate that our scheme just needs no collusion between cloud servers. The performance analyses indicate that our scheme is very lightweight for the data owner, and it is about tens of milliseconds for a neural network model with 1000 parameters.

computer science, information systems, software engineering

Zhengqiang Ge,Zhipeng Zhou,Dong Guo,Qiang Li

DOI: https://doi.org/10.48550/arXiv.2104.04709

2021-04-10

Cryptography and Security

Abstract:Neural networks, with the capability to provide efficient predictive models, have been widely used in medical, financial, and other fields, bringing great convenience to our lives. However, the high accuracy of the model requires a large amount of data from multiple parties, raising public concerns about privacy. Privacy-preserving neural network based on multi-party computation is one of the current methods used to provide model training and inference under the premise of solving data privacy. In this study, we propose a new two-party privacy-preserving neural network training and inference framework in which privacy data is distributed to two non-colluding servers. We construct a preprocessing protocol for mask generation, support and realize secret sharing comparison on 2PC, and propose a new method to further reduce the communication rounds. Based on the comparison protocol, we construct building blocks such as division and exponential, and realize the process of training and inference that no longer needs to convert between different types of secret sharings and is entirely based on arithmetic secret sharing. Compared with the previous works, our work obtains higher accuracy, which is very close to that of plaintext training. While the accuracy has been improved, the runtime is reduced, considering the online phase, our work is 5x faster than SecureML, 4.32-5.75x faster than SecureNN, and is very close to the current optimal 3PC implementation, FALCON. For secure inference, as far as known knowledge is concerned, we should be the current optimal 2PC implementation, which is 4-358x faster than other works.

Qiushi Li,Ju Ren,Yuezhi Zhou,Yaoxue Zhang

DOI: https://doi.org/10.1109/icc45855.2022.9839218

2022-01-01

Abstract:Today's intelligent services are built on well-trained deep neural network (DNN) models, which usually require large private datasets along with a high cost for model training. It consequently makes the model providers cherish the pre-trained DNN models and only distribute them to authorized users. However, malicious users can steal these valuable models for abuse, illegal copy and redistribution. Attackers can also extract private features from even authorized models to leak partial training datasets. They both violate privacy. Existing techniques from secure community attempt to avoid parameter leakage during model authorization but yet cannot solve privacy issues sufficiently. In this paper, we propose a privacy-preserving model authorization approach, AgAuth, to resist the aforementioned privacy threats. We devise a novel scheme called Information-Agnostic Conversion (IAC) for forwarding procedure to eliminate residual features in model parameters. Based on it, we then propose Inference-on-Ciphertext (CiFer) mechanism for DNN reasoning, which includes three stages in each forwarding. The Encrypt phase first converts the proprietary model parameters to demonstrate uniform distribution. The Forward stage performs forwarding function without decryption at authorized side. Specifically, this stage just computes over ciphertext. The Decrypt phase finally recovers the information-agnostic outputs to informative output tensor for real-world services. In addition, we implement a prototype and conduct extensive experiments to evaluate its performance. The qualitative and quantitative results demonstrate that our solution AgAuth is privacy-preserving to defend against model theft and feature leakage, without accuracy loss or notable performance decrease.

Weiheng Chai,Brian Testa,Huantao Ren,Asif Salekin,Senem Velipasalar

2024-02-15

Abstract:Deep neural networks are extensively applied to real-world tasks, such as face recognition and medical image classification, where privacy and data protection are critical. Image data, if not protected, can be exploited to infer personal or contextual information. Existing privacy preservation methods, like encryption, generate perturbed images that are unrecognizable to even humans. Adversarial attack approaches prohibit automated inference even for authorized stakeholders, limiting practical incentives for commercial and widespread adaptation. This pioneering study tackles an unexplored practical privacy preservation use case by generating human-perceivable images that maintain accurate inference by an authorized model while evading other unauthorized black-box models of similar or dissimilar objectives, and addresses the previous research gaps. The datasets employed are ImageNet, for image classification, Celeba-HQ dataset, for identity classification, and AffectNet, for emotion classification. Our results show that the generated images can successfully maintain the accuracy of a protected model and degrade the average accuracy of the unauthorized black-box models to 11.97%, 6.63%, and 55.51% on ImageNet, Celeba-HQ, and AffectNet datasets, respectively.

Computer Vision and Pattern Recognition,Machine Learning

Meng Li,Liangzhen Lai,Naveen Suda,Vikas Chandra,David Z. Pan

DOI: https://doi.org/10.48550/arxiv.1709.06161

2017-01-01

Abstract:Massive data exist among user local platforms that usually cannot support deep neural network (DNN) training due to computation and storage resource constraints. Cloud-based training schemes provide beneficial services but suffer from potential privacy risks due to excessive user data collection. To enable cloud-based DNN training while protecting the data privacy simultaneously, we propose to leverage the intermediate representations of the data, which is achieved by splitting the DNNs and deploying them separately onto local platforms and the cloud. The local neural network (NN) is used to generate the feature representations. To avoid local training and protect data privacy, the local NN is derived from pre-trained NNs. The cloud NN is then trained based on the extracted intermediate representations for the target learning task. We validate the idea of DNN splitting by characterizing the dependency of privacy loss and classification accuracy on the local NN topology for a convolutional NN (CNN) based image classification task. Based on the characterization, we further propose PrivyNet to determine the local NN topology, which optimizes the accuracy of the target learning task under the constraints on privacy loss, local computation, and storage. The efficiency and effectiveness of PrivyNet are demonstrated with the CIFAR-10 dataset.

Yuke Zhang,Dake Chen,Souvik Kundu,Haomei Liu,Ruiheng Peng,Peter A. Beerel

2023-04-26

Abstract:Recently, private inference (PI) has addressed the rising concern over data and model privacy in machine learning inference as a service. However, existing PI frameworks suffer from high computational and communication costs due to the expensive multi-party computation (MPC) protocols. Existing literature has developed lighter MPC protocols to yield more efficient PI schemes. We, in contrast, propose to lighten them by introducing an empirically-defined privacy evaluation. To that end, we reformulate the threat model of PI and use inference data privacy attacks (IDPAs) to evaluate data privacy. We then present an enhanced IDPA, named distillation-based inverse-network attack (DINA), for improved privacy evaluation. Finally, we leverage the findings from DINA and propose C2PI, a two-party PI framework presenting an efficient partitioning of the neural network model and requiring only the initial few layers to be performed with MPC protocols. Based on our experimental evaluations, relaxing the formal data privacy guarantees C2PI can speed up existing PI frameworks, including Delphi [1] and Cheetah [2], up to 2.89x and 3.88x under LAN and WAN settings, respectively, and save up to 2.75x communication costs.

Cryptography and Security

Minghui Li,Yuejing Yan,Qian Wang,Minxin Du,Zhan Qin,Cong Wang

DOI: https://doi.org/10.1109/mnet.011.2000293

IF: 10.294

2021-01-01

IEEE Network

Abstract:Neural networks have attracted much attention due to their excellent performance in providing insightful predictions. The trained neural network models usually have millions of parameters requiring massive storage resources, which motivates the model owner to deploy their models to cloud servers for relieving the storage burden. The client can also directly enjoy the prediction service provided by the cloud server. Albeit convenient, untrusted cloud servers may violate the privacy of the model owners and the clients, which hinders the wide applications of such a prediction service. This survey reviews various privacy-preserving neural network prediction services, which protect the privacy of the model and the query. Many protocols are in the basic secure two-party computation (S2C) setting, which protects the secret of the querier and the model owner against the counterparty. Secure outsourcing further protects the privacy of the model against the cloud hosting it for the prediction service. We compare the existing approaches in terms of security, accuracy, and efficiency. We then propose an optimized neural network prediction scheme in the outsourcing setting, which simultaneously achieves high accuracy, model privacy, and low overheads, and conduct an experimental evaluation for computation time and communication costs. Finally, we highlight several future research directions and provide new insights into open problems in strengthening security and improving efficiency.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Li Minghui,Chow Sherman S. M.,Hu Shengshan,Yan Yuejing,Du Minxin,Wang Zhibo

2020-01-01

Abstract: Neural networks provide better prediction performance than previous techniques. Prediction-as-a-service thus becomes popular, especially in the outsourced setting since it involves extensive computation. Recent researches focus on the privacy of the query and results, but they do not provide model privacy against the model-hosting server and may leak partial information about the results. Some of them further require frequent interactions with the querier or heavy computation overheads. This paper proposes a new scheme for privacy-preserving neural network prediction in the outsourced setting, i.e., the server cannot learn the query, (intermediate) results, and the model. Similar to SecureML (S\&P'17), a representative work which provides model privacy, we leverage two non-colluding servers with secret sharing and triplet generation to minimize the usage of heavyweight cryptography. Further, we adopt asynchronous computation to improve the throughput, and design garbled circuits for the non-polynomial activation function to keep the same accuracy as the underlying network (instead of approximating it). Our experiments on four neural network architectures show that our scheme achieves an average of 282 times improvements in reducing latency compared to SecureML. Compared to MiniONN (CCS'17) and EzPC (EuroS\&P'19), both without model privacy, our scheme also has 18 times and 10 times lower latency, respectively. For the communication costs, our scheme outperforms SecureML by 122 times, MiniONN by 49 times, and EzPC by 38 times.

Zhibo Wang,Mengkai Song,Siyan Zheng,Zhifei Zhang,Yang Song,Qian Wang

DOI: https://doi.org/10.1109/tdsc.2019.2929047

2019-01-01

Abstract:Y Recent studies demonstrated that deep neural networks (DNNs) are vulnerable to adversarial examples, which would seriously threaten security-sensitive applications. Existing works synthesized the adversarial examples by perturbing the original/benign images by leveraging the L-p-norm to penalize the perturbations, which restricts the pixel-wise distance between the adversarial images and correspondingly benign images. However, they added perturbations globally to the benign images without explicitly considering their content/spacial structure, resulting in noticeable artifacts especially in those originally clean regions, e.g., sky and smooth surface. In this paper, we propose an invisible adversarial attack, which synthesizes adversarial examples that are visually indistinguishable from benign ones. We adaptively distribute the perturbation according to human sensitivity to a local stimulus in the benign image, i.e., the higher insensitivity, the more perturbation. Two types of adaptive adversarial attacks are proposed: 1) coarse-grained and 2) fine-grained. The former conducts L-p-norm regularized by the novel spatial constraints, which utilizes the rich information of the cluttered regions to mask perturbation. The latter, called Just Noticeable Distortion (JND)-based adversarial attack, utilizes the proposed JND(p) metric for better measuring the perceptual similarity, and adaptively sets penalty by weighting the pixel-wise perceptual redundancy of an image. We conduct extensive experiments on the MNIST, CIFAR-10 and ImageNet datasets and a comprehensive user study with 50 participants. The experimental results demonstrate that JND(p) is a better metric for measuring the perceptual similarity than L-p-norm, and the proposed adaptive adversarial attacks can synthesize indistinguishable adversarial examples from benign ones and outperform the state-of-the-art methods.

Ardhendu Tripathy,Ye Wang,Prakash Ishwar

DOI: https://doi.org/10.48550/arXiv.1712.07008

2019-06-12

Abstract:We propose a data-driven framework for optimizing privacy-preserving data release mechanisms to attain the information-theoretically optimal tradeoff between minimizing distortion of useful data and concealing specific sensitive information. Our approach employs adversarially-trained neural networks to implement randomized mechanisms and to perform a variational approximation of mutual information privacy. We validate our Privacy-Preserving Adversarial Networks (PPAN) framework via proof-of-concept experiments on discrete and continuous synthetic data, as well as the MNIST handwritten digits dataset. For synthetic data, our model-agnostic PPAN approach achieves tradeoff points very close to the optimal tradeoffs that are analytically-derived from model knowledge. In experiments with the MNIST data, we visually demonstrate a learned tradeoff between minimizing the pixel-level distortion versus concealing the written digit.

Information Theory,Cryptography and Security,Computer Science and Game Theory,Machine Learning

Pengtao Xie,Misha Bilenko,Tom Finley,Ran Gilad-Bachrach,Kristin Lauter,Michael Naehrig

DOI: https://doi.org/10.48550/arXiv.1412.6181

2014-12-24

Abstract:The problem we address is the following: how can a user employ a predictive model that is held by a third party, without compromising private information. For example, a hospital may wish to use a cloud service to predict the readmission risk of a patient. However, due to regulations, the patient's medical files cannot be revealed. The goal is to make an inference using the model, without jeopardizing the accuracy of the prediction or the privacy of the data. To achieve high accuracy, we use neural networks, which have been shown to outperform other learning models for many tasks. To achieve the privacy requirements, we use homomorphic encryption in the following protocol: the data owner encrypts the data and sends the ciphertexts to the third party to obtain a prediction from a trained model. The model operates on these ciphertexts and sends back the encrypted prediction. In this protocol, not only the data remains private, even the values predicted are available only to the data owner. Using homomorphic encryption and modifications to the activation functions and training algorithms of neural networks, we show that it is protocol is possible and may be feasible. This method paves the way to build a secure cloud-based neural network prediction services without invading users' privacy.

Machine Learning,Cryptography and Security,Neural and Evolutionary Computing

Wenzhuo Yang,Yipeng Zhou,Miao Hu,Di Wu,Xi Zheng,Jessie Hui Wang,Song Guo,Chao Li

DOI: https://doi.org/10.1109/jiot.2021.3102030

IF: 10.6

2021-01-01

IEEE Internet of Things Journal

Abstract:Federated learning (FL) is an emerging paradigm through which decentralized devices can collaboratively train a common model. However, a serious concern is the leakage of privacy from exchanged gradient information between clients and the parameter server (PS) in FL. To protect gradient information, clients can adopt differential privacy (DP) to add additional noises and distort original gradients before they are uploaded to the PS. Nevertheless, the model accuracy will be significantly impaired by DP noises, making DP impracticable in real systems. In this work, we propose a novel noise information secretly sharing (NISS) algorithm to alleviate the disturbance of DP noises by sharing negated noises among clients. We theoretically prove that: 1) if clients are trustworthy, DP noises can be perfectly offset on the PS and 2) clients can easily distort negated DP noises to protect themselves in case that other clients are not totally trustworthy, though the cost lowers model accuracy. NISS is particularly applicable for FL across multiple Internet of Things (IoT) systems, in which all IoT devices need to collaboratively train a model. To verify the effectiveness and the superiority of the NISS algorithm, we conduct experiments with the MNIST and CIFAR-10 data sets. The experimental results verify our analysis and demonstrate that NISS can improve model accuracy by 19% on average and obtain better privacy protection if clients are trustworthy.

Sanjay Kariyappa,Ousmane Dia,Moinuddin K Qureshi

DOI: https://doi.org/10.48550/arXiv.2104.02261

2021-04-06

Cryptography and Security

Abstract:User-facing software services are becoming increasingly reliant on remote servers to host Deep Neural Network (DNN) models, which perform inference tasks for the clients. Such services require the client to send input data to the service provider, who processes it using a DNN and returns the output predictions to the client. Due to the rich nature of the inputs such as images and speech, the input often contains more information than what is necessary to perform the primary inference task. Consequently, in addition to the primary inference task, a malicious service provider could infer secondary (sensitive) attributes from the input, compromising the client's privacy. The goal of our work is to improve inference privacy by injecting noise to the input to hide the irrelevant features that are not conducive to the primary classification task. To this end, we propose Adaptive Noise Injection (ANI), which uses a light-weight DNN on the client-side to inject noise to each input, before transmitting it to the service provider to perform inference. Our key insight is that by customizing the noise to each input, we can achieve state-of-the-art trade-off between utility and privacy (up to 48.5% degradation in sensitive-task accuracy with <1% degradation in primary accuracy), significantly outperforming existing noise injection schemes. Our method does not require prior knowledge of the sensitive attributes and incurs minimal computational overheads.

Yamin Sepehri,Pedram Pad,Pascal Frossard,L. Andrea Dunbar

2024-08-09

Abstract:The training phase of deep neural networks requires substantial resources and as such is often performed on cloud servers. However, this raises privacy concerns when the training dataset contains sensitive content, e.g., face images. In this work, we propose a method to perform the training phase of a deep learning model on both an edge device and a cloud server that prevents sensitive content being transmitted to the cloud while retaining the desired information. The proposed privacy-preserving method uses adversarial early exits to suppress the sensitive content at the edge and transmits the task-relevant information to the cloud. This approach incorporates noise addition during the training phase to provide a differential privacy guarantee. We extensively test our method on different facial datasets with diverse face attributes using various deep learning architectures, showcasing its outstanding performance. We also demonstrate the effectiveness of privacy preservation through successful defenses against different white-box and deep reconstruction attacks.

Computer Vision and Pattern Recognition,Cryptography and Security,Distributed, Parallel, and Cluster Computing,Machine Learning,Image and Video Processing