Yingting Liu,Chaochao Chen,Longfei Zheng,Li Wang,Jun Zhou,Guiquan Liu,Shuang Yang

DOI: https://doi.org/10.48550/arxiv.2002.02091

2020-01-01

Abstract:In this paper, we present a general multiparty modeling paradigm with PrivacyPreserving Principal Component Analysis (PPPCA) for horizontally partitioneddata. PPPCA can accomplish multiparty cooperative execution of PCA under thepremise of keeping plaintext data locally. We also propose implementationsusing two techniques, i.e., homomorphic encryption and secret sharing. Theoutput of PPPCA can be sent directly to data consumer to build any machinelearning models. We conduct experiments on three UCI benchmark datasets and areal-world fraud detection dataset. Results show that the accuracy of the modelbuilt upon PPPCA is the same as the model with PCA that is built based oncentralized plaintext data.

Xiong Li,Jiabei He,Pandi Vijayakumar,Xiaosong Zhang,Victor Chang,P. Vijayakumar

DOI: https://doi.org/10.1109/tii.2021.3110808

IF: 12.3

2021-01-01

IEEE Transactions on Industrial Informatics

Abstract:As a highly integrated industrial system, human cyber-physical systems (HCPSs) provide accurate and high-quality services for Industry 5.0. In HCPSs, machine learning (ML) prediction provides reliable prediction results for users based on matured models, while security and privacy protection are considerable issues. In this article, based on the modified Okamoto–Uchiyama homomorphic encryption, we propose a verifiable privacy-preserving machine learning prediction scheme for the edge-enhanced HCPSs, which outputs the verifiable prediction results for users without privacy leakage. Specifically, a batch of prediction results can be verified at one time, which improves the efficiency of verification. Security analysis shows that our scheme protects the privacy of inputs, ML model, and prediction results. The experiment results demonstrate that the edge computing architecture remarkably alleviates the computational burden of the cloud server. Furthermore, compared with other related schemes, our scheme shows the best execution efficiency, and batch verification optimizes the performance by about 15% compared with single verification on the same scale.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Payman Mohassel,Yupeng Zhang

DOI: https://doi.org/10.1109/sp.2017.12

2017-05-01

Abstract:Machine learning is widely used in practice to produce predictive models for applications such as image processing, speech and text recognition. These models are more accurate when trained on large amount of data collected from different sources. However, the massive data collection raises privacy concerns. In this paper, we present new and efficient protocols for privacy preserving machine learning for linear regression, logistic regression and neural network training using the stochastic gradient descent method. Our protocols fall in the two-server model where data owners distribute their private data among two non-colluding servers who train various models on the joint data using secure two-party computation (2PC). We develop new techniques to support secure arithmetic operations on shared decimal numbers, and propose MPC-friendly alternatives to nonlinear functions such as sigmoid and softmax that are superior to prior work. We implement our system in C++. Our experiments validate that our protocols are several orders of magnitude faster than the state of the art implementations for privacy preserving linear and logistic regressions, and scale to millions of data samples with thousands of features. We also implement the first privacy preserving system for training neural networks.

Chenfei Hu,Chuan Zhang,Dian Lei,Tong Wu,Ximeng Liu,Liehuang Zhu

DOI: https://doi.org/10.1109/TIFS.2023.3283104

2023-01-01

Abstract:With the proliferation of machine learning, the cloud server has been employed to collect massive data and train machine learning models. Several privacy-preserving machine learning schemes have been suggested recently to guarantee data and model privacy in the cloud. However, these schemes either mandate the involvement of the data owner in model training or utilize high-cost cryptographic techniques, resulting in excessive computational and communication overheads. Furthermore, none of the existing work considers the malicious behavior of the cloud server during model training. In this paper, we propose the first privacy-preserving and verifiable support vector machine training scheme by employing a two-cloud platform. Specifically, based on the homomorphic verification tag, we design a verification mechanism to enable verifiable machine learning training. Meanwhile, to improve the efficiency of model training, we combine homomorphic encryption and data perturbation to design an efficient multiplication operation for the encryption domain. A rigorous theoretical analysis demonstrates the security and reliability of our scheme. The experimental results indicate that our scheme can reduce computational and communication overheads by at least 43.94% and 99.58%, respectively, compared to state-of-the-art SVM training methods.

Benxin Yin,Hanlin Zhang,Jie Lin,Fanyu Kong,Leyun Yu

DOI: https://doi.org/10.1016/j.cose.2024.103700

IF: 5.105

2024-01-11

Computers & Security

Abstract:Machine learning has been applied in a wide range of various fields. To train more effective control models, it is a trend for organizations holding their private data to collaborate with others, which raises privacy problems. Federated learning allows multiple participants to train learning models collaboratively without sharing their private training data but only the gradient. Nonetheless, recent researches show that sharing the gradient can also cause the original data leakage. To eliminate the data leakage of federated learning, in this paper, we propose a secure multiparty federated learning control system, including a secure training process and a secure prediction process. In the training process, data providers train the learning model collaboratively without disclosing local data. The trained model can be verified by participants. The data providers can then provide users with prediction services based on the trained model. In the prediction process, data providers cannot access the user data, and users cannot obtain the model. Also, the prediction result can be verified by users. We carry out comprehensive experiments to demonstrate the effectiveness of our proposed scheme.

computer science, information systems

Chengkun Wei,Minghu Zhao,Zhikun Zhang,Min Chen,Wenlong Meng,Bo Liu,Yuan Fan,Wenzhi Chen

DOI: https://doi.org/10.1145/3576915.3616593

2023-01-01

Abstract:Differential privacy (DP), as a rigorous mathematical definition quantifying privacy leakage, has become a well-accepted standard for privacy protection. Combined with powerful machine learning (ML) techniques, differentially private machine learning (DPML) is increasingly important. As the most classic DPML algorithm, DP-SGD incurs a significant loss of utility, which hinders DPML's deployment in practice. Many studies have recently proposed improved algorithms based on DP-SGD to mitigate utility loss. However, these studies are isolated and cannot comprehensively measure the performance of improvements proposed in algorithms. More importantly, there is a lack of comprehensive research to compare improvements in these DPML algorithms across utility, defensive capabilities, and generalizability. We fill this gap by performing a holistic measurement of improved DPML algorithms on utility and defense capability against membership inference attacks (MIAs) on image classification tasks. We first present a taxonomy of where improvements are located in the ML life cycle. Based on our taxonomy, we jointly perform an extensive measurement study of the improved DPML algorithms, over twelve algorithms, four model architectures, four datasets, two attacks, and various privacy budget configurations. We also cover state-of-the-art label differential privacy (Label DP) algorithms in the evaluation. According to our empirical results, DP can effectively defend against MIAs, and sensitivity-bounding techniques such as per-sample gradient clipping play an important role in defense. We also explore some improvements that can maintain model utility and defend against MIAs more effectively. Experiments show that Label DP algorithms achieve less utility loss but are fragile to MIAs. ML practitioners may benefit from these evaluations to select appropriate algorithms. To support our evaluation, we implement a modular re-usable software, DPMLBench,(1) which enables sensitive data owners to deploy DPML algorithms and serves as a benchmark tool for researchers and practitioners.

Mingyun Bian,Yanli Ren,Gang He,Guorui Feng,Xinpeng Zhang

DOI: https://doi.org/10.1016/j.ins.2024.120547

IF: 8.1

2024-01-01

Information Sciences

Abstract:Transformer is emerging as a promising model with intrinsic traits in various multi-modal applications. Edge computing has provided an efficient platform for computationally-weak clients, but this entails risks to confidential data and proprietary models. Prior works on the privacy-preserving transformer-based inference only process a single modal data and protect confidential data or model parameters, or approximate non-linear functions with utility degradation. To mitigate the aforementioned issues, we propose the first verifiable outsourcing framework for multi-modal multi-task prediction (VMMP) via the additive secret sharing technique in an edge computing paradigm, which not only ensures the confidentiality of local data and model parameters but also guarantees the verifiability of prediction results. The security analysis and computational consumption reveal that VMMP can save the time costs of clients by 87%, 30%, and 40% compared to the original model on three types of cross-modal tasks and achieves significant time cost savings on the client side compared to the previous works in a secure manner. To evaluate the effective utility, VMMP is examined on three public datasets across visual and language modalities. Extensive evaluations indicate that VMMP outperforms the related works without utility degradation.

Dian Lei,Jinwen Liang,Chuan Zhang,Ximeng Liu,Daojing He,Liehuang Zhu,Song Guo

DOI: https://doi.org/10.1109/jiot.2023.3326358

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:In cloud-based health monitoring services, healthcare centers often outsource SVM-based clinical decision models to provide remote users with clinical decisions. During service provisioning, authorized external organizations like insurance companies aim to verify decision correctness to prevent fraudulent medical reimbursements. However, existing verifiable and secure SVM classification schemes have predominantly focused on user self-verification, thereby introducing potential risks of privacy leakage (such as input data exposure) in publicly verifiable scenarios. To address the aforementioned limitation, we propose a publicly verifiable and secure SVM classification scheme (PVSSVM) for cloud-based health monitoring services in a malicious setting, which can accommodate the verification needs of users or authorized external organizations with respect to potential malicious results returned by cloud servers. Specifically, we utilize homomorphic encryption and secret sharing to protect the model and data confidentiality in the cloud server, respectively. Based on a multi-server verifiable computation framework, PVSSVM achieves public verification of predicted results. Additionally, we further investigate its performance. Experimental evaluations demonstrate that PVSSVM outperforms existing state-of-the-art solutions in terms of computation and communication overhead. Notably, in the verification scenario of large-scale predictions, the proposed scheme achieves a reduction of approximately 83.71% in computation overhead through batch verification, as compared to one-by-one verification.

Fei Zheng,Chaochao Chen,Xiaolin Zheng,Mingjie Zhu

DOI: https://doi.org/10.1016/j.knosys.2022.108609

IF: 8.139

2022-01-01

Knowledge-Based Systems

Abstract:With the increasing demand for privacy protection, privacy-preserving machine learning has been drawing much attention from both academia and industry. However, most existing methods have their limitations in practical applications. On the one hand, although most cryptographic methods are provable secure, they bring heavy computation and communication. On the other hand, the security of many relatively efficient privacy-preserving techniques (e.g., federated learning and split learning) is being questioned, since they are non-provable secure. Inspired by previous work on privacy-preserving machine learning, we build a privacy-preserving machine learning framework by combining random permutation and arithmetic secret sharing via our compute-after-permutation technique. Our method is more efficient than existing cryptographic methods, since it can reduce the cost of element-wise function computation. Moreover, by adopting distance correlation as a metric for evaluating privacy leakage, we demonstrate that our method is more secure than previous non-provable secure methods. Overall, our proposal achieves a good balance between security and efficiency. Experimental results show that our method not only is up to 5 × faster and reduces up to 80% network traffic compared with state-of-the-art cryptographic methods, but also leaks less privacy during the training process compared with non-provable secure methods.

Tianpei Lu,Bingsheng Zhang,Lichun Li,Kui Ren

2024-11-14

Abstract:With the increasing emphasis on privacy regulations, such as GDPR, protecting individual privacy and ensuring compliance have become critical concerns for both individuals and organizations. Privacy-preserving machine learning (PPML) is an innovative approach that allows for secure data analysis while safeguarding sensitive information. It enables organizations to extract valuable insights from data without compromising privacy. Secure multi-party computation (MPC) is a key tool in PPML, as it allows multiple parties to jointly compute functions without revealing their private inputs, making it essential in multi-server environments. We address the performance overhead of existing maliciously secure protocols, particularly in finite rings like $\mathbb{Z}_{2^\ell}$, by introducing an efficient protocol for secure linear function evaluation. We implement our maliciously secure MPC protocol on GPUs, significantly improving its efficiency and scalability. We extend the protocol to handle linear and non-linear layers, ensuring compatibility with a wide range of machine-learning models. Finally, we comprehensively evaluate machine learning models by integrating our protocol into the workflow, enabling secure and efficient inference across simple and complex models, such as convolutional neural networks (CNNs).

Cryptography and Security

Xin Wang,Hideaki Ishii,Linkang Du,Peng Cheng,Jiming Chen

DOI: https://doi.org/10.1109/cdc40024.2019.9029938

2019-01-01

Abstract:Distributed machine learning (DML) has received widespread attentions, where a shared prediction model is collaboratively learned by multiple servers. However, since the data used for model training often contains users' sensitive information, DML faces potential risks of privacy disclosure. Particularly, when servers are untrustworthy, it is critical while challenging to guarantee users to obtain privacy preservation that is self-controllable and does not weaken in strength during the whole DML process. In this paper, we propose a privacy-preserving solution for DML, where privacy protection is achieved through data randomization at the users' side and a modified alternating direction method of multipliers (ADMM) algorithm is designed for servers to mitigate the effect of data perturbation. We prove that this solution provides differential privacy guarantee and preserves the convergence property of a general ADMM paradigm. Also, we provide extensive theoretical analysis about the performance of the trained model. Numerical experiments using standard classification datasets are finally conducted to validate the theoretical results.

Runhua Xu,Nathalie Baracaldo,James Joshi

DOI: https://doi.org/10.48550/arXiv.2108.04417

IF: 5.414

2021-08-10

Machine Learning

Abstract:Machine learning (ML) is increasingly being adopted in a wide variety of application domains. Usually, a well-performing ML model relies on a large volume of training data and high-powered computational resources. Such a need for and the use of huge volumes of data raise serious privacy concerns because of the potential risks of leakage of highly privacy-sensitive information; further, the evolving regulatory environments that increasingly restrict access to and use of privacy-sensitive data add significant challenges to fully benefiting from the power of ML for data-driven applications. A trained ML model may also be vulnerable to adversarial attacks such as membership, attribute, or property inference attacks and model inversion attacks. Hence, well-designed privacy-preserving ML (PPML) solutions are critically needed for many emerging applications. Increasingly, significant research efforts from both academia and industry can be seen in PPML areas that aim toward integrating privacy-preserving techniques into ML pipeline or specific algorithms, or designing various PPML architectures. In particular, existing PPML research cross-cut ML, systems and applications design, as well as security and privacy areas; hence, there is a critical need to understand state-of-the-art research, related challenges and a research roadmap for future research in PPML area. In this paper, we systematically review and summarize existing privacy-preserving approaches and propose a Phase, Guarantee, and Utility (PGU) triad based model to understand and guide the evaluation of various PPML solutions by decomposing their privacy-preserving functionalities. We discuss the unique characteristics and challenges of PPML and outline possible research directions that leverage as well as benefit multiple research communities such as ML, distributed systems, security and privacy.

Matthew Wicker,Philip Sosnin,Igor Shilov,Adrianna Janik,Mark N. Müller,Yves-Alexandre de Montjoye,Adrian Weller,Calvin Tsay

2024-10-31

Abstract:Differential privacy upper-bounds the information leakage of machine learning models, yet providing meaningful privacy guarantees has proven to be challenging in practice. The private prediction setting where model outputs are privatized is being investigated as an alternate way to provide formal guarantees at prediction time. Most current private prediction algorithms, however, rely on global sensitivity for noise calibration, which often results in large amounts of noise being added to the predictions. Data-specific noise calibration, such as smooth sensitivity, could significantly reduce the amount of noise added, but were so far infeasible to compute exactly for modern machine learning models. In this work we provide a novel and practical approach based on convex relaxation and bound propagation to compute a provable upper-bound for the local and smooth sensitivity of a prediction. This bound allows us to reduce the magnitude of noise added or improve privacy accounting in the private prediction setting. We validate our framework on datasets from financial services, medical image classification, and natural language processing and across models and find our approach to reduce the noise added by up to order of magnitude.

Machine Learning,Artificial Intelligence

Arman Riasi,Jorge Guajardo,Thang Hoang

2024-11-12

Abstract:Machine learning has revolutionized data analysis and pattern recognition, but its resource-intensive training has limited accessibility. Machine Learning as a Service (MLaaS) simplifies this by enabling users to delegate their data samples to an MLaaS provider and obtain the inference result using a pre-trained model. Despite its convenience, leveraging MLaaS poses significant privacy and reliability concerns to the client. Specifically, sensitive information from the client inquiry data can be leaked to an adversarial MLaaS provider. Meanwhile, the lack of a verifiability guarantee can potentially result in biased inference results or even unfair payment issues. While existing trustworthy machine learning techniques, such as those relying on verifiable computation or secure computation, offer solutions to privacy and reliability concerns, they fall short of simultaneously protecting the privacy of client data and providing provable inference verifiability. In this paper, we propose vPIN, a privacy-preserving and verifiable CNN inference scheme that preserves privacy for client data samples while ensuring verifiability for the inference. vPIN makes use of partial homomorphic encryption and commit-and-prove succinct non-interactive argument of knowledge techniques to achieve desirable security properties. In vPIN, we develop various optimization techniques to minimize the proving circuit for homomorphic inference evaluation thereby, improving the efficiency and performance of our technique. We fully implemented and evaluated our vPIN scheme on standard datasets (e.g., MNIST, CIFAR-10). Our experimental results show that vPIN achieves high efficiency in terms of proving time, verification time, and proof size, while providing client data privacy guarantees and provable verifiability.

Cryptography and Security,Machine Learning

Chuhan Wu,Fangzhao Wu,Tao Qi,Yongfeng Huang,Xing Xie

DOI: https://doi.org/10.21203/rs.3.rs-1682972/v1

2022-01-01

Abstract:Abstract Privacy protection is critical for responsible artificial intelligence. Federated learning is a privacy-aware machine learning paradigm, which is often combined with differential privacy to guarantee privacy protection. Unfortunately, existing methods cannot achieve a satisfactory tradeoff between privacy and utility when the models are large, and their computation and communication costs are also huge. Here, we present a differentially private, efficient, and effective machine learning method named FedPrompt to learn big models in a federated way via prompt tuning. It only learns, perturbs, and exchanges the small prompt models injected into the big models. FedPrompt is validated on five datasets. The results show FedPrompt can achieve 0.5%~34.7% better performance than standard federated learning under same privacy budgets, meanwhile saving 99% of communication cost, 75% of memory, and 64% of training time. FedPrompt offers a new direction to efficiently and effectively distributed machine learning with privacy guarantees.

James Flemings,Meisam Razaviyayn,Murali Annavaram

2024-10-03

Abstract:As Large Language Models (LLMs) proliferate, developing privacy safeguards for these models is crucial. One popular safeguard involves training LLMs in a differentially private manner. However, such solutions are shown to be computationally expensive and detrimental to the utility of these models. Since LLMs are deployed on the cloud and thus only accessible via an API, a Machine Learning as a Service (MLaaS) provider can protect its downstream data by privatizing the predictions during the decoding process. However, the practicality of such solutions still largely lags behind DP training methods. One recent promising approach, Private Mixing of Ensemble Distributions (PMixED), avoids additive noise by sampling from the output distributions of private LLMs mixed with the output distribution of a public model. Yet, PMixED must satisfy a fixed privacy level for a given number of queries, which is difficult for an analyst to estimate before inference and, hence, does not scale. To this end, we relax the requirements to a more practical setting by introducing Adaptive PMixED (AdaPMixED), a private decoding framework based on PMixED that is adaptive to the private and public output distributions evaluated on a given input query. In this setting, we introduce a noisy screening mechanism that filters out queries with potentially expensive privacy loss, and a data-dependent analysis that exploits the divergence of the private and public output distributions in its privacy loss calculation. Our experimental evaluations demonstrate that our mechanism and analysis can reduce the privacy loss by 16x while preserving the utility over the original PMixED. Furthermore, performing 100K predictions with AdaPMixED still achieves strong utility and a reasonable data-dependent privacy loss of 5.25.

Machine Learning,Cryptography and Security

Wei Du,Ang Li,Qinghua Li

DOI: https://doi.org/10.48550/arXiv.1810.02400

2018-10-05

Abstract:In recent years, machine learning techniques are widely used in numerous applications, such as weather forecast, financial data analysis, spam filtering, and medical prediction. In the meantime, massive data generated from multiple sources further improve the performance of machine learning tools. However, data sharing from multiple sources brings privacy issues for those sources since sensitive information may be leaked in this process. In this paper, we propose a framework enabling multiple parties to collaboratively and accurately train a learning model over distributed datasets while guaranteeing the privacy of data sources. Specifically, we consider logistic regression model for data training and propose two approaches for perturbing the objective function to preserve {\epsilon}-differential privacy. The proposed solutions are tested on real datasets, including Bank Marketing and Credit Card Default prediction. Experimental results demonstrate that the proposed multiparty learning framework is highly efficient and accurate.

Cryptography and Security

Zitao Chen,Karthik Pattabiraman

2023-07-04

Abstract:Machine learning (ML) models are vulnerable to membership inference attacks (MIAs), which determine whether a given input is used for training the target model. While there have been many efforts to mitigate MIAs, they often suffer from limited privacy protection, large accuracy drop, and/or requiring additional data that may be difficult to acquire. This work proposes a defense technique, HAMP that can achieve both strong membership privacy and high accuracy, without requiring extra data. To mitigate MIAs in different forms, we observe that they can be unified as they all exploit the ML model's overconfidence in predicting training samples through different proxies. This motivates our design to enforce less confident prediction by the model, hence forcing the model to behave similarly on the training and testing samples. HAMP consists of a novel training framework with high-entropy soft labels and an entropy-based regularizer to constrain the model's prediction while still achieving high accuracy. To further reduce privacy risk, HAMP uniformly modifies all the prediction outputs to become low-confidence outputs while preserving the accuracy, which effectively obscures the differences between the prediction on members and non-members. We conduct extensive evaluation on five benchmark datasets, and show that HAMP provides consistently high accuracy and strong membership privacy. Our comparison with seven state-of-the-art defenses shows that HAMP achieves a superior privacy-utility trade off than those techniques.

Cryptography and Security,Artificial Intelligence,Machine Learning

Jeyamohan Neera,Xiaomin Chen,Nauman Aslam,Kezhi Wang,Zhan Shu

DOI: https://doi.org/10.48550/arXiv.2102.13453

IF: 5.414

2021-02-26

Machine Learning

Abstract:Recommendation systems rely heavily on users behavioural and preferential data (e.g. ratings, likes) to produce accurate recommendations. However, users experience privacy concerns due to unethical data aggregation and analytical practices carried out by the Service Providers (SP). Local differential privacy (LDP) based perturbation mechanisms add noise to users data at user side before sending it to the SP. The SP then uses the perturbed data to perform recommendations. Although LDP protects the privacy of users from SP, it causes a substantial decline in predictive accuracy. To address this issue, we propose an LDP-based Matrix Factorization (MF) with a Gaussian Mixture Model (MoG). The LDP perturbation mechanism, Bounded Laplace (BLP), regulates the effect of noise by confining the perturbed ratings to a predetermined domain. We derive a sufficient condition of the scale parameter for BLP to satisfy $\epsilon$ LDP. At the SP, The MoG model estimates the noise added to perturbed ratings and the MF algorithm predicts missing ratings. Our proposed LDP based recommendation system improves the recommendation accuracy without violating LDP principles. The empirical evaluations carried out on three real world datasets, i.e., Movielens, Libimseti and Jester, demonstrate that our method offers a substantial increase in predictive accuracy under strong privacy guarantee.

Maksim Tsikhanovich,Malik Magdon-Ismail,Muhammad Ishaq,Vassilis Zikas

DOI: https://doi.org/10.48550/arXiv.1901.07986

IF: 5.414

2019-01-23

Machine Learning

Abstract:Privacy is a major issue in learning from distributed data. Recently the cryptographic literature has provided several tools for this task. However, these tools either reduce the quality/accuracy of the learning algorithm---e.g., by adding noise---or they incur a high performance penalty and/or involve trusting external authorities. We propose a methodology for {\sl private distributed machine learning from light-weight cryptography} (in short, PD-ML-Lite). We apply our methodology to two major ML algorithms, namely non-negative matrix factorization (NMF) and singular value decomposition (SVD). Our resulting protocols are communication optimal, achieve the same accuracy as their non-private counterparts, and satisfy a notion of privacy---which we define---that is both intuitive and measurable. Our approach is to use lightweight cryptographic protocols (secure sum and normalized secure sum) to build learning algorithms rather than wrap complex learning algorithms in a heavy-cost MPC framework. We showcase our algorithms' utility and privacy on several applications: for NMF we consider topic modeling and recommender systems, and for SVD, principal component regression, and low rank approximation.