Chengcheng Zhu,Jiale Zhang,Xiang Cheng,Weitong Chen,Xiaobing Sun

DOI: https://doi.org/10.1007/978-3-031-31420-9_9

2023-01-01

Abstract:Federated learning has achieved significant success in both academia and industry scenarios since it can train a joint model among unbalanced datasets while protecting the training data privacy. Recent research has shown that, by inferring whether a given data record belongs to the model’s training dataset, the membership information could be leaked by malicious participants. However, when deploying member inference attacks in federated learning, the core problem is how to obtain the membership inference attack data with the same distribution as the training data. In this paper, to tackle this problem, we mainly focus on exploring membership inference attacks in federated learning based on the data augmentation method. Specifically, we present two types of membership inference attacks based on the generative adversarial nets, in which a class-level attack aims to infer the global model and a user-level attack tries to focus on a specific victim. We conduct extensive experiments to evaluate the effectiveness of our proposed two types of membership inference attacks on two benchmark datasets. The experimental results have shown that both class-level and user-level attacks can achieve extraordinary attack accuracy on federated learning.

Peng Jiang,Yimin Liu,Liehuang Zhu

DOI: https://doi.org/10.1109/TIFS.2023.3318950

IF: 7.231

IEEE Transactions on Information Forensics and Security

Abstract:Federated learning (FL) models are vulnerable to membership inference attacks (MIAs), and the requirement of individual privacy motivates the protection of subjects where the individual data is distributed across multiple users in the cross-silo FL setting. In this paper, we propose a subject-level membership inference attack based on data augmentation and model discrepancy. It can effectively infer whether the data distribution of the target subject has been sampled and used for training by specific federated users, even if other users (also) may sample from the same subject and use it as part of their training set. Specifically, the adversary uses a generative adversarial network (GAN) to perform data augmentation on a small amount of priori federation-associated information known in advance. Subsequently, the adversary merges two different outputs from the global and tested user models using an optimal feature construction method. We simulate a controlled federation configuration and conduct extensive experiments on real datasets that include both image and categorical data. Results show that the area under the curve (AUC) is improved by 12.6% to 16.8% compared to the classical membership inference attack. This is at the expense of the test accuracy of the data augmented with GAN, which is at most 3.5% lower than the real test data. We also explore the degree of privacy leakage between overfitted models and well-generalized models in the cross-silo FL setting and conclude experimentally that the former is more likely to leak individual privacy with a subject-level degradation rate of up to 0.43. Finally, we present two possible defense mechanisms to attenuate this newly discovered privacy risk.

Computer Science

Hao Sui,Xiaobing Sun,Jiale Zhang,Bing Chen,Wenjuan Li

DOI: https://doi.org/10.1007/s00521-023-08593-y

2023-04-20

Neural Computing and Applications

Abstract:In recent years, federated learning has been widely used in various fields, such as smart healthcare and financial forecast, due to its ability to protect the privacy of user secret data. Although federated learning has the capability of protecting users’ data privacy, recent research results demonstrated that federated learning still suffers from many privacy attacks. Among them, membership inference attacks are the most common privacy attacks in which attackers infer whether the record belongs to a member message or not. However, the current studies are unable to provide further depth to infer membership information, meaning that existing attack methods have difficulty deducing specifically which user the record belongs to. Moreover, there is a lack of training data in the training process which seriously impacts the effectiveness of membership inference attacks. In this paper, from the perspective of inferring both model-level and user-level membership information, we not only infer whether a record belongs to members but furthermore identify which member the record belongs to. In addition, we augment the training dataset by leveraging the generative adversarial networks (GANs) approach and address the lack of labeling of the newly generated data with the aid of the active learning approach. To demonstrate the effectiveness of our method, we implement our proposed methods on the five benchmark datasets. Extensive experimental results demonstrate that both model-level and user-level membership inference attacks can be achieved with good effectiveness.

computer science, artificial intelligence

Truc Nguyen,Phung Lai,Khang Tran,NhatHai Phan,My T. Thai

2023-07-25

Abstract:Federated learning (FL) was originally regarded as a framework for collaborative learning among clients with data privacy protection through a coordinating server. In this paper, we propose a new active membership inference (AMI) attack carried out by a dishonest server in FL. In AMI attacks, the server crafts and embeds malicious parameters into global models to effectively infer whether a target data sample is included in a client's private training data or not. By exploiting the correlation among data features through a non-linear decision boundary, AMI attacks with a certified guarantee of success can achieve severely high success rates under rigorous local differential privacy (LDP) protection; thereby exposing clients' training data to significant privacy risk. Theoretical and experimental results on several benchmark datasets show that adding sufficient privacy-preserving noise to prevent our attack would significantly damage FL's model utility.

Machine Learning,Artificial Intelligence,Cryptography and Security

Qi Tan,Qi Li,Yi Zhao,Zhuotao Liu,Xiaobing Guo,Ke Xu

2024-03-03

Abstract:Federated Learning (FL) trains a black-box and high-dimensional model among different clients by exchanging parameters instead of direct data sharing, which mitigates the privacy leak incurred by machine learning. However, FL still suffers from membership inference attacks (MIA) or data reconstruction attacks (DRA). In particular, an attacker can extract the information from local datasets by constructing DRA, which cannot be effectively throttled by existing techniques, e.g., Differential Privacy (DP).

Machine Learning,Cryptography and Security,Distributed, Parallel, and Cluster Computing

Zhibo Wang,Mengkai Song,Zhifei Zhang,Yang Song,Qian Wang,Hairong Qi

DOI: https://doi.org/10.48550/arXiv.1812.00535

2018-12-05

Abstract:Federated learning, i.e., a mobile edge computing framework for deep learning, is a recent advance in privacy-preserving machine learning, where the model is trained in a decentralized manner by the clients, i.e., data curators, preventing the server from directly accessing those private data from the clients. This learning mechanism significantly challenges the attack from the server side. Although the state-of-the-art attacking techniques that incorporated the advance of Generative adversarial networks (GANs) could construct class representatives of the global data distribution among all clients, it is still challenging to distinguishably attack a specific client (i.e., user-level privacy leakage), which is a stronger privacy threat to precisely recover the private data from a specific client. This paper gives the first attempt to explore user-level privacy leakage against the federated learning by the attack from a malicious server. We propose a framework incorporating GAN with a multi-task discriminator, which simultaneously discriminates category, reality, and client identity of input samples. The novel discrimination on client identity enables the generator to recover user specified private data. Unlike existing works that tend to interfere the training process of the federated learning, the proposed method works "invisibly" on the server side. The experimental results demonstrate the effectiveness of the proposed attacking approach and the superior to the state-of-the-art.

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition

Yuefeng Peng,Ali Naseh,Amir Houmansadr

2024-09-21

Abstract:Deep learning models, while achieving remarkable performances, are vulnerable to membership inference attacks (MIAs). Although various defenses have been proposed, there is still substantial room for improvement in the privacy-utility trade-off. In this work, we introduce a novel defense framework against MIAs by leveraging generative models. The key intuition of our defense is to remove the differences between member and non-member inputs, which is exploited by MIAs, by re-generating input samples before feeding them to the target model. Therefore, our defense, called DIFFENCE, works pre inference, which is unlike prior defenses that are either training-time or post-inference time. A unique feature of DIFFENCE is that it works on input samples only, without modifying the training or inference phase of the target model. Therefore, it can be cascaded with other defense mechanisms as we demonstrate through experiments. DIFFENCE is designed to preserve the model's prediction labels for each sample, thereby not affecting accuracy. Furthermore, we have empirically demonstrated it does not reduce the usefulness of confidence vectors. Through extensive experimentation, we show that DIFFENCE can serve as a robust plug-n-play defense mechanism, enhancing membership privacy without compromising model utility. For instance, DIFFENCE reduces MIA accuracy against an undefended model by 15.8\% and attack AUC by 14.0\% on average across three datasets, all without impacting model utility. By integrating DIFFENCE with prior defenses, we can achieve new state-of-the-art performances in the privacy-utility trade-off. For example, when combined with the state-of-the-art SELENA defense it reduces attack accuracy by 9.3\%, and attack AUC by 10.0\%. DIFFENCE achieves this by imposing a negligible computation overhead, adding only 57ms to the inference time per sample processed on average.

Cryptography and Security,Computer Vision and Pattern Recognition,Machine Learning

Yanchao Zhao,Jiale Chen,Jiale Zhang,Zilu Yang,Huawei Tu,Hao Han,Kun Zhu,Bing Chen

DOI: https://doi.org/10.1155/2021/5534270

2021-10-19

Wireless Communications and Mobile Computing

Abstract:With the rise of privacy concerns in traditional centralized machine learning services, federated learning, which incorporates multiple participants to train a global model across their localized training data, has lately received significant attention in both industry and academia. Bringing federated learning into a wireless network scenario is a great move. The combination of them inspires tremendous power and spawns a number of promising applications. Recent researches reveal the inherent vulnerabilities of the various learning modes for the membership inference attacks that the adversary could infer whether a given data record belongs to the model’s training set. Although the state-of-the-art techniques could successfully deduce the membership information from the centralized machine learning models, it is still challenging to infer the member data at a more confined level, the user level. It is exciting that the common wireless monitor technique in the wireless network environment just provides a good ground for fine-grained membership inference. In this paper, we novelly propose and define a concept of user-level inference attack in federated learning. Specifically, we first give a comprehensive analysis of active and targeted membership inference attacks in the context of federated learning. Then, by considering a more complicated scenario that the adversary can only passively observe the updating models from different iterations, we incorporate the generative adversarial networks into our method, which can enrich the training set for the final membership inference model. In the end, we comprehensively research and implement inferences launched by adversaries of different roles, which makes the attack scenario complete and realistic. The extensive experimental results demonstrate the effectiveness of our proposed attacking approach in the case of single label and multilabel.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jiahui Hu,Jiacheng Du,Zhibo Wang,Xiaoyi Pang,Yajie Zhou,Peng Sun,Kui Ren

DOI: https://doi.org/10.1109/tmc.2024.3417930

IF: 6.075

2024-01-01

IEEE Transactions on Mobile Computing

Abstract:Federated Learning (FL) is susceptible to the gradient leakage attack (GLA), which can recover local private training data from the shared gradients or model updates. To ensure privacy, differential privacy is applied in FL by clipping and adding noise to local gradients (i.e., Local Differential Privacy (LDP)) or the global model update (i.e., Central Differential Privacy (CDP)). However, the effectiveness of DP in defending GLAs needs to be thoroughly investigated since some works briefly verify that DP can guard FL against GLAs while others question its defense capability. In this paper, we empirically evaluate CDP and LDP on the resistance of GLAs, and pay close attention to the trade-offs between privacy and utility in FL. Our findings reveal that 1) existing GLAs can be defended by CDP using a per-layer clipping strategy and LDP with a reasonable privacy guarantee; 2) both CDP and LDP ensure the trade-off between privacy and utility in training shallow model, but cannot guarantee this trade-off in deeper model training (e.g., ResNets). Triggered by the crucial role of clipping operation for DP, we propose an improved attack that incorporates the clipping operation into existing GLAs without requiring additional information. The experimental results show our attack can destruct the protection of CDP and weaken the effectiveness of LDP. Overall, our work validates the effectiveness as well as reveals the vulnerability of DP under GLAs. We hope this work can provide guidance on utilizing DP for defending against GLA in FL and inspire the design of future privacy-preserving FL.

Linghui Zhu,Xinyi Liu,Yiming Li,Xue Yang,Shu-Tao Xia,Rongxing Lu

DOI: https://doi.org/10.1109/jiot.2021.3131258

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:Federated learning (FL) enables data owners to train a global model with shared gradients while keeping private training data locally. However, recent research demonstrated that the adversary may infer private training data of clients from the exchanged local gradients, e.g., having deep leakage from gradients (DLGs). Many existing privacy-preserving approaches take usage of differential privacy (DP) to guarantee privacy. Nevertheless, the widely used privacy budget of DP (e.g., evenly distribution) leads to a sharp decline of model accuracy. To improve the model accuracy, some schemes only consider allocating the privacy budget to the fully connected layers. However, we reveal that the adversary may still reconstruct the private training data by adopting the DLG attack with the gradients of convolutional layers. In this article, we propose a fine-grained DP federated learning (DPFL) scheme, which guarantees privacy and remains high model performance simultaneously. Specifically, inspired by the methods that measure the importance of layers in deep learning, we propose a fine-grained method to allocate noise according to the importance value of layers in order to remain high model performance. Besides, we combine an active client selection strategy with DPFL and perform fine-tuning with a public data set on the server to further ensure the model performance. We evaluate DPFL under both independent and identically distributed (i.i.d) and non-i.i.d data settings to show that our method can achieve similar accuracy as the plain FL (e.g., FedAvg). We also demonstrate that our DPFL can resist the DLG attack to verify its privacy guarantee.

Mengkai Song,Zhibo Wang,Zhifei Zhang,Yang Song,Qian Wang,Ju Ren,Hairong Qi

DOI: https://doi.org/10.1109/jsac.2020.3000372

IF: 16.4

2020-10-01

IEEE Journal on Selected Areas in Communications

Abstract:Federated learning has emerged as an advanced privacy-preserving learning technique for mobile edge computing, where the model is trained in a decentralized manner by the clients, preventing the server from directly accessing those private data from the clients. This learning mechanism significantly challenges the attack from the server side. Although the state-of-the-art attacking techniques that incorporated the advance of Generative adversarial networks (GANs) could construct class representatives of the global data distribution among all clients, it is still challenging to distinguishably attack a specific client (i.e., user-level privacy leakage), which is a stronger privacy threat to precisely recover the private data from a specific client. To analyze the privacy leakage of federated learning, this paper gives the first attempt to explore user-level privacy leakage by the attack from a malicious server. We propose a framework incorporating GAN with a multi-task discriminator, called multi-task GAN – Auxiliary Identification (mGAN-AI), which simultaneously discriminates category, reality, and client identity of input samples. The novel discrimination on client identity enables the generator to recover user specified private data. Unlike existing works interfering the federated learning process, the proposed method works "invisibly" on the server side. Furthermore, considering the anonymization strategy for mitigating mGAN-AI, we propose a beforehand linkability attack which re-identifies the anonymized updates by associating the client representatives. A novel siamese network fusing the identification and verification models is developed for measuring the similarity of representatives. The experimental results demonstrate the effectiveness of the proposed approaches and the superior to the state-of-the-art.

telecommunications,engineering, electrical & electronic

Li Bai,Haibo Hu,Qingqing Ye,Haoyang Li,Leixia Wang,Jianliang Xu

2024-12-09

Abstract:Federated learning is a decentralized machine learning approach where clients train models locally and share model updates to develop a global model. This enables low-resource devices to collaboratively build a high-quality model without requiring direct access to the raw training data. However, despite only sharing model updates, federated learning still faces several privacy vulnerabilities. One of the key threats is membership inference attacks, which target clients' privacy by determining whether a specific example is part of the training set. These attacks can compromise sensitive information in real-world applications, such as medical diagnoses within a healthcare system. Although there has been extensive research on membership inference attacks, a comprehensive and up-to-date survey specifically focused on it within federated learning is still absent. To fill this gap, we categorize and summarize membership inference attacks and their corresponding defense strategies based on their characteristics in this setting. We introduce a unique taxonomy of existing attack research and provide a systematic overview of various countermeasures. For these studies, we thoroughly analyze the strengths and weaknesses of different approaches. Finally, we identify and discuss key future research directions for readers interested in advancing the field.

Cryptography and Security

Yufeng Wang,Jianhua Ma,Xu Zhang,Qun Jin

DOI: https://doi.org/10.1002/cpe.7429

2022-11-01

Abstract:As a distributed learning framework, Federated Learning (FL) allows different local learners/participants to collaboratively train a joint model without exposing their own localdata,andoffersafeasiblesolutiontolegallyresolvedataislands.However,among them, the data privacy and model security are two challenges. The former means that, if original data are used for trained FL models, various methods can be used to deduce the original data samples, thereby causing the leakage of data. The latter implies that unreliable/malicious participants may affect or destroy the joint FL model, through uploading wrong local model parameters. Therefore, this paper proposes a novel distributed FL training framework, namely LDP-Fed + , which takes into account differential privacy protection and model security defense. Specifically, firstly, a local perturbationmoduleisaddedatthelocallearnerside,whichperturbstheoriginaldata of local learners through feature extraction, binary encoding and decoding, and random response. Then, through using the perturbed data, local neural network model is trained to obtain the network parameters that meet local differential protection, to effectively deal with model inversion attacks. Secondly, a security defense module is added on the server side, which uses the auxiliary model and differential index mechanismtoselectanappropriatenumberoflocaldisturbanceparametersforaggre-gationtoenhancemodelsecuritydefenseanddealwithmembershipinferenceattacks. The experimental results show that, compared with other federated learning models based on differential privacy, LDP-Fed + has stronger robustness for model security and higher accuracy for model training while ensuring strict privacy protection.

Computer Science

Zengwang Jin,Yanning Zhang,Yanyan Hu,Changyin Sun,Chenhao Xu

DOI: https://doi.org/10.1109/YAC59482.2023.10401762

2023-08-27

Abstract:Deep learning provides better personalized services by training specific models through massive amounts of data. However, due to the problem of gradient leakage during model training, the original data uploaded by the users is restored and privacy leakage occurs. In order to prevent data leakage, this paper introduces a federated learning method to deal with the privacy issues brought by multi-user joint modeling. Gradients generated by the user’s local model training are uploaded to the aggregation server without being trained directly using the original user data. Under such a framework setting, the users’ original data still has a certain risk of being leaked. In order to strengthen the protection of users’ privacy, the training process is encrypted by combining the differential privacy mechanism and the federated learning system. The model parameters are stochastic to ensure that they cannot be acquired by adversaries. By adding Gaussian mechanism and Laplace mechanism, the influence of differential privacy on the convergence of federated learning model is analyzed. The Laplace mechanism is a strict definition of differential privacy, while the Gaussian mechanism is a relaxed definition and allows adding less noise for privacy protection. The simulation results show that both mechanisms can achieve good model convergence effect and verify that differential privacy can produce better privacy protection effect with lower communication cost.

Computer Science

Shiwei Lu,Ruihu Li,Wenbin Liu

DOI: https://doi.org/10.1007/s11704-023-2283-x

IF: 2.6688

2024-01-23

Frontiers of Computer Science

Abstract:Federated learning (FL) has emerged to break data-silo and protect clients' privacy in the field of artificial intelligence. However, deep leakage from gradient (DLG) attack can fully reconstruct clients' data from the submitted gradient, which threatens the fundamental privacy of FL. Although cryptology and differential privacy prevent privacy leakage from gradient, they bring negative effect on communication overhead or model performance. Moreover, the original distribution of local gradient has been changed in these schemes, which makes it difficult to defend against adversarial attack. In this paper, we propose a novel federated learning framework with model decomposition, aggregation and assembling (FedDAA), along with a training algorithm, to train federated model, where local gradient is decomposed into multiple blocks and sent to different proxy servers to complete aggregation. To bring better privacy protection performance to FedDAA, an indicator is designed based on image structural similarity to measure privacy leakage under DLG attack and an optimization method is given to protect privacy with the least proxy servers. In addition, we give defense schemes against adversarial attack in FedDAA and design an algorithm to verify the correctness of aggregated results. Experimental results demonstrate that FedDAA can reduce the structural similarity between the reconstructed image and the original image to 0.014 and remain model convergence accuracy as 0.952, thus having the best privacy protection performance and model training effect. More importantly, defense schemes against adversarial attack are compatible with privacy protection in FedDAA and the defense effects are not weaker than those in the traditional FL. Moreover, verification algorithm of aggregation results brings about negligible overhead to FedDAA.

computer science, information systems, theory & methods, software engineering

Jingwei Sun,Ang Li,Binghui Wang,Huanrui Yang,Hai Li,Yiran Chen

DOI: https://doi.org/10.48550/arXiv.2012.06043

2020-12-09

Abstract:Federated learning (FL) is a popular distributed learning framework that can reduce privacy risks by not explicitly sharing private data. However, recent works demonstrated that sharing model updates makes FL vulnerable to inference attacks. In this work, we show our key observation that the data representation leakage from gradients is the essential cause of privacy leakage in FL. We also provide an analysis of this observation to explain how the data presentation is leaked. Based on this observation, we propose a defense against model inversion attack in FL. The key idea of our defense is learning to perturb data representation such that the quality of the reconstructed data is severely degraded, while FL performance is maintained. In addition, we derive certified robustness guarantee to FL and convergence guarantee to FedAvg, after applying our defense. To evaluate our defense, we conduct experiments on MNIST and CIFAR10 for defending against the DLG attack and GS attack. Without sacrificing accuracy, the results demonstrate that our proposed defense can increase the mean squared error between the reconstructed data and the raw data by as much as more than 160X for both DLG attack and GS attack, compared with baseline defense methods. The privacy of the FL system is significantly improved.

Machine Learning,Artificial Intelligence,Computer Vision and Pattern Recognition

Soumya Banerjee,Sandip Roy,Sayyed Farid Ahamed,Devin Quinn,Marc Vucovich,Dhruv Nandakumar,Kevin Choi,Abdul Rahman,Edward Bowen,Sachin Shetty

2023-11-28

Abstract:The membership inference attack (MIA) is a popular paradigm for compromising the privacy of a machine learning (ML) model. MIA exploits the natural inclination of ML models to overfit upon the training data. MIAs are trained to distinguish between training and testing prediction confidence to infer membership information. Federated Learning (FL) is a privacy-preserving ML paradigm that enables multiple clients to train a unified model without disclosing their private data. In this paper, we propose an enhanced Membership Inference Attack with the Batch-wise generated Attack Dataset (MIA-BAD), a modification to the MIA approach. We investigate that the MIA is more accurate when the attack dataset is generated batch-wise. This quantitatively decreases the attack dataset while qualitatively improving it. We show how training an ML model through FL, has some distinct advantages and investigate how the threat introduced with the proposed MIA-BAD approach can be mitigated with FL approaches. Finally, we demonstrate the qualitative effects of the proposed MIA-BAD methodology by conducting extensive experiments with various target datasets, variable numbers of federated clients, and training batch sizes.

Cryptography and Security,Artificial Intelligence,Machine Learning

Haiqin Weng,Juntao Zhang,Feng Xue,Tao Wei,Shouling Ji,Zhiyuan Zong

2020-01-01

Abstract:Federated learning enables mutually distrusting participants to collaboratively learn a distributed machine learning model without revealing anything but the model's output. Generic federated learning has been studied extensively, and several learning protocols, as well as open-source frameworks, have been developed. Yet, their over pursuit of computing efficiency and fast implementation might diminish the security and privacy guarantees of participant's training data, about which little is known thus far. In this paper, we consider an honest-but-curious adversary who participants in training a distributed ML model, does not deviate from the defined learning protocol, but attempts to infer private training data from the legitimately received information. In this setting, we design and implement two practical attacks, reverse sum attack and reverse multiplication attack, neither of which will affect the accuracy of the learned model. By empirically studying the privacy leakage of two learning protocols, we show that our attacks are (1) effective - the adversary successfully steal the private training data, even when the intermediate outputs are encrypted to protect data privacy; (2) evasive - the adversary's malicious behavior does not deviate from the protocol specification and deteriorate any accuracy of the target model; and (3) easy - the adversary needs little prior knowledge about the data distribution of the target participant. We also experimentally show that the leaked information is as effective as the raw training data through training an alternative classifier on the leaked information. We further discuss potential countermeasures and their challenges, which we hope may lead to several promising research directions.

Ping Zhao,Zhikui Cao,Jin Jiang,Fei Gao

DOI: https://doi.org/10.1109/jiot.2022.3201231

IF: 10.6

2022-12-24

IEEE Internet of Things Journal

Abstract:Federated learning (FL) enables multiple worker devices share local models trained on their private data to collaboratively train a machine learning model. However, local models are proved to imply the information about the private data and, thus, introduce much vulnerabilities to inference attacks where the adversary reconstructs or infers the sensitive information about the private data (e.g., labels, memberships, etc.) from the local models. To address this issue, existing works proposed homomorphic encryption, secure multiparty computation (SMC), and differential privacy methods. Nevertheless, the homomorphic encryption and SMC-based approaches are not applicable to large-scale FL scenarios as they incur substantial additional communication and computation costs and require secure channels to delivery keys. Moreover, differential privacy brings a substantial tradeoff between privacy budget and model performance. In this article, we propose a novel FL framework, which can protect the data privacy of worker devices against the inference attacks with minimal accuracy cost and low computation and communication cost, and does not rely on the secure pairwise communication channels. The main idea is to generate the lightweight keys based on computational Diffie–Hellman (CDH) problem to encrypt the local models, and the FL server can only get the sum of the local models of all worker devices without knowing the exact local model of any specific worker device. The extensive experimental results on three real-world data sets validate that the proposed FL framework can protect the data privacy of worker devices, and only incurs a small constant of computation and communication cost and a drop in test accuracy of no more than 1%.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xiuting Gu,Tianqing Zhu,Jie Li,Tao Zhang,Wei Ren

DOI: https://doi.org/10.1007/978-3-030-65745-1_25

2020-01-01

Abstract:Federated learning is a machine learning framework where many clients (e.g. mobile devices or whole organizations) collaboratively train a model under the orchestration of a central server (e.g. service provider), while keeping the training data decentralized. Naively minimizing an aggregate loss function in such a network may disproportionately advantage or disadvantage some of the clients. Thus, federated learning could raise "unfairness" according to some fairness metrics. Differential privacy is a privacy model used to protect privacy in federated learning with bounded leakage about the presence of a specific point in the training data. Previous work showed that a reduction in accuracy induced by deep private models disproportionately impacts underrepresented groups. This motivates us to analyze the impact of differential privacy on model fairness in federated learning. In this work, we conduct extensive experiments to evaluate the impact of differential privacy on model fairness in federated learning. Experiments show that, with a proper choice of parameters, differential privacy might improve fairness with an ignoble reduction on accuracy.