Maoguo Gong,Ke Pan,Yu Xie,A. K. Qin,Zedong Tang

DOI: https://doi.org/10.1016/j.neunet.2020.02.001

IF: 7.8

2020-01-01

Neural Networks

Abstract:In recent years, deep learning achieves remarkable results in the field of artificial intelligence. However, the training process of deep neural networks may cause the leakage of individual privacy. Given the model and some background information of the target individual, the adversary can maliciously infer the sensitive feature of the target individual. Therefore, it is imperative to preserve the sensitive information in the training data. Differential privacy is a state-of-the-art paradigm for providing the privacy guarantee of datasets, which protects the private and sensitive information from the attack of adversaries significantly. However, the existing privacy-preserving models based on differential privacy are less than satisfactory since traditional approaches always inject the same amount of noise into parameters to preserve the sensitive information, which may impact the trade-off between the model utility and the privacy guarantee of training data. In this paper, we present a general differentially private deep neural networks learning framework based on relevance analysis, which aims to bridge the gap between private and non-private models while providing an effective privacy guarantee of sensitive information. The proposed model perturbs gradients according to the relevance between neurons in different layers and the model output. Specifically, during the process of backward propagation, more noise is added to gradients of neurons that have less relevance to the model output, and vice-versa. Experiments on five real datasets demonstrate that our mechanism not only bridges the gap between private and non-private models, but also prevents the disclosure of sensitive information effectively.

Di Gao,Cheng Zhuo

DOI: https://doi.org/10.3233/FAIA200294

2020-01-01

Abstract:The deployment of deep learning applications has to address the growing privacy concerns when using private and sensitive data for training. A conventional deep learning model is prone to privacy attacks that can recover the sensitive information of individuals from either model parameters or accesses to the target model. Recently, differential privacy that offers provable privacy guarantees has been proposed to train neural networks in a privacy-preserving manner to protect training data. However, many approaches tend to provide the worst case privacy guarantees for model publishing, inevitably impairing the accuracy of the trained models. In this paper, we present a novel private knowledge transfer strategy, where the private teacher trained on sensitive data is not publicly accessible but teaches a student to be publicly released. In particular, a three-player (teacher-student-discriminator) learning framework is proposed to achieve trade-off between utility and privacy, where the student acquires the distilled knowledge from the teacher and is trained with the discriminator to generate similar outputs as the teacher. We then integrate a differential privacy protection mechanism into the learning procedure, which enables a rigorous privacy budget for the training. The framework eventually allows student to be trained with only unlabelled public data and very few epochs, and hence prevents the exposure of sensitive training data, while ensuring model utility with a modest privacy budget. The experiments on MNIST, SVHN and CIFAR-10 datasets show that our students obtain the accuracy losses w.r.t teachers of 0.89%, 2.29%, 5.16%, respectively with the privacy bounds of (1.93, 10(-5)), (5.02, 10(-6)), (8.81, 10(-6)). When compared with the existing works [15, 20], the proposed work can achieve 582% accuracy loss improvement.

Longfei Zheng,Chaochao Chen,Yingting Liu,Bingzhe Wu,Xibin Wu,Li Wang,Lei Wang,Jun Zhou,Shuang Yang

2020-01-01

Abstract:Deep Neural Network (DNN) has been showing great potential in kinds of real-world applications such as fraud detection and distress prediction. Meanwhile, data isolation has become a serious problem currently, i.e., different parties cannot share data with each other. To solve this issue, most research leverages cryptographic techniques to train secure DNN models for multi-parties without compromising their private data. Although such methods have strong security guarantee, they are difficult to scale to deep networks and large datasets due to its high communication and computation complexities. To solve the scalability of the existing secure Deep Neural Network (DNN) in data isolation scenarios, in this paper, we propose an industrial scale privacy preserving neural network learning paradigm, which is secure against semi-honest adversaries. Our main idea is to split the computation graph of DNN into two parts, i.e., the computations related to private data are performed by each party using cryptographic techniques, and the rest computations are done by a neutral server with high computation ability. We also present a defender mechanism for further privacy protection. We conduct experiments on real-world fraud detection dataset and financial distress prediction dataset, the encouraging results demonstrate the practicalness of our proposal.

Liyao Xiang,Weiting Li,Jungang Yang,Xinbing Wang,Baochun Li

DOI: https://doi.org/10.1109/tmc.2021.3130060

IF: 6.075

2021-01-01

IEEE Transactions on Mobile Computing

Abstract:With the popularity of deep learning applications, the privacy of training data has become a major concern as the data sources may be sensitive. Recent studies have found that deep learning models are vulnerable to privacy attacks, which are able to infer private training data from model parameters. To mitigate such attacks, differential privacy has been proposed to preserve data privacy by adding randomized noise to these models. However, since deep learning models usually consist of a large number of parameters and complicated layered structures, an overwhelming amount of noise is often inserted, which significantly degrades model accuracy. We seek a better tradeoff between model utility and data privacy, by choosing directions of noise w.r.t. the utility subspace. We propose an optimized mechanism for differentially-private stochastic gradient descent, and derive a closed-form solution. The form of the solution makes the mechanism ready to be deployed in real-world deep learning systems. Experimental results on a variety of models, datasets, and privacy settings show that our proposed mechanism achieves higher accuracies at the same privacy guarantee compared to the state-of-the-art methods. Further, we extend the privacy guarantee to a mutual information bound, and propose a general form to the utility-privacy problem.

Tian Fan,Zhihua Cui

DOI: https://doi.org/10.1002/cpe.6367

2021-06-10

Concurrency and Computation: Practice and Experience

Abstract:<p>Privacy data security has become an important bottleneck for the overall development of artificial intelligence and a key challenge that needs to be broken in the Internet era. The current research mainly considers differential privacy to effectively protect the private information in the data. However, as the noise increases, the precision of the training model will decrease. In order to solve above problem, an adaptive differential privacy (ADP) method is constructed and applied to deep neural networks. ADP adds noise adaptively in the training process according to the importance of features. We also build the differential privacy multi-objective optimization model (DPMOM). DPMOM adopts multi-objective optimization characteristics, takes accuracy and privacy protection as the optimization objectives. It optimizes the super parameters of deep neural networks and the noise of differential privacy. In addition, to better solve the ADP model, with the NSGA-II algorithm as the basic framework, a multi-objective optimization algorithm based on differential privacy protection (DPPMOA) is designed. Simulation experiments show that compared with other machine learning methods and differentially private stochastic gradient descent, the accuracy of ADP is higher under the same amount of noise. Through comparison with NSGA-II, IBEA, PESA-II, and AGE-II, DPPMOA is proved that the solution set of this algorithm is better.</p>

Ying Lin,Ling-Yan Bao,Ze-Minghui Li,Shu-Zheng Si,Chao-Hsien Chu

DOI: https://doi.org/10.1016/j.cose.2020.102061

IF: 5.105

2020-01-01

Computers & Security

Abstract:Deep learning (DL) has been widely applied to achieve promising results in many fields, but it still exists various privacy concerns and issues. Applying differential privacy (DP) to DL models is an effective way to ensure privacy-preserving training and classification. In this paper, we revisit the DP stochastic gradient descent (DP-SGD) method, which has been used by several algorithms and systems and achieved good privacy protection. However, several factors, such as the sequence of adding noise, the models used etc., may impact its performance with various degrees. We empirically show that adding noise first and clipping second will not only significantly achieve high accuracy, but also accelerate convergence. Rigorous experiments have been conducted on three different datasets to train two popular DL models, Convolutional Neural Network (CNN) and Long and Short-Term Memory (LSTM). For the CNN, the accuracy rate can be increased by 3%, 8% and 10% on average for the respective datasets, and the loss value is reduced by 18%, 14% and 22% on average. For the LSTM, the accuracy rate can be increased by 18%, 13% and 12% on average, and the loss value can be reduced by 55%, 25% and 23% on average. Meanwhile, we have compared the performance of our proposed method with a state-of-the-art SGD-based technique. The results show that under the premise of a reasonable clipping threshold, the proposed method not only has better performance, but also achieve ideal privacy protection effects. The proposed alternative can be applied to many existing privacy preserving solutions.

Dayin Zhang,Xiaojun Chen,Jinqiao Shi

DOI: https://doi.org/10.1007/978-3-031-23098-1_11

2022-01-01

Abstract:Federated learning can complete the neural network model training without uploading users' private data. However, the deep leakage from gradients (DLG) and the compensatory reconstruction attack (CRA) can reconstruct the training data according to the gradients uploaded by users. We propose an efficient federated convolutional neural network scheme with differential privacy to solve this problem. By adding Gaussian noise to the fully connected layers of the convolutional neural network, the attacker cannot identify the critical gradients that cause privacy leakage. The cumulative privacy loss is tracked using the analytical moments accountant technique. We conduct extensive experiments on the MNIST and CIFAR10 datasets to evaluate our defense algorithm. After selecting appropriate parameters, the results show that our defense algorithm can defend against DLG and CRA while maintaining a high model accuracy.

XianFu Cheng,YanQing Yao,Liying Zhang,Ao Liu,Zhoujun Li

DOI: https://doi.org/10.1002/int.22944

IF: 8.993

2022-01-01

International Journal of Intelligent Systems

Abstract:Deep learning techniques based on the neural network have made significant achievements in various fields of artificial intelligence. However, model training requires large-scale data sets, these data sets are crowd-sourced and model parameters will contain the encoding of private information, resulting in the risk of privacy leakage. With the trend toward sharing pretrained models, the risk of stealing training data sets through member inference attacks and model inversion attacks is further heightened. To tackle the privacy-preserving problems in deep learning tasks, we propose an improved Differential Privacy Stochastic Gradient Descent algorithm, using Simulated Annealing algorithm and Laplace Smooth denoising mechanism to optimize the allocation method of privacy loss, replacing the constant clipping method with adaptive gradient clipping method to improve model accuracy. we also analyze privacy cost under random shuffle data batch processing method in detail within the framework of Subsampled Renyi Differential Privacy. Compared with the existing privacy protection training methods with fixed parameters and dynamic privacy parameters in classification tasks, our implementation and experiments show that we can use less privacy budget train deep neural networks with the nonconvex objective function, obtain a higher model evaluation, and have almost zero additional cost in terms of model complexity, training efficiency, and model quality.

Wending Liu,Rui Han,Xinyu Guo,Junyan Ouyang,Xiaojiang Zuo,Chi Harold Liu

DOI: https://doi.org/10.1109/icetci61221.2024.10594030

2024-01-01

Abstract:Introducing differential privacy (DP) in federated learning (FL) has become a very effective way to protect user privacy. The privacy constraint of differential privacy is implemented by adding noise to deep neural networks (DNN). Traditional approaches uniformly add noise to all parts of the neural network, overlooking the fact that different parts of the network have different importance to the loss function, leading to significant accuracy degradation. It is necessary to finely control the addition of noise through fine-grained methods. However, in the scenario of differential privacy federated learning, it is difficult to quantify the importance of each part of the neural network to the loss function, and it is difficult to make reasonable and effective privacy budget allocation. Moreover, federated learning often faces the problem of model heterogeneity, which poses challenges to fine-grained differential privacy federated learning. To address these challenges, we propose NeuronDP, a differential privacy federated learning framework that adds noise at the neuron level. NeuronDP defines a novel importance metric for the neuron and allocates the privacy budgets to each Neuron according to its importance. Finally, NeuronDP introduces a model distillation-based approach to enable it in FL across the heterogeneous models. We implement NeuronDP in PyTorch and extensively evaluate it against state-of-the-art techniques using popular FL benchmarks. The results showed that while keeping privacy protection and computation efficiency, NeuronDP improves the accuracy by an average of 81.8%, and improves the accuracy up to 411.8% when the privacy protection level is high.

Yanling Wang,Qian Wang,Lingchen Zhao,Cong Wang

DOI: https://doi.org/10.1016/j.future.2023.06.010

IF: 7.307

2023-06-14

Future Generation Computer Systems

Abstract:Motivated by the security risks of deep neural networks, such as various membership and attribute inference attacks, differential privacy has emerged as a promising approach for protecting the privacy of neural networks. As a result, it is crucial to investigate the frontier intersection of differential privacy and deep learning, which is the main motivation behind this survey. Most of the current research in this field focuses on developing mechanisms for combining differentially private perturbations with deep learning frameworks. We provide a detailed summary of these works and analyze potential areas for improvement in the near future. In addition to privacy protection, differential privacy can also play other critical roles in deep learning, such as fairness, robustness, and prevention of over-fitting, which have not been thoroughly explored in previous research. Accordingly, we also discuss future research directions in these areas to offer practical suggestions for future studies.

computer science, theory & methods

Liyao Xiang,Jingbo Yang,Baochun Li

DOI: https://doi.org/10.1109/infocom.2019.8737494

2019-01-01

Abstract:With the amount of user data crowdsourced for data mining dramatically increasing, there is an urgent need to protect the privacy of individuals. Differential privacy mechanisms are conventionally adopted to add noise to the user data, so that an adversary is not able to gain any additional knowledge about individuals participating in the crowdsourcing, by inferring from the learned model. However, such protection is usually achieved with significantly degraded learning results. We have observed that the fundamental cause of this problem is that the relationship between model utility and data privacy is not accurately characterized, leading to privacy constraints that are overly strict. In this paper, we address this problem from an optimization perspective, and formulate the problem as one that minimizes the accuracy loss given a set of privacy constraints. We use sensitivity to describe the impact of perturbation noise to the model utility, and propose a new optimized additive noise mechanism that improves overall learning accuracy while conforming to individual privacy constraints. As a highlight of our privacy mechanism, it is highly robust in the high privacy regime (when $\epsilon \rightarrow 0$), and against any changes in the model structure and experimental settings.

Xianfu Cheng,Yanqing Yao,Ao Liu

DOI: https://doi.org/10.1007/978-3-030-62223-7_29

2020-01-01

Abstract:Deep learning techniques based on neural network have made significant achievements in various fields of Artificial Intelligence. However, model training requires large-scale datasets, these datasets are crowd-sourced and model parameters will contain the encoding of private information, resulting in the risk of privacy leakage. With the trend towards sharing pre-trained models, the risk of stealing training datasets through member inference attack and model inversion attack is further heightened. To tackle this problem, we propose an improved Differential Privacy Stochastic Gradient Descent algorithm, using simulated annealing algorithm and denoising mechanism to optimize the allocation method of privacy loss and improve model accuracy. We also analyze privacy cost under random shuffle data batch processing methods in detail within the framework of Subsampled Rényi Differential Privacy. Compared with existing methods, our experiments show that we can train deep neural networks with non-convex objective function more efficiently with moderate privacy budgets.

Xixi Huang,Jian Guan,Bin Zhang,Shuhan Qi,Xuan Wang,Qing Liao

DOI: https://doi.org/10.1109/dsc.2019.00105

2019-01-01

Abstract:Deep learning achieves remarkable success in the fields of target detection, computer vision, natural language processing, and speech recognition. However, traditional deep learning models may suffer the privacy risk due to some training data involve sensitive information, such as the medical histories, location information and face images. Attackers can exploit the implicit information to recover the sensitive information from the training data. In order to protecting privacy of deep learning model, we develop a novel optimization algorithm called DPAGDCNN for convolution neural network which cooperates differential privacy technique. Specifically, DPAGD-CNN allocates privacy budgets more carefully in each iteration, rather than assigning a fixed privacy budget per iteration. We theoretically prove that our approach can protect the privacy of training data and it achieves higher classification accuracy under the moderate privacy budget in the MNIST and CIFAR-10 datasets.

Bo Ma,W. Yan,E. Lai,Jingsong Wu

DOI: https://doi.org/10.1007/978-3-030-72073-5_1

2021-01-01

Abstract:Centralised machine learning brings in side effect pertaining to privacy preservation, most of machine learning methods prone to using the frameworks without privacy protection, as current methods for privacy preservation will slow down model training and testing. In order to resolve this problem, we develop a new noise generating method based on information entropy by using differential privacy for betterment the privacy protection which owns the architecture of federated machine learning. Our experiments unveil that this solution effectively preserves privacy in the vein of centralized federated learning. The gained accuracy is promising which has a room to be uplifted.

Haodi Wang,Tangyu Jiang,Yu Guo,Chengjun Cai,Cong Wang,Xiaohua Jia

2024-09-21

Abstract:Deep learning models have been extensively adopted in various regions due to their ability to represent hierarchical features, which highly rely on the training set and procedures. Thus, protecting the training process and deep learning algorithms is paramount in privacy preservation. Although Differential Privacy (DP) as a powerful cryptographic primitive has achieved satisfying results in deep learning training, the existing schemes still fall short in preserving model utility, i.e., they either invoke a high noise scale or inevitably harm the original gradients. To address the above issues, in this paper, we present a more robust approach for DP training called GReDP. Specifically, we compute the model gradients in the frequency domain and adopt a new approach to reduce the noise level. Unlike the previous work, our GReDP only requires half of the noise scale compared to DPSGD [1] while keeping all the gradient information intact. We present a detailed analysis of our method both theoretically and empirically. The experimental results show that our GReDP works consistently better than the baselines on all models and training settings.

Cryptography and Security,Artificial Intelligence

Martin Abadi, Andy Chu, Ian Goodfellow, H Brendan McMahan, Ilya Mironov, Kunal Talwar, Li Zhang

2016-10-24

Abstract:Machine learning techniques based on neural networks are achieving remarkable results in a wide variety of domains. Often, the training of models requires large, representative datasets, which may be crowdsourced and contain sensitive information. The models should not expose private information in these datasets. Addressing this goal, we develop new algorithmic techniques for learning and a refined analysis of privacy costs within the framework of differential privacy. Our implementation and experiments demonstrate that we can train deep neural networks with non-convex objectives, under a modest privacy budget, and at a manageable cost in software complexity, training efficiency, and model quality.

Zhiying Xu,Shuyu Shi,Alex X. Liu,Jun Zhao,Lin Chen

DOI: https://doi.org/10.1109/infocom41043.2020.9155359

2020-01-01

Abstract:With the advent of the era of big data, deep learning has become a prevalent building block in a variety of machine learning or data mining tasks, such as signal processing, network modeling and traffic analysis, to name a few. The massive user data crowdsourced plays a crucial role in the success of deep learning models. However, it has been shown that user data may be inferred from trained neural models and thereby exposed to potential adversaries, which raises information security and privacy concerns. To address this issue, recent studies leverage the technique of differential privacy to design private-preserving deep learning algorithms. Albeit successful at privacy protection, differential privacy degrades the performance of neural models. In this paper, we develop ADADP, an adaptive and fast convergent learning algorithm with a provable privacy guarantee. ADADP significantly reduces the privacy cost by improving the convergence speed with an adaptive learning rate and mitigates the negative effect of differential privacy upon the model accuracy by introducing adaptive noise. The performance of ADADP is evaluated on real-world datasets. Experiment results show that it outperforms state-of-the-art differentially private approaches in terms of both privacy cost and model accuracy.

Xinyan Li,Yufei Chen,Cong Wang,Chao Shen

DOI: https://doi.org/10.1109/mnet.001.2100256

IF: 10.294

2021-11-01

IEEE Network

Abstract:Over the past decade, we have witnessed unprecedented development in deep learning (DL) and its contributions to modern networking systems. Along with its wide adoption, however, are growing concerns over the broad attack surfaces toward learning systems and the intrinsic vulnerabilities on privacy, security, robustness, and more. As a countermeasure to mitigate the threats or formalize a better defense, a widely adopted approach is to introduce a certain level of random perturbation (a.k.a. calibrated artificial noise) at either the training or prediction phase. Noteworthy examples include effective defenses against model inference attacks and notions of certified robustness. As such, differential privacy (DP), originally established as a privacy-preserving framework for data publishing, has drawn great interest from the learning community. Given a target utility and the acceptable trade-off, DP&#x27;s formalization on the amount of noise needed has been shown to be widely applicable to a broad range of DL vulnerability mitigations. In this article, we present to our readers the recent representative advancements intersecting DL and DP, ranging from privacy enhancements for DL systems to security and robustness improvements and other novel extensions. Furthermore, we discuss the ongoing challenges and propose a number of future directions where DP has great potential to positively contribute to future DL systems.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Qiang Gao,Han Sun,Zhifang Wang

DOI: https://doi.org/10.1016/j.optlastec.2023.110541

IF: 4.939

2024-01-11

Optics & Laser Technology

Abstract:In deep learning differential privacy protection, adding noise based on gradient has become a mainstream algorithm, but excessive gradient perturbation noise causes accuracy degradation. To solve this problem, a differential privacy protection algorithm based on differential evolution and particle swarm optimization is proposed to realize hyperparameter optimization in differential privacy, reduce the impact of noise on the model, and effectively improve the accuracy. On the one hand, the differential evolution scheme performs selection, crossover and mutation on learning rate η , make it approach the global optimal solution, and improve the computational efficiency of the algorithm. On the other hand, the particle swarm optimization scheme is adopted. Without changing the parameters and gradient structure, the parameters are optimized by using the network propagation attributes, which reduces the influence of noise on the accuracy. Experiments are performed on three datasets: Cifar10, Mnist and FashionMnist. Compared with the existing differential privacy algorithms, under the same privacy budget, the proposed algorithm has better accuracy and higher efficiency.

optics,physics, applied