Abstract (English) |
In Federated Learning (FL), a participant's model update can be a devastating threat to privacy: by making full use of the shared updates, an attacker is believed to be able to reconstruct the participant's private training data at pixel level. Differential Privacy (DP), the norm in data anonymization, was proposed to deal with this emergent threat; in such a DP-fied privacy-preserving FL (PPFL) setup, the transmitted information is sanitized (i.e. clipped by a factor and perturbed by noise) to protect the privacy of the parties involved. Though DP was originally intended for centralized learning on tabular data, it has recently gained more and more attention in FL with multimedia data, especially images.
Gradient-based reconstruction attacks typically use perceptual similarity metrics such as Peak Signal-to-Noise Ratio (PSNR), Structural Similarity Index Measure (SSIM), and Learned Perceptual Image Patch Similarity (LPIPS) as their main evaluation method, implying a correlation between perceptual similarity and privacy leakage. Learned perceptual metrics such as LPIPS were invented to mimic human perception: built on deep neural networks (such as AlexNet and VGG), they are designed to capture the subtle perceptual similarities and differences between two pictures, overcoming the inability of traditional metrics like PSNR and SSIM to look beyond raw pixel values.
However, since perceptual metrics are built upon human perception, it is unknown whether the imperceptible nuances and corruptions introduced by the reconstruction attack process could influence them. The author therefore sees this as a potential gap that needs to be filled.
To summarize, to the author's best knowledge, a comprehensive analysis of perceptual metrics for evaluating privacy leakage in a Federated Learning framework with image data, and of how effectively the privacy-preserving technique DP protects such a setting against gradient-based reconstruction attacks, has not yet been undertaken.
For that matter, this dissertation is intended to study: 1. the reliability of the perceptual metrics employed in the reconstruction attack literature, within a realistic Federated Learning framework; 2. the feasibility of a novel privacy evaluation method that can reveal the relationship between LPIPS, the perceptual metric widely used in the evaluation of the SOTA reconstruction attack, and the accuracy of a classification task in PPFL; 3. the effectiveness of differential privacy against the aforementioned SOTA gradient-based reconstruction attack. |
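The two mechanisms the abstract relies on, DP sanitization of the transmitted update (clipping by a norm bound, then perturbing with Gaussian noise) and pixel-level similarity scoring of a candidate reconstruction, as an added pure-Python example; this code is not part of the dissertation. The client update vectors and the 8x8 ramp image are constructed, the "reconstruction" is simulated by adding pixel noise to the original rather than by running any attack, and SSIM is computed over a single global window (the windowed form in Wang et al. 2004 averages it over local patches). LPIPS is not reproduced here because it needs a pretrained network.

```python
import math
import random


# ---- DP-style sanitization of client updates: clip each update, then add Gaussian noise ----

def l2_norm(vec):
    """Euclidean length of a flat update vector."""
    return math.sqrt(sum(x * x for x in vec))


def clip_update(update, clip_norm):
    """Scale the update so its L2 norm is at most clip_norm; smaller updates pass unchanged.
    This bounds how much any single client can move the aggregate (the DP sensitivity)."""
    norm = l2_norm(update)
    factor = min(1.0, clip_norm / norm) if norm > 0 else 1.0
    return [x * factor for x in update]


def sanitize_updates(updates, clip_norm, noise_multiplier, rng=None):
    """Aggregator's view of a DP-fied round: sum of clipped updates plus Gaussian noise
    with standard deviation noise_multiplier * clip_norm, averaged over the clients."""
    rng = rng or random.Random(0)
    clipped = [clip_update(u, clip_norm) for u in updates]
    dim = len(updates[0])
    total = [sum(c[i] for c in clipped) for i in range(dim)]
    sigma = noise_multiplier * clip_norm
    noisy = [t + rng.gauss(0.0, sigma) for t in total]
    return [x / len(updates) for x in noisy]


# ---- Pixel-level similarity metrics used to score a candidate reconstruction ----

def psnr(reference, candidate, max_val=255.0):
    """Peak signal-to-noise ratio in dB between two flat images of equal length."""
    mse = sum((a - b) ** 2 for a, b in zip(reference, candidate)) / len(reference)
    if mse == 0:
        return float("inf")
    return 10.0 * math.log10(max_val ** 2 / mse)


def ssim_global(reference, candidate, max_val=255.0):
    """Single-window ('global') SSIM with the usual constants C1=(0.01 L)^2, C2=(0.03 L)^2.
    Full SSIM averages this over local windows; one window is enough for a small image."""
    n = len(reference)
    mu_x = sum(reference) / n
    mu_y = sum(candidate) / n
    var_x = sum((a - mu_x) ** 2 for a in reference) / (n - 1)
    var_y = sum((b - mu_y) ** 2 for b in candidate) / (n - 1)
    cov = sum((a - mu_x) * (b - mu_y) for a, b in zip(reference, candidate)) / (n - 1)
    c1 = (0.01 * max_val) ** 2
    c2 = (0.03 * max_val) ** 2
    return (((2 * mu_x * mu_y + c1) * (2 * cov + c2))
            / ((mu_x ** 2 + mu_y ** 2 + c1) * (var_x + var_y + c2)))


def degrade(image, noise_std, rng=None, max_val=255.0):
    """Constructed stand-in for an imperfect reconstruction: the original plus Gaussian
    pixel noise, clamped to the valid pixel range. No attack is run here."""
    rng = rng or random.Random(0)
    return [min(max_val, max(0.0, p + rng.gauss(0.0, noise_std))) for p in image]


if __name__ == "__main__":
    rng = random.Random(0)
    # Constructed client updates (not real gradients): one large, one already small.
    updates = [[3.0, 4.0], [0.3, 0.4]]
    print("clipped large update:", clip_update(updates[0], 1.0))
    print("DP aggregate (noise multiplier 1.0):", sanitize_updates(updates, 1.0, 1.0, rng))
    # Constructed 8x8 grayscale ramp (flattened) standing in for a private training image.
    image = [float(4 * (r + c)) for r in range(8) for c in range(8)]
    for noise_std in (0.0, 8.0, 64.0):
        cand = degrade(image, noise_std, rng)
        print(f"noise {noise_std:5.1f}: PSNR={psnr(image, cand):6.2f} dB"
              f"  SSIM={ssim_global(image, cand):.3f}")
```

The ratio of the noise standard deviation to the clipping norm (the noise multiplier) is the quantity a DP accountant turns into an (epsilon, delta) guarantee; this block performs the clipping and noising only and does no accounting. Note that PSNR falls monotonically as pixel noise grows while SSIM is driven by the covariance term, which is why the two can disagree on how "close" a corrupted reconstruction is.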