dc.description.abstract | In Federated Learning (FL), a participant’s shared model update can itself be a serious threat to privacy: by exploiting the shared gradients, an attacker can reconstruct the participant’s private training data down to the pixel level. Differential Privacy (DP), the norm in data anonymization, has been proposed to counter this emerging threat; in such a DP-fied Privacy-preserving FL (PPFL) setup, the transmitted updates are sanitized (i.e. clipped to a bounded norm and perturbed with noise) to protect the privacy of the parties involved. Although DP was originally intended for centralized learning on tabular data, it has recently gained increasing attention in FL with multimedia data, especially images.
Gradient-based reconstruction attacks typically use image similarity metrics such as Peak Signal-to-Noise Ratio (PSNR), Structural Similarity Index Measure (SSIM), and Learned Perceptual Image Patch Similarity (LPIPS) as their main evaluation method, taking the similarity between the reconstruction and the original image as a proxy for privacy leakage. Learned perceptual metrics such as LPIPS were designed to mimic human perception: built on deep neural networks (such as AlexNet and VGG), they are intended to capture subtle perceptual similarities and differences between two images and to overcome the inability of traditional metrics like PSNR and SSIM to look beyond raw pixel values.
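The two mechanisms referred to above, the DP sanitisation of participants' updates (clip to a bounded L2 norm, sum, add Gaussian noise, average, as in DP-FedAvg/DP-SGD) and the pixel-level scores PSNR and SSIM, written out as an added example in standard-library Python. This is not code from the dissertation or from any FL framework it evaluates; the parameter names clip_norm and noise_multiplier, the demo() function, the single-window variant of SSIM and the synthetic 8x8 image are this example's own assumptions. LPIPS is not reproduced because it requires a pretrained AlexNet or VGG.

```python
"""Added example: DP sanitisation of FL updates and pixel-level reconstruction
metrics (PSNR, single-window SSIM). Standard library only; inputs constructed."""
import math
import random
from typing import List, Sequence

Vector = List[float]


def l2_norm(v: Sequence[float]) -> float:
    return math.sqrt(sum(x * x for x in v))


def clip_update(update: Sequence[float], clip_norm: float) -> Vector:
    """Scale `update` so its L2 norm is at most `clip_norm` (the clipping factor).

    Clipping bounds the influence any single participant has on the aggregate,
    which is what turns the added noise into a DP guarantee.
    """
    norm = l2_norm(update)
    scale = min(1.0, clip_norm / norm) if norm > 0.0 else 1.0
    return [x * scale for x in update]


def sanitize_updates(updates: Sequence[Sequence[float]], clip_norm: float,
                     noise_multiplier: float, rng: random.Random) -> Vector:
    """Clip, sum, perturb and average one round of participant updates.

    After clipping, swapping one participant changes the sum by at most
    `clip_norm` in L2 norm, so per-coordinate Gaussian noise with standard
    deviation noise_multiplier * clip_norm is the Gaussian mechanism for that
    sensitivity (assumed parameterisation, as in DP-SGD / DP-FedAvg).
    """
    if not updates:
        raise ValueError("need at least one update")
    dim = len(updates[0])
    clipped = [clip_update(u, clip_norm) for u in updates]
    sigma = noise_multiplier * clip_norm
    summed = [sum(c[i] for c in clipped) + rng.gauss(0.0, sigma)
              for i in range(dim)]
    return [s / len(updates) for s in summed]


def mse(a: Sequence[float], b: Sequence[float]) -> float:
    if len(a) != len(b):
        raise ValueError("images must have the same number of pixels")
    return sum((x - y) ** 2 for x, y in zip(a, b)) / len(a)


def psnr(a: Sequence[float], b: Sequence[float], max_value: float = 1.0) -> float:
    """Peak signal-to-noise ratio in dB for pixel values in [0, max_value]."""
    m = mse(a, b)
    if m == 0.0:
        return math.inf  # identical images
    return 10.0 * math.log10(max_value ** 2 / m)


def global_ssim(a: Sequence[float], b: Sequence[float], max_value: float = 1.0) -> float:
    """SSIM over the whole image as one window (the standard form averages this
    over local windows); exposes the same luminance/contrast/structure terms."""
    if len(a) != len(b) or len(a) < 2:
        raise ValueError("images must have the same number (>= 2) of pixels")
    c1 = (0.01 * max_value) ** 2
    c2 = (0.03 * max_value) ** 2
    n = len(a)
    mu_a = sum(a) / n
    mu_b = sum(b) / n
    var_a = sum((x - mu_a) ** 2 for x in a) / (n - 1)
    var_b = sum((y - mu_b) ** 2 for y in b) / (n - 1)
    cov = sum((x - mu_a) * (y - mu_b) for x, y in zip(a, b)) / (n - 1)
    return ((2 * mu_a * mu_b + c1) * (2 * cov + c2)) / \
           ((mu_a ** 2 + mu_b ** 2 + c1) * (var_a + var_b + c2))


def demo() -> dict:
    """Constructed data: a two-participant round and a synthetic 8x8 image."""
    rng = random.Random(0)
    # Two participant updates; the second is large enough to be clipped.
    updates = [[0.3, 0.4, 0.0, 0.0], [3.0, 4.0, 0.0, 0.0]]
    no_noise = sanitize_updates(updates, 1.0, 0.0, rng)
    with_noise = sanitize_updates(updates, 1.0, 1.1, rng)
    # Synthetic horizontal-gradient image in [0, 1] and a noisy "reconstruction".
    image = [(i % 8) / 7.0 for i in range(64)]
    recon = [min(1.0, max(0.0, p + rng.gauss(0.0, 0.05))) for p in image]
    return {
        "no_noise": no_noise,
        "with_noise": with_noise,
        "psnr_identical": psnr(image, image),
        "psnr_recon": psnr(image, recon),
        "ssim_recon": global_ssim(image, recon),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With noise_multiplier set to 0 the function reduces to plain clipped averaging, which is a useful sanity check when wiring the mechanism into a real aggregator; the noise term is what carries the privacy guarantee, and its scale is tied to clip_norm, not to the raw update magnitude.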
However, because these metrics are modelled on human perception, it is unknown whether the imperceptible artifacts and corruptions introduced by the reconstruction attack process affect them. The author therefore identifies this as a gap that needs to be filled.
To summarize, to the author's best knowledge, a comprehensive analysis of perceptual metrics for evaluating privacy leakage in a Federated Learning framework with image data, and of how effectively the privacy-preserving technique DP protects such a setting against gradient-based reconstruction attacks, is still lacking.
To that end, this dissertation studies: 1. The reliability of the perceptual metrics employed in the reconstruction attack literature, in a realistic Federated Learning framework; 2. The feasibility of a novel privacy evaluation method that relates the widely used perceptual metric LPIPS, as used in the evaluation of the state-of-the-art (SOTA) reconstruction attack, to the accuracy of a classification task in PPFL; 3. The effectiveness of differential privacy against the aforementioned SOTA gradient-based reconstruction attack. | en_US |