博碩士論文 110522604 詳細資訊




以作者查詢圖書館館藏 以作者查詢臺灣博碩士 以作者查詢全國書目 勘誤回報 、線上人數:151 、訪客IP:3.149.25.162
姓名 潘國勝(PHAN QUOC THANG)  查詢紙本館藏   畢業系所 資訊工程學系
論文名稱 基於梯度的重構攻擊在隱私權保護聯合學習中的評估方法初探
(A Preliminary Study on Evaluation Methods of Gradient-based Reconstruction Attacks in Privacy-Preserving Federated Learning)
檔案 [Endnote RIS 格式]    [Bibtex 格式]    [相關文章]   [文章引用]   [完整記錄]   [館藏目錄]   至系統瀏覽論文 ( 永不開放)
摘要(中) 在聯合學習(FL)中,參與者的模型更新可能會對隱私造成破壞性威脅,透過巧妙地充分利用共享更新,攻擊者可以重建參與者的訓練隱私數據,達到像素級別。 差分隱私(DP)作為資料匿名化的標準,就是為了應對這種新出現的威脅而提出的;在這種經過差分隱私改進的隱私保護FL(PPFL)設定中,傳輸的資訊會經過淨化(即 經過因子剪切和噪音擾動),以保護相關方的隱私。 儘管 DP 最初是用於集中學習和表格數據,但最近,它在處理多媒體數據(尤其是圖像)的 FL 方面獲得了越來越多的關注。

基於梯度的重構攻擊通常利用峰值信噪比(PSNR)、結構相似性指數(SSIM)和感知影像補丁相似性(LPIPS)等感知相似性指標作為主要評估方法,以暗示感知相似性與隱私洩露 之間的相關性。 基於深度神經網路(如AlexNet 和VGG)發明的Learned(LPIPS)等感知度量是為了模仿人類的感知,其設計目的是讓度量能夠捕捉兩張圖片之間細微的感知相似性和差異性,並解決 PSNR 和SSIM 等傳統測量無法超越影像像素值的問題。
然而,由於感知度量是建立在人的感知基礎上的,因此重構攻擊過程中造成的難以察覺的細微差別和損壞是否會影響這些度量還不得而知。 因此,作者認為這可能是需要填補的空白。
總而言之,據作者所知,在評估使用影像資料的聯邦學習框架的隱私洩漏時,對感知指標進行全面分析,以及隱私保護技術DP 在保護這種設定免受基於梯度的重構攻擊方面的效果如何 ,仍然是前所未聞的。

為此,本論文旨在研究1. 2.一種新型隱私評估方法的可行性,該方法可揭示SOTA 重構攻擊評估方法中廣泛使用的感知度量LPIPS 與PPFL 中分類任務準確性之間的關係 ;3.差分隱私保護技術對上述SOTA 基於梯度的重構攻擊的有效性。
摘要(英) In Federated Learning (FL), a participant’s model update can potentially be a devastating threat to privacy, by cleverly making full use of the shared updates, it is believed that an attacker can reconstruct the participant’s training private data to a pixel-level. Differential Privacy (DP), the norm in data anonymization, was proposed to deal with this emergent threat; in such a DP-fied Privacy-preserving FL (PPFL) setup, the transmitted information is sanitized (i.e. clipped by a factor and perturbed by noise) to protect the privacy of the parties involved. Though was originally intended to be used with centralized learning and tabular data, recently, DP has gained more and more attention in FL with multimedia data, especially images.

Gradient-based reconstruction attacks typically utilized perceptual similarity metrics such as Peak Signal-to-Noise Ratio (PSNR), Structural Similarity Index Measure (SSIM), and Perceptual Image Patch Similarity (LPIPS) as the main evaluation method to imply the correlation between perceptual similarity and privacy leakage. Perceptual metrics such as Learned (LPIPS) were invented to mimic human perception, based on deep neural networks (such as AlexNet and VGG), the design is intended to allow the metric to capture the subtle perceptual similarity and differences between 2 pictures, and solve the incapability to look beyond the image pixel’s value of the traditional metrics like PSNR and SSIM.
However, since the perceptual metrics are built upon human perception, it is unknown whether the imperceptible nuances and corruptions caused by the reconstruction attack process could influence those metrics. Therefore, the author sees this could potentially be a gap that needs to be filled.
To summarize, according to the author′s best knowledge, a comprehensive analysis of perceptual metrics in evaluating privacy leakages of a Federated Learning framework with image data, and how effectively the privacy-preserving technique DP works in protecting such a setting against gradient-based reconstruction attacks is still unheard of.

For that matter, this dissertation is intended to study: 1. The reliability of perceptual metrics, which are employed by reconstruction attacks literature in a realistic Federated Learning framework; 2. The feasibility of a novel privacy evaluation method that can reveal the relationship between the widely used perceptual metric LPIPS in the SOTA reconstruction attack′s evaluation method and the accuracy of a classification task in PPFL; 3. The effectiveness of differential privacy against the aforementioned SOTA gradient-based reconstruction attack.
關鍵字(中) ★ 知覺度量
★ 分類任務準確性
★ 聯合學習
★ 保護隱私的聯合學習
★ 隱私外洩評估
關鍵字(英) ★ Perceptual metrics
★ Classification task accuracy
★ Federated Learning
★ Privacy-preserving Federated Learning
★ Privacy leakage evaluation
論文目次 Contents
1 Introduction 1
2 Related Works 3
2.1 Image data reconstruction via gradient-leakage in Federated Learning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2 Differential privacy as a shared update protection method . . . . 4
2.2.1 Differential Privacy and Categorization . . . . . . . . . . . 4
2.2.2 Threat models . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3 Methodology 9
3.1 Federated Learning . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.2 Privacy-preserving Federated Learning framework . . . . . . . . 10
3.3 Gradient matching based reconstruction module . . . . . . . . . . 11
3.4 Privacy leakage evaluation . . . . . . . . . . . . . . . . . . . . . . . 14
3.4.1 Perceptual-based evaluation methods . . . . . . . . . . . . 14
3.4.1.1 Mean squared error (MSE) . . . . . . . . . . . . . 14
3.4.1.2 Peak signal-to-noise ratio (PSNR) . . . . . . . . . 15
3.4.1.3 Structural similarity index measure (SSIM) . . . 15
3.4.1.4 Learned Perceptual Image Patch Similarity (LPIPS) 15
3.4.2 Classification accuracy as a privacy evaluation method . . 16
3.4.3 The extension for the evaluation method . . . . . . . . . . 17
4 Experimental setup and results 21
4.1 Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
4.2 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
4.2.1 Known reconstruction attacks limitation . . . . . . . . . . 23
4.2.1.1 Multiple images that belong to the same class/label 23
4.2.2 Resources limitation . . . . . . . . . . . . . . . . . . . . . . 24
4.2.2.1 Out-of-memory (GPU VRAM) . . . . . . . . . . . 24
4.3 Experimental results . . . . . . . . . . . . . . . . . . . . . . . . . . 25
4.3.1 Privacy-preserving Federated Learning . . . . . . . . . . . 25
4.3.2 Reconstruction attack results . . . . . . . . . . . . . . . . . 27
4.3.3 Relationship between the metrics . . . . . . . . . . . . . . . 29
4.3.3.1 Client 2 . . . . . . . . . . . . . . . . . . . . . . . . 29
4.3.3.2 Client 14 . . . . . . . . . . . . . . . . . . . . . . . 30
4.3.3.3 Client 4 . . . . . . . . . . . . . . . . . . . . . . . . 30
4.3.3.4 Client 12 . . . . . . . . . . . . . . . . . . . . . . . 31
4.3.3.5 Client 6 . . . . . . . . . . . . . . . . . . . . . . . . 40
5 Findings and Discussion 41
6 Conclusion and Future direction 43
6.1 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
6.2 Future directions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
6.2.1 A more rigorous investigation on the subject . . . . . . . . 44
6.2.2 Explore more privacy-preserving potential . . . . . . . . . 44
6.2.3 Improving existing PPFL using the proposed method . . . 45
6.2.4 Go beyond multiple metrics . . . . . . . . . . . . . . . . . . 45
Bibliography 47
Appendix A: Privacy evaluation results for all of the clients 53
參考文獻 [1] H. Brendan McMahan et al. Communication-Efficient Learning of Deep Networks from Decentralized Data. en. arXiv:1602.05629 [cs]. Jan. 2023. URL:
http://arxiv.org/abs/1602.05629 (visited on 08/05/2023).
[2] Margalit Glasgow, Honglin Yuan, and Tengyu Ma. Sharp Bounds for Federated Averaging (Local SGD) and Continuous Perspective. en. arXiv:2111.03741
[cs, math, stat]. Feb. 2022. URL: http://arxiv.org/abs/2111.03741
(visited on 08/05/2023).
[3] Peter Kairouz et al. Advances and Open Problems in Federated Learning. en.
arXiv:1912.04977 [cs, stat]. Mar. 2021. URL: http://arxiv.org/abs/
1912.04977 (visited on 08/05/2023).
[4] Qiang Yang et al. Federated Machine Learning: Concept and Applications. en.
arXiv:1902.04885 [cs]. Feb. 2019. URL: http://arxiv.org/abs/1902.
04885 (visited on 08/05/2023).
[5] Keith Bonawitz et al. Towards Federated Learning at Scale: System Design. en.
arXiv:1902.01046 [cs, stat]. Mar. 2019. URL: http://arxiv.org/abs/
1902.01046 (visited on 08/05/2023).
[6] Ligeng Zhu, Zhijian Liu, and Song Han. Deep Leakage from Gradients. en.
arXiv:1906.08935 [cs, stat]. Dec. 2019. URL: http://arxiv.org/abs/
1906.08935 (visited on 11/26/2022).
[7] Jonas Geiping et al. “Inverting Gradients - How easy is it to break privacy
in federated learning?” en. In: p. 11.
[8] Hongxu Yin et al. “See through Gradients: Image Batch Recovery via
GradInversion”. en. In: 2021 IEEE/CVF Conference on Computer Vision
and Pattern Recognition (CVPR). Nashville, TN, USA: IEEE, June 2021,
pp. 16332–16341. ISBN: 978-1-66544-509-2. DOI: 10.1109/CVPR46437.
2021.01607. URL: https://ieeexplore.ieee.org/document/
9577731/ (visited on 11/26/2022).
[9] Liam Fowl et al. “Robbing the Fed: Directly Obtaining Private Data in
Federated Learning with Modified Models”. en. In: 2022, p. 25. URL:
https://openreview.net/forum?id=fwzUgo0FM9v (visited on
10/22/2022).
[10] Jinwoo Jeon et al. “Gradient Inversion with Generative Image Prior”. en.
In: p. 11.
[11] Zhuohang Li et al. “Auditing Privacy Defenses in Federated Learning via
Generative Gradient Leakage”. en. In: 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). New Orleans, LA, USA: IEEE,
June 2022, pp. 10122–10132. ISBN: 978-1-66546-946-3. DOI: 10 . 1109 /
CVPR52688.2022.00989. URL: https://ieeexplore.ieee.org/
document/9878452/ (visited on 01/08/2023).
[12] Hao Fang et al. GIFD: A Generative Gradient Inversion Method with Feature
Domain Optimization. en. arXiv:2308.04699 [cs]. Sept. 2023. URL: http://
arxiv.org/abs/2308.04699 (visited on 09/21/2023).
[13] Martín Abadi et al. “Deep Learning with Differential Privacy”. en. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. arXiv:1607.00133 [cs, stat]. Oct. 2016, pp. 308–318. DOI:
10.1145/2976749.2978318. URL: http://arxiv.org/abs/1607.
00133 (visited on 04/07/2023).
[14] Ilya Mironov. “Renyi Differential Privacy”. en. In: 2017 IEEE 30th Computer Security Foundations Symposium (CSF). arXiv:1702.07476 [cs]. Aug.
2017, pp. 263–275. DOI: 10.1109/CSF.2017.11. URL: http://arxiv.
org/abs/1702.07476 (visited on 06/26/2023).
[15] Borja Balle et al. Hypothesis Testing Interpretations and Renyi Differential Privacy. en. arXiv:1905.09982 [cs, stat]. Oct. 2019. URL: http://arxiv.org/
abs/1905.09982 (visited on 06/25/2023)
[16] Ilya Mironov, Kunal Talwar, and Li Zhang. Renyi Differential Privacy of
the Sampled Gaussian Mechanism. en. arXiv:1908.10530 [cs, stat]. Aug. 2019.
URL: http://arxiv.org/abs/1908.10530 (visited on 04/06/2023).
[17] Natalia Ponomareva et al. How to DP-fy ML: A Practical Guide to Machine
Learning with Differential Privacy. en. arXiv:2303.00654 [cs, stat]. Mar. 2023.
URL: http://arxiv.org/abs/2303.00654 (visited on 03/21/2023).
[18] Richard Zhang et al. The Unreasonable Effectiveness of Deep Features as a Perceptual Metric. en. arXiv:1801.03924 [cs]. Apr. 2018. URL: http://arxiv.
org/abs/1801.03924 (visited on 12/02/2022).
[19] Yuxin Wen et al. “Fishing for User Data in Large-Batch Federated Learning via Gradient Magnification”. en. In: Proceedings of the 39th International Conference on Machine Learning. Vol. 162. Baltimore, Maryland, USA,
pp. 23668–23684. URL: https://proceedings.mlr.press/v162/
wen22a.html (visited on 10/22/2022).
[20] Cynthia Dwork and Aaron Roth. The Algorithmic Foundations of Differential Privacy. en. Vol. 9. 2013. URL: http : / / www . nowpublishers .
com/articles/foundations- and- trends- in- theoreticalcomputer-science/TCS-042 (visited on 06/27/2023).
[21] Robin C. Geyer, Tassilo Klein, and Moin Nabi. Differentially Private Federated Learning: A Client Level Perspective. en. arXiv:1712.07557 [cs, stat].
Mar. 2018. URL: http://arxiv.org/abs/1712.07557 (visited on
08/05/2023).
[22] H. Brendan McMahan et al. Learning Differentially Private Recurrent Language Models. en. arXiv:1710.06963 [cs]. Feb. 2018. URL: http://arxiv.
org/abs/1710.06963 (visited on 08/05/2023).
[23] Lichao Sun, Jianwei Qian, and Xun Chen. LDP-FL: Practical Private
Aggregation in Federated Learning with Local Differential Privacy. en.
arXiv:2007.15789 [cs]. May 2021. URL: http://arxiv.org/abs/2007.
15789 (visited on 10/24/2023).
[24] Ziyu Liu et al. On Privacy and Personalization in Cross-Silo Federated Learning. en. arXiv:2206.07902 [cs, stat]. Oct. 2022. URL: http://arxiv.org/
abs/2206.07902 (visited on 02/22/2023).
[25] Bo Zhao, Konda Reddy Mopuri, and Hakan Bilen. iDLG: Improved Deep
Leakage from Gradients. en. arXiv:2001.02610 [cs, stat]. Jan. 2020. URL:
http://arxiv.org/abs/2001.02610 (visited on 12/04/2023).
[26] Yangsibo Huang et al. Evaluating Gradient Inversion Attacks and Defenses
in Federated Learning. en. arXiv:2112.00059 [cs]. Nov. 2021. URL: http://
arxiv.org/abs/2112.00059 (visited on 11/30/2022).
[27] Giannis Daras et al. Intermediate Layer Optimization for Inverse Problems
using Deep Generative Models. en. arXiv:2102.07364 [cs]. Feb. 2021. URL:
http://arxiv.org/abs/2102.07364 (visited on 11/15/2023).
[28] Z. Wang et al. “Image Quality Assessment: From Error Visibility to Structural Similarity”. en. In: IEEE Trans. on Image Process. 13.4 (Apr. 2004),
pp. 600–612. ISSN: 1057-7149. DOI: 10.1109/TIP.2003.819861. URL:
http://ieeexplore.ieee.org/document/1284395/ (visited on
08/05/2023).
[29] Hongsheng Hu et al. Membership Inference Attacks on Machine Learning: A
Survey. en. arXiv:2103.07853 [cs]. Feb. 2022. URL: http://arxiv.org/
abs/2103.07853 (visited on 05/28/2023).
[30] Bargav Jayaraman and David Evans. “Are Attribute Inference Attacks Just
Imputation?” In: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. CCS ’22. Los Angeles, CA, USA: Association for Computing Machinery, 2022, 1569–1582. ISBN: 9781450394505.
DOI: 10.1145/3548606.3560663. URL: https://doi.org/10.
1145/3548606.3560663.
[31] Sai Qian Zhang, Jieyu Lin, and Qi Zhang. “A Multi-Agent Reinforcement
Learning Approach for Efficient Client Selection in Federated Learning”.
en. In: AAAI 36.8 (June 2022), pp. 9091–9099. ISSN: 2374-3468, 2159-5399.DOI: 10.1609/aaai.v36i8.20894. URL: https://ojs.aaai.org/
index.php/AAAI/article/view/20894 (visited on 12/25/2023).
[32] Howard H. Yang et al. Scheduling Policies for Federated Learning in Wireless
Networks. 2019. arXiv: 1908.06287 [cs.IT].
[33] Ashkan Yousefpour et al. Opacus: User-Friendly Differential Privacy Library
in PyTorch. en. arXiv:2109.12298 [cs]. Aug. 2022. URL: http://arxiv.
org/abs/2109.12298 (visited on 04/07/2023).
[34] Andrew Brock, Jeff Donahue, and Karen Simonyan. Large Scale GAN Training for High Fidelity Natural Image Synthesis. en. arXiv:1809.11096 [cs, stat].
Feb. 2019. URL: http://arxiv.org/abs/1809.11096 (visited on
11/16/2022).
[35] Hang Xu et al. “SLAMB: Accelerated Large Batch Training with Sparse
Communication”. en. In: Proceedings of the 40th International Conference on
Machine Learning 202 (July 2023), pp. 38801–38825.
[36] Alexander Tyurin and Peter Richtárik. DASHA: Distributed Nonconvex Optimization with Communication Compression, Optimal Oracle Complexity, and
No Client Synchronization. en. arXiv:2202.01268 [cs]. May 2022. URL: http:
//arxiv.org/abs/2202.01268 (visited on 09/23/2023).
[37] Kamalika Chaudhuri, Chuan Guo, and Mike Rabbat. Privacy-Aware Compression for Federated Data Analysis. en. arXiv:2203.08134 [cs]. June 2022.
URL: http://arxiv.org/abs/2203.08134 (visited on 09/23/2023).
[38] Zebang Shen et al. “Share Your Representation Only: Guaranteed Improvement of the Privacy-Utility Tradeoff in Federated Learning”. en. In:
The Eleventh International Conference on Learning Representations (2023).
[39] Enayat Ullah et al. Private Federated Learning with Autotuned Compression.
en. arXiv:2307.10999 [cs, stat]. July 2023. URL: http://arxiv.org/abs/
2307.10999 (visited on 09/25/2023).
指導教授 王家慶 呂俊賢(Jia-Ching Wang Chun-Shien Lu) 審核日期 2024-1-26
推文 facebook   plurk   twitter   funp   google   live   udn   HD   myshare   reddit   netvibes   friend   youpush   delicious   baidu   
網路書籤 Google bookmarks   del.icio.us   hemidemi   myshare   

若有論文相關問題,請聯絡國立中央大學圖書館推廣服務組 TEL:(03)422-7151轉57407,或E-mail聯絡  - 隱私權政策聲明