基于联邦学习的中心化差分隐私保护算法研究

doi:10.3969/j.issn.1671-1122.2024.01.007

摘要/Abstract

摘要：

近年来，联邦学习以独特的训练方式打破了数据“孤岛”，因此受到越来越多的关注。然而在训练全局模型时，联邦学习易受到推理攻击，可能会泄露参与训练成员的一些信息，产生严重的安全隐患。针对联邦训练过程中半诚实/恶意客户端造成的差分攻击，文章提出了基于中心化的差分隐私联邦学习算法DP-FEDAC。首先，优化联邦加速随机梯度下降算法，改进服务器的聚合方式，计算参数更新差值后采用梯度聚合方式更新全局模型，以提升稳定收敛；然后，通过对聚合参数添加中心化差分高斯噪声隐藏参与训练的成员贡献，达到保护参与方隐私信息的目的，同时还引入时刻会计（MA）计算隐私损失，进一步平衡模型收敛和隐私损失之间的关系；最后，与FedAC、分布式MB-SGD、分布式MB-AC-SGD等算法做对比实验，评估DP-FEDAC的综合性能。实验结果表明，在通信不频繁的情况下，DP-FEDAC算法的线性加速最接近FedAC，远优于另外两种算法，拥有较好的健壮性；此外DP-FEDAC算法在保护隐私的前提下能够达到与FedAC算法相同的模型精度，体现了算法的优越性和可用性。

关键词: 联邦学习, 隐私泄露, 差分隐私, 高斯噪声, 隐私追踪

Abstract:

Federated learning has received increasing attention in recent years for breaking down “data silos” with unique training methods. However, when the global model is trained, federation learning is vulnerable to inference attacks, which may reveal the information of some training members and bring about serious security risks. In order to solve differential attacks caused by semi-honest/malicious clients in federated training, this paper proposed a centralized differential privacy federated learning algorithm DP-FedAC. Firstly, the federal accelerated stochastic gradient descent algorithm was optimized to improve the aggregation mode of the server. After calculating the parameter update difference, the global model was updated by gradient aggregation mode to improve the stable convergence. Then, by adding centralized differential Gaussian noise to the aggregation parameters to hide the contributions of training members, the purpose of protecting the privacy information of participants was achieved. Time accounting (MA) was also introduced to calculate privacy loss to further balance the relationship between model convergence and privacy loss. Finally, comparative experiments were conducted with FedAC, distributed MB-SGD, distributed MB-AC-SGD and other algorithms to evaluate the comprehensive performance of DP-FedAC. The experimental results show that the linear acceleration of DP-FedAC algorithm is closest to that of FedAC in the case of infrequent communication, which is far better than the other two algorithms and has good robustness. In addition, the DP-FedAC algorithm achieves the same model accuracy as the FedAC algorithm on the premise of privacy protection, which reflects the superiority and usability of the algorithm.

Key words: federated learning, privacy leaks, differential privacy, Gaussian noise, privacy tracking

中图分类号:

TP309

徐茹枝, 戴理朋, 夏迪娅, 杨鑫. 基于联邦学习的中心化差分隐私保护算法研究[J]. 信息网络安全, 2024, 24(1): 69-79.

XU Ruzhi, DAI Lipeng, XIA Diya, YANG Xin. Research on Centralized Differential Privacy Algorithm for Federated Learning[J]. Netinfo Security, 2024, 24(1): 69-79.

图/表 5

表1

图1

图2

图3

图4

参考文献 32

[1]	MCMAHAN B, MOORE E, RAMAGE D, et al. Communication-Efficient Learning of Deep Networks from Decentralized Data[C]// PMLR.Artificial Intelligence and Statistics. Lauderdale: PMLR, 2017: 1273-1282.
[2]	ZHOU Jun, FANG Guoying, WU Nan. A Survey of Research on Security and Privacy Protection in Federated Learning[J]. Journal of Xihua University(Natural Science Edition), 2020, 39(4): 9-17.
	周俊, 方国英, 吴楠. 联邦学习安全与隐私保护研究综述[J]. 西华大学学报(自然科学版), 2020, 39(4): 9-17.
[3]	GEYER R C, KLEIN T, NABI M. Differentially Private Federated Learning: A Client Level Perspective[EB/OL]. (2017-09-20) [2023-07-23]. https://arxiv.org/abs/1712.07557.
[4]	MCMAHAN H B, RAMAGE D, TALWAR K, et al. Learning Differentially Private Recurrent Language Models[EB/OL]. (2017-08-18) [2023-07-24]. https://arxiv.org/abs/1710.06963.
[5]	MCMAHAN H B, ANDREW G, ERLINGSSON U, et al. A General Approach to Adding Differential Privacy to Iterative Training Procedures[EB/OL].(2018-09-15) [2023-07-24]. https://arxiv.org/abs/1812.06210.
[6]	LIU Yuhan, SURESH A T, YU F, et al. Learning Discrete Distributions: User vs Item-Level Privacy[C]// NIPS. Advances in Neural Information Processing Systems. New York: MIT Press, 2020: 20965-20976.
[7]	LIANG Zhicong, WANG Bao, GU Quanquan, et al. Exploring Private Federated Learning with Laplacian Smoothing[EB/OL]. (2020-05-01) [2023-07-24]. https://arxiv.org/abs/2005.00218.
[8]	HAMM J, CAO P, BELKIN M. Learning Privately from Multiparty Data[C]// ACM. International Conference on Machine Learning. New York: ACM, 2016: 555-563.
[9]	PAPERNOT N, ABADI M, ERLINGSSON U, et al. Semi-Supervised Knowledge Transfer for Deep Learning from Private Training Data[C]// ICLR. International Conference on Learning Representations. New York: arXiv.org, 2016: 1-16.
[10]	PAPERNOT N, SONG Shuang, MIRONOV I, et al. Scalable Private Learning with PATE[C]// ICLR. International Conference on Learning Representations. New York: arXiv.org, 2018: 1-34.
[11]	MIRONOV I. Renyi Differential Privacy[C]// IEEE. 2017 IEEE 30th Computer Security Foundations Symposium (CSF). New York: IEEE, 2017: 263-275.
[12]	SUN Lichao, ZHOU Yingbo, YU P S, et al. Differentially Private Deep Learning with Smooth Sensitivity[EB/OL]. (2020-03-01) [2023-07-25]. https://arxiv.org/abs/2003.00505.
[13]	ABADI M, CHU A, GOODFELLOW I, et al. Deep Learning with Differential Privacy[C]// ACM. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2016: 308-318.
[14]	DING Jiahao, WANG Jingyi, LIANG Guanguan, et al. Towards Plausible Differentially Private ADMM Based Distributed Machine Learning[C]// ACM.Proceedings of the 29th ACM International Conference on Information & Knowledge Management. New York: ACM, 2020: 285-294.
[15]	ARACHCHIGE P C M, BERTOK P, KHALIL I, et al. Local Differential Privacy for Deep Learning[J]. IEEE Internet of Things Journal, 2019, 7(7): 5827-5842. doi: 10.1109/JIoT.6488907 URL
[16]	ZHAO Yang, ZHAO Jun, YANG Mengmeng, et al. Local Differential Privacy-Based Federated Learning for Internet of Things[J]. IEEE Internet of Things Journal, 2020, 8(11): 8836-8853. doi: 10.1109/JIOT.2020.3037194 URL
[17]	TRUEX S, LIU Ling, CHOW K H, et al. LDP-Fed: Federated Learning with Local Differential Privacy[C]// ACM. Proceedings of the Third ACM International Workshop on Edge Systems, Analytics and Networking. New York: ACM, 2020: 61-66.
[18]	KIM M, LEE J, OHNO-MACHADO L, et al. Secure and Differentially Private Logistic Regression for Horizontally Distributed Data[J]. IEEE Transactions on Information Forensics and Security, 2019(15): 695-710.
[19]	LU Yunlong, HUANG Xiahong, DAI Yueyue, et al. Differentially Private Asynchronous Federated Learning for Mobile Edge Computing in Urban Informatics[J]. IEEE Transactions on Industrial Informatics, 2019, 16(3): 2134-2143. doi: 10.1109/TII.9424 URL
[20]	ZHAO Bin, FAN Kai, YANG Kan, et al. Anonymous and Privacy-Preserving Federated Learning with Industrial Big Data[J]. IEEE Transactions on Industrial Informatics, 2021, 17(9): 6314-6323. doi: 10.1109/TII.2021.3052183 URL
[21]	HU Rui, GUO Yuanxiong, GONG Yanming. Concentrated Differentially Private and Utility Preserving Federated Learning[EB/OL]. (2020-09-22) [2023-07-23]. https://arxiv.org/abs/2003.13761.
[22]	GONG Maoguo, FENG Jialun, YU Xie. Privacy-Enhanced Multi-Party Deep Learning[J]. Neural Networks, 2020, 121: 484-496. doi: S0893-6080(19)30323-5 pmid: 31648120
[23]	CHOUDHURY O, GKOULALAS-DIVANIS A, SALONIDIS T, et al. Anonymizing Data for Privacy-Preserving Federated Learning[EB/OL]. (2020-02-21) [2023-07-24]. https://arxiv.org/abs/2002.09096.
[24]	POULIS G, LOUKIDES G, GKOULALAS-DIVANIS A, et al. Anonymizing Data with Relational and Transaction Attributes[C]// Springer. Proceedings of the 2013 European Conference on Machine Learning and Knowledge Discovery in Databases-Volume Part III. Heidelberg: Springer, 2013: 353-369.
[25]	BITTAU A, ERLINGSSON U, MANIATIS P, et al. Prochlo: Strong Privacy for Analytics in the Crowd[C]// ACM. Proceedings of the 26th Symposium on Operating Systems Principles. New York: ACM, 2017: 441-459.
[26]	ERLINGSSON U, FELDMAN V, MIRONOV I, et al. Encode,Shuffle, Analyze Privacy Revisited: Formalizations and Empirical Evaluation[EB/OL].(2020-01-10) [2023-07-25]. https://arxiv.org/abs/2001.03618.
[27]	WEI Kang, LI Jun, DING Ming, et al. Federated Learning with Differential Privacy: Algorithms and Performance Analysis[J]. IEEE Transactions on Information Forensics and Security, 2020(15): 3454-3469.
[28]	WANG Hongyi, YUROCHKIN M, SUN Yuekai, et al. Federated Learning with Matched Averaging[EB/OL]. (2020-02-15) [2023-07-23]. https://arxiv.org/abs/2002.06440.
[29]	YE Yunfan, LI Shen, LIU Fang, et al. EdgeFed: Optimized Federated Learning Based on Edge Computing[J]. IEEE Access, 2020(8): 209191-209198.
[30]	YUAN Honglin, MA Tengyu. Federated Accelerated Stochastic Gradient Descent[C]// NIPS. Advances in Neural Information Processing Systems. San Diego: NIPS, 2020(33): 5332-5344.
[31]	DEKEL O, GILAD-BACHRACH R, SHAMIR O, et al. Optimal Distributed Online Prediction Using Mini-Batches[J]. Journal of Machine Learning Research, 2012, 13(1): 1-38.
[32]	COTTER A, SHAMIR O, SREBRO N, et al. Better Mini-Batch Algorithms via Accelerated Gradient Methods[C]// NIPS. Advances in Neural Information Processing Systems. San Diego: NIPS, 2011: 24-33.

保护策略	保护对象	保护方法	主要技术
中心	中心梯度^[3???-7] 中心模型^[8???-12]	扰动知识迁移	中心化差分隐私迁移、中心化差分隐私
本地	本地模型^[13,14]	扰动	中心化差分隐私
本地	本地属性信息^[15]	扰动	本地化差分隐私
本地	本地梯度^[16,17]	加密	同态加密秘密共享
中心/本地	本地梯度^[18??-21] 中心梯度^[22??-25]	安全混洗匿名	安全混洗（k, k^m）匿名本地化差分隐私
中心/本地	本地数据集信息和中心模型参数^[26]	安全多方计算与扰动	安全多方计算中心化差分隐私