反迁移学习的隐私保护联邦学习

doi:10.19665/j.issn1001-2400.2023.04.009

Abstract

Abstract:

The model stealing and gradient leakage attacks have increasingly become the bottlenecks that limit the broad application of federated learning.The existing authorization-based intellectual property protection schemes and privacy-preserving federated learning schemes have conducted a lot of research to solve the above challenges.However,there are still issues of authorization invalidation and high computational overhead.To solve the above problems,this paper proposes a model intellectual property and privacy-preserving method in federated learning.This method can protect the privacy of local gradients while ensuring that the aggregated model authorization is not invalidated.Specifically,a lightweight gradient aggregation method based on the blind factor is designed to significantly reduce the computational overhead of the encryption and decryption process by aggregating blinding factors.On this basis,an interactive co-training method based on anti-transfer learning is further proposed to ensure that the model can only be used by authorized users in authorized domains while protecting the privacy of local gradients,where the Shannon mutual information between the representation vector of the auxiliary domain data and the obstacle is increased.The security and correctness of the scheme are theoretically proved,and the system’s superiority is verified on the public data set.It is shown that the performance of the proposed method in the unauthorized domain is at least 47% lower than that of the existing schemes,and the computational complexity is reduced at the level of gradient dimension.

Key words: federated learning, intellectual property protection, non-transfer learning, privacy-preserving, public key cryptography

CLC Number:

TP309

XU Mengfan,LI Xinghua. Privacy-preserving federated learning with non-transfer learning[J].Journal of Xidian University, 2023, 50(4): 89-99.

Figures/Tables 9

符号	描述	符号	描述
R	全局盲化因子	R_i	本地盲化因子
[R_i]	加密的本地盲化因子	[R]	加密的全局盲化因子
$L n t l l$	第l次迭代时的损失	$z S i l$	第l次迭代时第i个源域的表征向量
$z A i l$	第l次迭代时第i个辅助域的表征向量	$z S i l *$	第l次迭代时第i个源域的盲化表征向量
$z A i l *$	第l次迭代时第i个辅助域的盲化表征向量	$z ˉ S l$	第l次迭代时源域的平均表征向量
$z ˉ A l$	第l次迭代时辅助域的平均表征向量	$z S l *$	第l次迭代时源域全局盲化表征向量
$z A l *$	第l次迭代时辅助域全局盲化表征向量

References 21

[1]	BAEK H, YUN W J, KWAK Y, et al. Joint Superposition Coding and Trainingfor Federated Learning Over Multi-Width Neural Networks[C]// IEEE INFOCOM 2022-IEEE Conference on Computer Communications.Piscataway:IEEE, 2022:1729-1738.
[2]	GONG X, SHARMA A, KARANAM S, et al. Preserving Privacy in Federated Learning with Ensemble Cross-Domain Knowledge Distillation[C]// 2022 Proceedings of the AAAI Conference on Artificial Intelligence. Palo Alto: AAAI, 2022,1891-1899.
[3]	SHEN Y, HE X, HAN Y, et al. Model Stealing Attacks Against Inductive Graph Neural Networks[C]// 2022 IEEE Symposium on Security and Privacy (SP).Piscataway:IEEE, 2022:1175-1192.
[4]	KARIYAPPA S, QURESHI M K. Defending Against Model Stealing Attacks with Adaptive Misinformation[C]// Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition.Piscataway:IEEE, 2020:770-778.
[5]	袁程胜, 郭强, 付章杰. 基于差分隐私的深度伪造指纹检测模型版权保护算法[J]. 通信学报, 2022, 43(9):181-193. doi: 10.11959/j.issn.1000-436x.2022184
	YUAN Chengsheng, GUO Qiang, FU Zhangjie. Copyright Protection Algorithm Based on Differential Privacy Deep Fake Fingerprint Detection Model[J]. Journal on Communications, 2022, 43(9):181-193. doi: 10.11959/j.issn.1000-436x.2022184
[6]	SHARMA S, ZOU J J, FANG G. A Dual Watermarking Scheme for Identity Protection[C]// 2020 Digital Image Computing:Techniques and Applications(DICTA).Piscataway:IEEE, 2022:1-30.
[7]	LIU Z, LI F, LI Z, et al. LoneNeuron:A Highly-Effective Feature-Domain Neural Trojan Using Invisible and Polymorphic Watermarks[C]// Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2022:2129-2143.
[8]	ALAM M, SAHA S, MUKHOPADHYAY D, et al. Deep-Lock:Secure Authorization for Deep Neural Networks(2020)[J/OL].[2020-08-13]. https://arxiv.org/abs/2008.05966.
[9]	CHAKRABORTY A, MONDAI A, SRIVASTAVA A. Hardware-Assisted Intellectual Property Protection of Deep Learning Models[C]// 2020 57th ACM/IEEE Design Automation Conference (DAC).Piscataway:IEEE, 2020:1-6.
[10]	WANG L, XU S, XU R, et al. Non-Transferable Learning:A New Approach for Model Ownership Verification and Applicability Authorization(2021)[J/OL].[2021-06-13]. https://arxiv.org/abs/2106.06916v1.
[11]	WANG J, GUO S, XIE X, et al. Protect Privacy from Gradient Leakage Attack in Federated Learning[C]// IEEE INFOCOM 2022-IEEE Conference on Computer Communications.Piscataway:IEEE, 2022:580-589.
[12]	WEI W, LIU L. Gradient Leakage Attack Resilient Deep Learning[J]. IEEE Transactions on Information Forensics and Security, 2021, 17:303-316. doi: 10.1109/TIFS.2021.3139777
[13]	徐花, 田有亮. 差分隐私下的权重社交网络隐私保护[J]. 西安电子科技大学学报, 2022, 49(1):17-26.
	XU Hua, TIAN Youliang. Protection of Privacy of the Weighted Social Network under Differential Privacy[J]. Journal of Xidian University, 2022, 49(1):17-26.
[14]	XIE H, ZHENG J, HE T, et al. MTEBDS:A Trusted Execution Environment-and-Blockchain-Supported IoT Data Sharing System[J]. Future Generation Computer Systems. 2023, 140:321-330. doi: 10.1016/j.future.2022.10.016
[15]	WU T, LI X, MIAO Y, et al. CITS-MEW:Multi-Party Entangled Watermark in Cooperative Intelligent Transportation System[J]. IEEE Transactions on Intelligent Transportation Systems, 2023, 24(3):3528-3540. doi: 10.1109/TITS.2022.3225116
[16]	TISHBY N, PEREIRA F C, BIALEK W. The Information Bottleneck Method(2000)[J/OL].[2000-04-24]. https://arxiv.org/abs/physics/0004057.
[17]	ACHILLE A, SOATTO S. Emergenceof Invariance and Disentanglement in Deep Representations[J]. The Journal of Machine Learning Research, 2018, 19(1):1947-1980.
[18]	COHEN G, AFSHAR S, TAPSON J, et al. EMNIST:Extending Mnistto Handwritten Letters[C]// 2017 International Joint Conference on Neural Networks (IJCNN).Piscataway:IEEE, 2017:2921-2926.
[19]	KRIZHEVSKY A, HINTON G. Convolutional Deep Belief Networks on Cifar-10[J]. Unpublished Manuscript, 2010, 40(7):1-9.
[20]	LIU X, LI H, XU G, et al. Privacy-Enhanced Federated Learning Against Poisoning Adversaries[J]. IEEE Transactions on Information Forensics and Security, 2021, 16:4574-4588. doi: 10.1109/TIFS.2021.3108434
[21]	MA Z, MA J, MIAO Y, et al. ShieldFL:Mitigating Model Poisoning Attacks in Privacy-Preserving Federated Learning[J]. IEEE Transactions on Information Forensics and Security, 2022, 17:1639-1654. doi: 10.1109/TIFS.2022.3169918

方案	保护方式	适用范围	隐私保护
文献[5-7]	水印(事后举证)	单用户	×
文献[15]	水印(事后举证)	多用户
文献[8-9]	用户授权(事前防御)	单用户	×
文献[10]	数据授权(事前防御)	单用户	×
文中方案	用户+数据授权(事前防御)	多用户	√

方案	计算复杂度	通信复杂度
文献[20-21]	O(nγ)	O(nlγ)
文中方案FedNTL	O(n)	O(nl)

Privacy-preserving federated learning with non-transfer learning

RichHTML

PDF (PC)

Like

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 9

References 21

Related Articles 8

Metrics

Comments

Recommended 10

方案		L₁	L₂	L₃	L₄	L₅
NTL	源域	83	85	88	91	88
	辅助域	15	69	11	18	57
FedNTL	源域	85	81	89	93	87
	辅助域	16	19	12	15	14

[1]	LI Haiyang,GUO Jingjing,LIU Jiuzun,LIU Zhiquan. Privacy preserving byzantine robust federated learning algorithm [J]. Journal of Xidian University, 2023, 50(4): 121-131.
[2]	LI Yiming,LIU Shengli. Adaptive secure stream encryption supporting pattern matching [J]. Journal of Xidian University, 2023, 50(4): 1-10.
[3]	YANG Xiaohui,ZHUANG Haijing. Anonymous communication model with dynamic negotiation of identifiers [J]. Journal of Xidian University, 2023, 50(4): 100-110.
[4]	WANG Fangwei,XIE Meiyun,LI Qingru,WANG Changguang. Differentially private federated learning framework with adaptive clipping [J]. Journal of Xidian University, 2023, 50(4): 111-120.
[5]	DING Hongfa,TANG Mingli,LIU Hai,JIANG Heling,FU Peiwang,YU Yingying. Model for protection of k-degree anonymity privacy under neighbor subgraph disturbance [J]. Journal of Xidian University, 2023, 50(4): 180-193.
[6]	ZHU Xudong;LI Hui;GUO Zhen. Privacy-preserving query over the encrypted image in cloud computing [J]. J4, 2014, 41(2): 151-158.
[7]	ZHANG Wei-dong;WANG Bao-cang;HU Yu-pu. New knapsack-type public-key cryptographic algorithm [J]. J4, 2009, 36(3): 506-511.
[8]	ZHU Hui;LI Hui;WANG Yu-min. Fast authentication protocol based on the Canetti-Krawczyk model [J]. J4, 2009, 36(1): 156-161.