Research Progress of Privacy Issues in Federated Learning
Authors: Tang Lingtao, Chen Zuoning, Zhang Lufei, Wu Dong
Author biographies:

Tang Lingtao (汤凌韬, 1994-), male, Ph.D. candidate, CCF student member; research interests: information security, privacy-preserving machine learning. Chen Zuoning (陈左宁, 1957-), female, Ph.D., doctoral supervisor, academician of the Chinese Academy of Engineering, CCF fellow; research interests: software theory, operating systems, information security. Zhang Lufei (张鲁飞, 1986-), male, Ph.D., engineer; research interests: high-performance computing, operating systems, machine learning. Wu Dong (吴东, 1971-), male, Ph.D., research professor; research interests: artificial intelligence, cryptography.

Corresponding author:

Tang Lingtao, E-mail: tangbdy@126.com

Funding:

National Key R&D Program of China (2016YFB1000500); National Science and Technology Major Project of China (2018ZX01028102)


Abstract:

With the rapid growth of big data and cloud computing, data security and privacy have become a worldwide concern. Organizations are reluctant to share data in order to protect their own interests and privacy, which leads to data silos. Federated learning enables multiple parties to build a common, robust model without exchanging their data samples, and so addresses data fragmentation and data isolation. However, a growing body of work shows that the federated learning algorithm first proposed by Google cannot withstand carefully designed privacy attacks, so strengthening privacy protection for users' data in the federated learning setting has become an important problem. This paper systematically surveys recent research on privacy attacks and defenses in federated learning. First, the definition, characteristics, and classification of federated learning are introduced. Then the adversary model for privacy threats in federated learning is analyzed, and representative privacy attacks are classified by the adversary's objective. Next, the mainstream privacy-preserving technologies used in federated learning are introduced, and their advantages and disadvantages in practical applications are compared. Furthermore, existing defenses against privacy attacks are summarized and six categories of privacy-preserving schemes are analyzed. Finally, the open challenges of privacy preservation in federated learning are summarized and promising research directions are discussed.
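As an added illustration of the abstract's central claim (example code written for this page, not code from the paper or from any system it surveys): in a plaintext federated round each client sends its model update to the server. For a fully connected layer with a bias, the weight gradient is the outer product of the error vector and the input, so the server can divide any row of the weight gradient by the matching bias gradient and read the client's training example back exactly. The second half shows the idea behind secure aggregation: clients add pairwise masks that cancel in the sum, so the server learns the aggregate update but no individual one. The model (one linear layer, squared loss, one example per client), the client data, and the string seed used in place of a real key agreement are all constructed assumptions.

```python
import random

SCALE = 2 ** 16   # fixed-point scale applied to gradients before masking
MOD = 2 ** 32     # masks and sums live in Z_MOD so the masks cancel exactly

def forward_backward(W, b, x, y):
    """Gradient of 0.5 * ||W x + b - y||^2 for a single example (x, y)."""
    k, d = len(W), len(x)
    err = [sum(W[i][j] * x[j] for j in range(d)) + b[i] - y[i] for i in range(k)]
    dW = [[err[i] * x[j] for j in range(d)] for i in range(k)]  # err * x^T
    return dW, list(err)

def invert_gradient(dW, db, eps=1e-12):
    """Server-side attack on a plaintext update: dW[i] == db[i] * x, so any
    row whose bias gradient is non-zero returns the client's input exactly."""
    for i, g in enumerate(db):
        if abs(g) > eps:
            return [w / g for w in dW[i]]
    return None  # zero error vector: this gradient says nothing about x

def flatten(dW, db):
    return [w for row in dW for w in row] + list(db)

def unflatten(vec, k, d):
    return [vec[i * d:(i + 1) * d] for i in range(k)], vec[k * d:]

def to_fixed(vec):
    return [int(round(v * SCALE)) % MOD for v in vec]

def from_fixed(vec):
    return [((v - MOD) if v >= MOD // 2 else v) / SCALE for v in vec]

def pair_mask(i, j, length, seed):
    """Mask shared by the pair {i, j}. Assumption: a real protocol derives it
    from a key agreement between the two clients; here a constructed string
    seed stands in so the example runs offline."""
    rng = random.Random(f"{seed}:{min(i, j)}:{max(i, j)}")
    return [rng.randrange(MOD) for _ in range(length)]

def mask_update(i, update, n, seed):
    """Client i adds the pair mask for every j > i and subtracts it for every
    j < i; the masks cancel only when all n masked vectors are summed."""
    masked = to_fixed(update)
    for j in range(n):
        if j != i:
            sign = 1 if i < j else -1
            masked = [(m + sign * r) % MOD
                      for m, r in zip(masked, pair_mask(i, j, len(masked), seed))]
    return masked

def aggregate(masked_updates):
    """Server: sum the masked vectors in Z_MOD; it never sees a plaintext update."""
    total = [0] * len(masked_updates[0])
    for m in masked_updates:
        total = [(t + v) % MOD for t, v in zip(total, m)]
    return from_fixed(total)

def run_demo(seed="constructed-pairwise-seed"):
    # Constructed model (k = 2 outputs, d = 3 inputs) and one example per client.
    W = [[0.1, 0.2, 0.3], [-0.4, 0.5, 0.6]]
    b = [0.05, -0.05]
    k, d = len(W), len(W[0])
    clients = [([0.5, -1.25, 2.0], [1.0, 0.0]),
               ([-0.3, 0.8, 0.1], [0.0, 1.0]),
               ([1.5, 0.25, -0.75], [1.0, 1.0])]
    n = len(clients)
    plain = [forward_backward(W, b, x, y) for x, y in clients]
    # 1. Plaintext round: the server reads every client's input off its gradient.
    recovered = [invert_gradient(dW, db) for dW, db in plain]
    # 2. Masked round: the same attack on a masked vector yields noise ...
    masked = [mask_update(i, flatten(*plain[i]), n, seed) for i in range(n)]
    guess = invert_gradient(*unflatten(from_fixed(masked[0]), k, d))
    # ... while the aggregate still equals the sum of the plaintext gradients.
    true_sum = [sum(col) for col in zip(*(flatten(dW, db) for dW, db in plain))]
    return {"inputs": [x for x, _ in clients], "recovered": recovered,
            "guess_from_masked": guess, "true_sum": true_sum,
            "aggregate": aggregate(masked)}

if __name__ == "__main__":
    out = run_demo()
    for x, r in zip(out["inputs"], out["recovered"]):
        print("client input", x, "-> server recovers", [round(v, 6) for v in r])
    print("inversion of a masked update:", out["guess_from_masked"])
    print("max |aggregate - true sum|:",
          max(abs(a - t) for a, t in zip(out["aggregate"], out["true_sum"])))
```

Running it prints each client's input recovered from its plaintext gradient, the noise obtained when the same inversion is applied to a masked update, and an aggregation error of a few 1e-5 caused only by fixed-point rounding. The toy leaves out what a deployable protocol needs: the key agreement that produces the pair masks, secret sharing so the sum survives client dropouts, and any protection of the aggregate itself, which still reveals whatever the sum of the updates reveals; that last gap is why masking is normally combined with other defenses rather than used alone.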

Cite this article:

Tang LT, Chen ZN, Zhang LF, Wu D. Research progress of privacy issues in federated learning. Ruan Jian Xue Bao/Journal of Software, 2023, 34(1): 197-229 (in Chinese with English abstract).

History
  • Received: 2020-10-02
  • Revised: 2021-01-28
  • Published online: 2021-08-02
  • Published: 2023-01-06
Copyright: Institute of Software, Chinese Academy of Sciences
Address: 4 South Fourth Street, Zhongguancun, Haidian District, Beijing 100190
Tel: 010-62562563 Fax: 010-62562533 E-mail: jos@iscas.ac.cn