TY - GEN
T1 - PRIVATEFL
T2 - 32nd USENIX Security Symposium, USENIX Security 2023
AU - Yang, Yuchen
AU - Hui, Bo
AU - Yuan, Haolin
AU - Gong, Neil
AU - Cao, Yinzhi
N1 - Publisher Copyright:
© USENIX Security 2023. All rights reserved.
PY - 2023
Y1 - 2023
N2 - Federated learning (FL) enables multiple clients to collaboratively train a model with the coordination of a central server. Although FL improves data privacy by keeping each client’s training data local, an attacker—e.g., an untrusted server—can still compromise the privacy of clients’ local training data via various inference attacks. A de facto approach to preserving FL privacy is Differential Privacy (DP), which adds random noise during training. However, when applied to FL, DP suffers from a key limitation: it sacrifices the model accuracy substantially—even more severely than when applied to traditional centralized learning—to achieve a meaningful level of privacy. In this paper, we study the cause of the accuracy degradation of FL+DP and then design an approach to improve the accuracy. First, we propose that such accuracy degradation is partially because DP introduces additional heterogeneity among FL clients when adding different random noise with clipping bias during local training. To the best of our knowledge, we are the first to associate DP in FL with client heterogeneity. Second, we design PRIVATEFL to learn accurate, differentially private models in FL with reduced heterogeneity. The key idea is to jointly learn a differentially private, personalized data transformation for each client during local training. The personalized data transformation shifts the client’s local data distribution to compensate for the heterogeneity introduced by DP, thus improving the FL model’s accuracy. In the evaluation, we combine and compare PRIVATEFL with eight state-of-the-art differentially private FL methods on seven benchmark datasets, including six image and one non-image datasets. Our results show that PRIVATEFL learns accurate FL models with a small ε, e.g., 93.3% on CIFAR-10 with 100 clients under (ε = 2, δ = 1e−3)-DP. Moreover, PRIVATEFL can be combined with prior works to reduce DP-induced heterogeneity and further improve their accuracy.
UR - https://www.scopus.com/pages/publications/85176128350
UR - https://www.scopus.com/pages/publications/85176128350#tab=citedBy
M3 - Conference contribution
AN - SCOPUS:85176128350
T3 - 32nd USENIX Security Symposium, USENIX Security 2023
SP - 1595
EP - 1611
BT - 32nd USENIX Security Symposium, USENIX Security 2023
PB - USENIX Association
Y2 - 9 August 2023 through 11 August 2023
ER -