
Novel Attack Model And Privacy-Preserving In Federated Deep Learning

Posted on: 2021-04-16
Degree: Master
Type: Thesis
Country: China
Candidate: Y R Mao
Full Text: PDF
GTID: 2518306050954109
Subject: Master of Engineering
Abstract/Summary:
Deep learning is an efficient way to model, classify, and identify complex data. Deep-learning-based Artificial Intelligence (AI) products have driven development in many fields and brought great changes to people's lives. Owing to its advantages of strong privacy for personal data, high learning efficiency and no dependence on a particular computing device, distributed federated deep learning has gradually become a hot research direction in big data. Users must share their data while enjoying the convenience of the deep learning model. With the increasing number of data leakage events, data security and privacy issues have gradually attracted attention. A distributed federated deep learning system carries many risks of disclosing users' private information.

In the distributed federated learning protocol, participants train the global model on each other's data by sharing model parameters, and the parameter server computes the gradient parameters from the participants' models. Participants need to upload local gradient parameters in each iteration, which may contain some information about the local training set, and attackers can extract local data by calculating the gradient parameter values in some iterations.

This paper studies the privacy security of distributed federated deep learning systems. We propose an attack model for the distributed federated learning system that can accurately restore samples from participants. At the same time, we propose a set of privacy-protection countermeasures against the attack model to protect the parameters shared by participants. The main research work is as follows:

1. To address the vulnerability of the parameter-sharing protocol in the distributed federated deep learning system, we propose an attack model based on GAN and membership inference technology. In the attack model, the attacker disguises itself as a federated learning participant, continuously induces normal users to train the GAN, conducts adversarial training with the generator held by the attacker, and restores the private data of normal users through the generator in the GAN. By extracting the white-box model of the participants, the attacker performs a membership inference attack on the private data and determines the membership relationship between a sample and each participant. We tested the attack model on the MNIST and CelebA datasets. The results show that in a distributed federated learning system, an attacker can generate a fake training set of participants even without directly touching the data set, whose accuracy can reach about 85%.

2. To defend against the attack model on participants' training samples in the distributed federated learning system, we improved the parameter selection algorithm and proposed a differential privacy method based on the sparse vector technique and trust domain technology. Considering the threshold selection problem in the Selection Gradient Upload algorithm, we use the sparse vector technique. Noise perturbation is applied to gradients beyond the threshold according to the principle of maximum gradient reduction, which avoids the effect of adding too much noise to the model. We experimentally validated the effectiveness of differential privacy protection in the federated learning system; with reasonable parameter choices it is effective against the attack model. We also evaluated a trust-domain-based optimization scheme that divides users into k trust domains in the distributed federated learning system. With the same privacy budget, partitioning users into trust domains greatly improves the accuracy of the global model.
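A defence-side illustration of the gradient-selection step in item 2, as an added example that is not the thesis's own code: each participant clips its local gradient, runs the sparse vector technique to decide which coordinates exceed the threshold, and uploads only Laplace-perturbed values for those. The three-way budget split, the sensitivity bound delta = 2 * clip and the random visiting order are assumptions of this example.

```python
import math
import random


def laplace(rng, scale):
    """Draw one Laplace(0, scale) sample by inverse CDF (stdlib only)."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(max(1.0 - 2.0 * abs(u), 1e-300))


def select_gradients_svt(grad, threshold, c, epsilon, clip, seed=0):
    """Selective gradient upload protected by the sparse vector technique.

    grad:      local gradient vector (list of floats) from one iteration
    threshold: tau; coordinates with |g_j| >= tau are candidates for upload
    c:         at most c coordinates are uploaded in this iteration
    epsilon:   per-iteration budget, split equally between threshold noise,
               comparison noise and released-value noise (assumed split)
    clip:      gradients are clipped to [-clip, clip], so every query |g_j|
               has sensitivity delta = 2 * clip (assumed sensitivity bound)
    Returns {index: noisy_clipped_value} for the uploaded coordinates.
    """
    rng = random.Random(seed)
    delta = 2.0 * clip
    eps1 = eps2 = eps3 = epsilon / 3.0
    # One noisy threshold per iteration; every comparison draws fresh noise.
    noisy_tau = threshold + laplace(rng, delta / eps1)
    order = list(range(len(grad)))
    rng.shuffle(order)  # data-independent visiting order keeps the SVT sound
    selected = {}
    for j in order:
        g = max(-clip, min(clip, grad[j]))
        if abs(g) + laplace(rng, 2.0 * c * delta / eps2) >= noisy_tau:
            # Coordinate passes the noisy test: release it with its own noise
            # rather than the raw value, so the server never sees exact gradients.
            selected[j] = g + laplace(rng, c * delta / eps3)
            if len(selected) >= c:
                break  # the c "above threshold" answers for this iteration are used up
    return selected


if __name__ == "__main__":
    # Constructed toy gradient; the large coordinates are the upload candidates.
    toy = [0.9, -0.05, 0.4, 0.01, -0.8, 0.3]
    print(select_gradients_svt(toy, threshold=0.35, c=2, epsilon=1.0, clip=1.0))
```

With a realistic budget (epsilon around 1) the returned values are visibly perturbed and the chosen indices vary between seeds; with a very large epsilon the noise vanishes, which is a quick way to check that the threshold logic itself is right.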
Keywords/Search Tags: Federated Deep Learning, GAN, Membership Inference Attack, Privacy-Preserving, Differential Privacy