Location

https://ccse.kennesaw.edu/computing-showcase/cday-programs/spring2021program.php

Document Type

Event

Start Date

26-4-2021 5:00 PM

Description

In this paper, we introduce a data augmentation-based defense strategy for preventing the reconstruction of training data through the exploitation of stolen model gradients. Traditional machine learning has required collecting training data on a centralized server in order to train neural networks. As privacy has become a significant concern, the concept of federated learning was introduced: a centralized server shares the trained neural network, and participating end users train locally and send only their gradients back to the server, without sharing the sensitive data itself. Because federated learning does not share the original data, which might include sensitive information, it is believed to be safe against privacy threats. However, several lines of research have shown that sharing gradients is not safe for privacy, because the training data can be reconstructed from the shared gradient. Model inversion is an exemplary privacy threat in deep learning that reconstructs training data from model parameters. Differential privacy is known as a way to defend against this type of attack on stolen gradients; however, adding noise to the optimization process to preserve privacy causes significant accuracy loss, so privacy and utility must be balanced. Our proposed method outperforms the traditional differentially private classification method by using grid search to find the optimized augmentation scheme for each data class. For each class of CIFAR-10, we found a best augmentation that guarantees accuracy similar to or better than differentially private stochastic gradient descent (DPSGD) optimization in deep learning. We report model accuracy and attack accuracy for comparison: model accuracy is measured on the augmented dataset, and attack accuracy on a dataset consisting of recovered images with the augmentation applied.
We aimed to secure higher model accuracy and lower attack accuracy than the differentially private classification results. For example, the airplane class of the CIFAR-10 dataset achieves 62.33% model accuracy and 34.67% attack accuracy, which is better than the DPSGD result of 56.78% model accuracy and 44.73% attack accuracy with sigma=0.5 and l2_clip_norm=1.0. Our research guarantees a better balance between privacy and utility and also shows that adaptive augmentation can be applied to various types of datasets in further research.

Advisor(s): Dr. Junggab Son

Topic(s): Security
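As an added illustration (not code from the authors), the DPSGD baseline the abstract compares against, in plain Python: each per-example gradient is clipped to l2_clip_norm=1.0 and Gaussian noise scaled by sigma=0.5 is added before averaging, which is the noise-in-the-optimizer step responsible for the accuracy loss the abstract describes. The gradient vectors are constructed toy inputs, not CIFAR-10 gradients, and the clip-then-add-Gaussian-noise recipe is the standard DPSGD formulation (Abadi et al., 2016), which the abstract itself does not spell out.

```python
import math
import random

# Baseline parameters the abstract reports for the DPSGD comparison.
SIGMA = 0.5          # noise multiplier
L2_CLIP_NORM = 1.0   # per-example gradient clipping bound


def l2_norm(vec):
    """Euclidean norm of a gradient vector (list of floats)."""
    return math.sqrt(sum(x * x for x in vec))


def clip_gradient(grad, clip_norm=L2_CLIP_NORM):
    """Per-example clipping: scale grad so its L2 norm is at most clip_norm.

    This bounds how much any single training example can influence the
    update, which is what makes the later noise addition meaningful.
    """
    norm = l2_norm(grad)
    if norm <= clip_norm:
        return list(grad)
    scale = clip_norm / norm
    return [x * scale for x in grad]


def privatize_batch(per_example_grads, sigma=SIGMA, clip_norm=L2_CLIP_NORM, rng=None):
    """One DPSGD update: clip each example's gradient, sum, add Gaussian noise
    with standard deviation sigma * clip_norm, then average over the batch.

    The noise is the source of the utility loss; with sigma=0 this reduces to
    the plain mean of the clipped gradients.
    """
    if rng is None:
        rng = random.Random(0)  # seeded so the example is reproducible
    dim = len(per_example_grads[0])
    clipped = [clip_gradient(g, clip_norm) for g in per_example_grads]
    summed = [sum(g[i] for g in clipped) for i in range(dim)]
    noise_std = sigma * clip_norm
    noisy = [s + rng.gauss(0.0, noise_std) for s in summed]
    return [x / len(per_example_grads) for x in noisy]


# Constructed per-example gradients (not real CIFAR-10 gradients): one well
# inside the clipping bound, one far outside it.
SAMPLE_GRADS = [
    [0.3, 0.4, 0.0],   # norm 0.5, left unchanged by clipping
    [3.0, 4.0, 0.0],   # norm 5.0, scaled down to norm 1.0
]

if __name__ == "__main__":
    print("clipped:", [clip_gradient(g) for g in SAMPLE_GRADS])
    print("noise-free mean:", privatize_batch(SAMPLE_GRADS, sigma=0.0))
    print("DPSGD update:", privatize_batch(SAMPLE_GRADS))
```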

Title

GR-70 Defending data reconstruction through adaptive image augmentation