Protecting Split Learning by Potential Energy Loss

2210.09617


Published 5/30/2024 by Fei Zheng, Chaochao Chen, Lingjuan Lyu, Xinyi Fu, Xing Fu, Weiqiang Wang, Xiaolin Zheng, Jianwei Yin


Abstract

As a practical privacy-preserving learning method, split learning has drawn much attention in academia and industry. However, its security is constantly being questioned since the intermediate results are shared during training and inference. In this paper, we focus on the privacy leakage from the forward embeddings of split learning. Specifically, since the forward embeddings contain too much information about the label, the attacker can either use a few labeled samples to fine-tune the top model or perform unsupervised attacks such as clustering to infer the true labels from the forward embeddings. To prevent this kind of privacy leakage, we propose the potential energy loss to make the forward embeddings become more 'complicated', by pushing embeddings of the same class towards the decision boundary. Therefore, it is hard for the attacker to learn from the forward embeddings. Experimental results show that our method significantly lowers the performance of both fine-tuning attacks and clustering attacks.


Overview

  • Split learning is a privacy-preserving machine learning method that has gained attention in academia and industry.
  • However, its security is often questioned as the intermediate results are shared during training and inference.
  • This paper focuses on the privacy leakage from the forward embeddings in split learning.

Plain English Explanation

In split learning, the machine learning model is split into two parts: the first part (called the "bottom model") runs on the client device, and the second part (called the "top model") runs on a central server. During training and inference, the client pushes its raw input through the bottom model and sends only the intermediate results (called "forward embeddings") to the central server, which feeds them into the top model.

The problem is that these forward embeddings can potentially reveal too much information about the true labels or targets, which could be a privacy concern. An attacker could use these forward embeddings in two ways:

  1. Fine-tuning attacks: The attacker could use a few labeled samples to fine-tune the top model and infer the true labels.
  2. Unsupervised attacks: The attacker could perform unsupervised techniques like clustering on the forward embeddings to try to infer the true labels.

To address this issue, the researchers propose a new technique called the "potential energy loss". This approach aims to make the forward embeddings more "complicated" by pushing the embeddings of the same class towards the decision boundary. This makes it harder for the attacker to learn from the forward embeddings and infer the true labels.

Technical Explanation

The paper presents a novel approach to enhance the privacy of split learning by addressing the privacy leakage from the forward embeddings.

The researchers first demonstrate that the forward embeddings in split learning can contain significant information about the true labels, which can be exploited by attackers using either fine-tuning attacks or unsupervised clustering attacks.

To mitigate this issue, the researchers propose the "potential energy loss" method. This approach aims to make the forward embeddings more "complicated" by pushing the embeddings of the same class towards the decision boundary. This is achieved by adding a regularization term to the loss function during training.
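The following is an added illustration (not the paper's code) of both points above: a clustering attack that recovers labels from tightly clustered forward embeddings, and a repulsive same-class regulariser that spreads them out. The 1/distance "potential energy" form, the unit-sphere normalisation, and moving the embeddings directly instead of training a bottom model are all assumptions made for the demo; the toy embeddings are constructed.

```python
import numpy as np

def normalize(emb, eps=1e-12):
    return emb / (np.linalg.norm(emb, axis=1, keepdims=True) + eps)  # unit sphere (assumed)

def potential_energy(emb, labels, eps=1e-6):
    """Coulomb-like energy: every same-class pair contributes 1/||z_i - z_j||, so a tightly
    clustered class has high energy. Assumed form of the regulariser, not the paper's own."""
    total = 0.0
    for c in np.unique(labels):
        zc = emb[labels == c]
        dist = np.linalg.norm(zc[:, None, :] - zc[None, :, :], axis=-1)
        total += np.sum(1.0 / (dist[np.triu_indices(len(zc), k=1)] + eps))
    return float(total)

def potential_energy_grad(emb, labels, eps=1e-6):
    """Analytic gradient: d/dz_i 1/||z_i - z_j|| = -(z_i - z_j) / ||z_i - z_j||^3."""
    grad = np.zeros_like(emb)
    for c in np.unique(labels):
        idx = np.where(labels == c)[0]
        diff = emb[idx][:, None, :] - emb[idx][None, :, :]  # (n, n, d)
        dist = np.linalg.norm(diff, axis=-1) + eps          # (n, n)
        np.fill_diagonal(dist, np.inf)                      # drop the self-term
        grad[idx] = -np.sum(diff / dist[:, :, None] ** 3, axis=1)
    return grad

def defend(emb, labels, steps=300, lr=0.05):
    """Stand-in for training with the regulariser: push unit-normalised embeddings down the
    energy gradient (largest step capped at lr) and re-project, so same-class points spread."""
    z = normalize(emb)
    for _ in range(steps):
        g = potential_energy_grad(z, labels)
        g /= np.linalg.norm(g, axis=1).max() + 1e-12
        z = normalize(z - lr * g)
    return z

def clustering_attack_purity(emb, labels, iters=30):
    """Proxy for the unsupervised attack: k-means (k = #classes); returns the fraction of
    points whose cluster's majority label equals their true label (1.0 = labels recovered)."""
    k = len(np.unique(labels))
    centers = emb[:: len(emb) // k][:k].copy()  # deterministic initialisation
    for _ in range(iters):
        assign = np.argmin(np.linalg.norm(emb[:, None] - centers[None], axis=-1), axis=1)
        centers = np.array([emb[assign == j].mean(axis=0) if np.any(assign == j) else centers[j] for j in range(k)])
    hits = sum(np.bincount(labels[assign == j]).max() for j in range(k) if np.any(assign == j))
    return hits / len(labels)

# Constructed toy forward embeddings: two tight, well-separated classes in 2-D.
rng = np.random.default_rng(0)
LABELS, EMB = np.repeat([0, 1], 20), np.vstack([rng.normal([-3.0, 0.0], 0.1, (20, 2)), rng.normal([3.0, 0.0], 0.1, (20, 2))])
```

On the raw embeddings the clustering proxy recovers every label; after `defend` the same-class points are spread around the sphere, the energy drops by orders of magnitude, and cluster purity falls to near chance.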

The researchers conduct extensive experiments to evaluate the effectiveness of their proposed method. They show that the potential energy loss significantly reduces the performance of both fine-tuning attacks and clustering attacks, compared to the baseline split learning approach.

Critical Analysis

The paper provides a valuable contribution to the field of privacy-preserving machine learning, particularly in the context of split learning.

One potential limitation of the proposed approach is that it may impact the overall performance of the model, as the potential energy loss could introduce additional complexities that may hinder the model's ability to learn effectively. The researchers acknowledge this trade-off and suggest that further research is needed to explore the efficiency-privacy trade-off in split learning.

Another area for further research could be the exploration of different types of privacy leakage beyond the forward embeddings, such as potential leakage from the gradients or other intermediate representations shared during the split learning process.

Conclusion

This paper presents a novel approach to enhance the privacy of split learning by addressing the privacy leakage from the forward embeddings. The proposed potential energy loss method effectively reduces the performance of both fine-tuning attacks and clustering attacks, making it harder for an attacker to infer the true labels from the shared forward embeddings.

The researchers' work highlights the importance of addressing privacy concerns in split learning and provides a promising solution that can help ensure the security and trustworthiness of this privacy-preserving machine learning technique.



This summary was produced with help from an AI and may contain inaccuracies - check out the links to read the original source documents!

Related Papers


Exploring the Privacy-Energy Consumption Tradeoff for Split Federated Learning

Joohyung Lee, Mohamed Seif, Jungchan Cho, H. Vincent Poor


Split Federated Learning (SFL) has recently emerged as a promising distributed learning technology, leveraging the strengths of both federated and split learning. It emphasizes the advantages of rapid convergence while addressing privacy concerns. As a result, this innovation has received significant attention from both industry and academia. However, since the model is split at a specific layer, known as a cut layer, into both client-side and server-side models for the SFL, the choice of the cut layer in SFL can have a substantial impact on the energy consumption of clients and their privacy, as it influences the training burden and the output of the client-side models. In this article, we provide a comprehensive overview of the SFL process and thoroughly analyze energy consumption and privacy. This analysis considers the influence of various system parameters on the cut layer selection strategy. Additionally, we provide an illustrative example of the cut layer selection, aiming to minimize clients' risk of reconstructing the raw data at the server while sustaining energy consumption within the required energy budget, which involves trade-offs. Finally, we address open challenges in this field. These directions represent promising avenues for future research and development.


5/6/2024


Make Split, not Hijack: Preventing Feature-Space Hijacking Attacks in Split Learning

Tanveer Khan, Mindaugas Budzys, Antonis Michalas


The popularity of Machine Learning (ML) makes the privacy of sensitive data more imperative than ever. Collaborative learning techniques like Split Learning (SL) aim to protect client data while enhancing ML processes. Though promising, SL has been proved to be vulnerable to a plethora of attacks, thus raising concerns about its effectiveness on data privacy. In this work, we introduce a hybrid approach combining SL and Function Secret Sharing (FSS) to ensure client data privacy. The client adds a random mask to the activation map before sending it to the servers. The servers cannot access the original function but instead work with shares generated using FSS. Consequently, during both forward and backward propagation, the servers cannot reconstruct the client's raw data from the activation map. Furthermore, through visual invertibility, we demonstrate that the server is incapable of reconstructing the raw image data from the activation map when using FSS. It enhances privacy by reducing privacy leakage compared to other SL-based approaches where the server can access client input information. Our approach also ensures security against feature space hijacking attack, protecting sensitive information from potential manipulation. Our protocols yield promising results, reducing communication overhead by over 2x and training time by over 7x compared to the same model with FSS, without any SL. Also, we show that our approach achieves >96% accuracy and remains equivalent to the plaintext models.


4/16/2024


Split-and-Denoise: Protect large language model inference with local differential privacy

Peihua Mai, Ran Yan, Zhe Huang, Youjia Yang, Yan Pang


Large Language Models (LLMs) excel in natural language understanding by capturing hidden semantics in vector space. This process enriches the value of text embeddings for various downstream tasks, thereby fostering the Embedding-as-a-Service (EaaS) business model. However, the risk of privacy leakage due to direct text transmission to servers remains a critical concern. To address this, we introduce Split-N-Denoise (SnD), a private inference framework that splits the model to execute the token embedding layer on the client side at minimal computational cost. This allows the client to introduce noise prior to transmitting the embeddings to the server, and subsequently receive and denoise the perturbed output embeddings for downstream tasks. Our approach is designed for the inference stage of LLMs and requires no modifications to the model parameters. Extensive experiments demonstrate SnD's effectiveness in optimizing the privacy-utility tradeoff across various LLM architectures and diverse downstream tasks. The results reveal an improvement in performance under the same privacy budget compared to the baselines by over 10% on average, offering clients a privacy-preserving solution for local privacy protection.


5/28/2024


Information Leakage from Embedding in Large Language Models

Zhipeng Wan, Anda Cheng, Yinggui Wang, Lei Wang


The widespread adoption of large language models (LLMs) has raised concerns regarding data privacy. This study aims to investigate the potential for privacy invasion through input reconstruction attacks, in which a malicious model provider could potentially recover user inputs from embeddings. We first propose two base methods to reconstruct original texts from a model's hidden states. We find that these two methods are effective in attacking the embeddings from shallow layers, but their effectiveness decreases when attacking embeddings from deeper layers. To address this issue, we then present Embed Parrot, a Transformer-based method, to reconstruct input from embeddings in deep layers. Our analysis reveals that Embed Parrot effectively reconstructs original inputs from the hidden states of ChatGLM-6B and Llama2-7B, showcasing stable performance across various token lengths and data distributions. To mitigate the risk of privacy breaches, we introduce a defense mechanism to deter exploitation of the embedding reconstruction process. Our findings emphasize the importance of safeguarding user privacy in distributed learning systems and contribute valuable insights to enhance the security protocols within such environments.


5/24/2024