Table of Contents
Fetching ...

FedRE: Robust and Effective Federated Learning with Privacy Preference

Tianzhe Xiao, Yichen Li, Yu Zhou, Yining Qi, Yi Liu, Wei Wang, Haozhao Wang, Yi Wang, Ruixuan Li

TL;DR

This work addresses gradient leakage in federated learning by introducing Privacy-Sensitive Information (PSI) as a client-specific privacy preference and computing layer-wise PSI to guide protective noise. The proposed FedRE framework implements a layer-wise Local Differential Privacy (LDP) mechanism with budgets $\\epsilon_l$ proportional to PSI, and uses a novel PDA-PAM aggregation that leverages a public dataset to reduce the impact of perturbations. PSI is measured via a Jacobian-based sensitivity $S_l$, and perturbations are applied with clipping and Gaussian noise, providing overall $(\\sum_l \\epsilon_l, \\sum_l \\delta_l)$-DP across layers. Experiments on T-SROIE and DocTamper demonstrate that FedRE maintains or improves robustness and accuracy relative to baselines, highlighting the practical impact of tailoring privacy protection to data-specific PSI and using distribution-aware aggregation to preserve utility.

Abstract

Despite Federated Learning (FL) employing gradient aggregation at the server for distributed training to prevent the privacy leakage of raw data, private information can still be divulged through the analysis of uploaded gradients from clients. Substantial efforts have been made to integrate local differential privacy (LDP) into the system to achieve a strict privacy guarantee. However, existing methods fail to take practical issues into account by merely perturbing each sample with the same mechanism while each client may have their own privacy preferences on privacy-sensitive information (PSI), which is not uniformly distributed across the raw data. In such a case, excessive privacy protection from private-insensitive information can additionally introduce unnecessary noise, which may degrade the model performance. In this work, we study the PSI within data and develop FedRE, that can simultaneously achieve robustness and effectiveness benefits with LDP protection. More specifically, we first define PSI with regard to the privacy preferences of each client. Then, we optimize the LDP by allocating less privacy budget to gradients with higher PSI in a layer-wise manner, thus providing a stricter privacy guarantee for PSI. Furthermore, to mitigate the performance degradation caused by LDP, we design a parameter aggregation mechanism based on the distribution of the perturbed information. We conducted experiments with text tamper detection on T-SROIE and DocTamper datasets, and FedRE achieves competitive performance compared to state-of-the-art methods.

FedRE: Robust and Effective Federated Learning with Privacy Preference

TL;DR

This work addresses gradient leakage in federated learning by introducing Privacy-Sensitive Information (PSI) as a client-specific privacy preference and computing layer-wise PSI to guide protective noise. The proposed FedRE framework implements a layer-wise Local Differential Privacy (LDP) mechanism with budgets proportional to PSI, and uses a novel PDA-PAM aggregation that leverages a public dataset to reduce the impact of perturbations. PSI is measured via a Jacobian-based sensitivity , and perturbations are applied with clipping and Gaussian noise, providing overall -DP across layers. Experiments on T-SROIE and DocTamper demonstrate that FedRE maintains or improves robustness and accuracy relative to baselines, highlighting the practical impact of tailoring privacy protection to data-specific PSI and using distribution-aware aggregation to preserve utility.

Abstract

Despite Federated Learning (FL) employing gradient aggregation at the server for distributed training to prevent the privacy leakage of raw data, private information can still be divulged through the analysis of uploaded gradients from clients. Substantial efforts have been made to integrate local differential privacy (LDP) into the system to achieve a strict privacy guarantee. However, existing methods fail to take practical issues into account by merely perturbing each sample with the same mechanism while each client may have their own privacy preferences on privacy-sensitive information (PSI), which is not uniformly distributed across the raw data. In such a case, excessive privacy protection from private-insensitive information can additionally introduce unnecessary noise, which may degrade the model performance. In this work, we study the PSI within data and develop FedRE, that can simultaneously achieve robustness and effectiveness benefits with LDP protection. More specifically, we first define PSI with regard to the privacy preferences of each client. Then, we optimize the LDP by allocating less privacy budget to gradients with higher PSI in a layer-wise manner, thus providing a stricter privacy guarantee for PSI. Furthermore, to mitigate the performance degradation caused by LDP, we design a parameter aggregation mechanism based on the distribution of the perturbed information. We conducted experiments with text tamper detection on T-SROIE and DocTamper datasets, and FedRE achieves competitive performance compared to state-of-the-art methods.
Paper Structure (10 sections, 11 equations, 6 figures, 4 tables, 1 algorithm)

This paper contains 10 sections, 11 equations, 6 figures, 4 tables, 1 algorithm.

Figures (6)

  • Figure 1: This illustration depicts the varied privacy preferences of different clients. Client A pays close attention to iconographic elements within the data, such as stamps, bar codes, and QR codes, and highlights these privacy-sensitive regions with a yellow border. In contrast, Client B is more concerned with textual content, including numerical values and phone numbers, marking these sections with a blue frame.
  • Figure 2: Different derivatives of different layer networks on input images (left : original image, middle and right : derivatives on different layers).
  • Figure 3: The overall architecture of FedRE. When clients want to train a model cooperatively, each of them first trains locally on the last round's global model to get the original gradient. Then based on annotated PSI, we can measure the risk of PSI leakage at each layer by calculating their PSI scores, and the privacy budget $\epsilon$ will be rationally allocated to each layer accordingly. The original gradient will then be perturbed according to the privacy budget of each layer correspondingly and uploaded to the server for aggregation. Finally, in order to reduce the degradation caused by perturbation, the server aggregates all the gradients based on the possible distribution of the perturbation information known using the public dataset and distributes the updated model to all clients for the training of the next round.
  • Figure 4: Images recovered from gradient after gradient leakage attack without FedRE and with FedRE under the same privacy budget. Assuming that the last three characters of an image containing a social security number are PSI, the left image is the original image, the center image is attacked without FedRE, and the right image is the effect of privacy budget reallocation using FedRE.
  • Figure 5: Comparison of the effects of no noise, adding noise to the gradient and adding noise to the raw data on the Doctamper and T-Sroie datasets for training, with the iou metric on the left and the f-score metric on the right.
  • ...and 1 more figures

Theorems & Definitions (1)

  • definition 1