Exploiting Unintended Feature Leakage in Collaborative Learning

Presentation transcript:

Exploiting Unintended Feature Leakage in Collaborative Learning
Luca Melis∗ (UCL, luca.melis.14@alumni.ucl.ac.uk), Congzheng Song∗ (Cornell University, cs2296@cornell.edu), Emiliano De Cristofaro (UCL & Alan Turing Institute, e.decristofaro@ucl.ac.uk), Vitaly Shmatikov (Cornell Tech, shmat@cs.cornell.edu)

Collaborative machine learning
Participant 1 (Dataset 1, Model 1), Participant 2 (Dataset 2, Model 2), Participant 3 (Dataset 3, Model 3)
- Participants periodically exchange model parameters
- Training data never leave participants' machines

Collaborative machine learning: synchronized gradient updates

Collaborative machine learning: federated learning with model averaging

Key idea
- Any useful ML model reveals something about the population from which the training data was drawn
- Inferring "unintended" features that hold for certain subsets of the training data

Inferences
- Membership inference
- Passive property inference
- Active property inference

Threat model
K participants (1 adversary, 1 target)
Algorithm 1 (synchronized gradient updates):
- K = 2: the adversary observes the gradient updates computed on a single batch of the target's data
- K > 2: the adversary observes an aggregation of the gradient updates from all other participants
Algorithm 2 (model averaging): the adversary observes the result of a two-step aggregation: (1) every participant aggregates the gradients computed on each local batch; (2) the server aggregates the updates from all participants.

Threat model

Threat model - embedding layer
- Non-numeric, discrete inputs are sparse
- An embedding maps them to a low-dimensional vector representation
- The embedding matrix is treated as a model parameter
- Its gradient is sparse: only the rows of inputs present in the batch are non-zero
- Information about the batch is inferred from the non-zero gradient rows

Membership inference: is a given input IN the training data?
- Interpretation: data vs. model
- Importance: e.g. disease records
- Implementation in

Membership inference - experiment
(a) Idea
- Test bag of words (BoW): the input to be inferred
- Batch bag of words (BoW): the target's data in each batch; is the test BoW a subset of it?
(b) Datasets
- Yelp-health: vocabulary of 5,000 words
- FourSquare: 30,000 locations
(c) Result
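The sparse-embedding-gradient leakage behind this membership test, shown as an added toy example that is not the paper's or the presenters' code; the vocabulary size, the fixed output weights W, the squared-error loss and the batch are all constructed assumptions:

```python
import random

VOCAB, DIM = 20, 4                 # constructed toy vocabulary size and embedding width
W = [1.0, -1.0, 0.5, 0.25]         # fixed output weights of the toy model (assumption)

def init_embedding(seed=0):
    """Random embedding matrix with VOCAB rows of DIM values (constructed)."""
    rng = random.Random(seed)
    return [[rng.uniform(-0.1, 0.1) for _ in range(DIM)] for _ in range(VOCAB)]

def embedding_gradient(emb, batch, labels):
    """Gradient of a squared-error loss w.r.t. the embedding matrix for one
    batch of bag-of-words documents. Model: score = W . mean(emb[word]).
    Rows of words absent from the batch are never touched, so they stay 0."""
    grad = [[0.0] * DIM for _ in range(VOCAB)]
    for doc, y in zip(batch, labels):
        pooled = [sum(emb[w][d] for w in doc) / len(doc) for d in range(DIM)]
        err = sum(W[d] * pooled[d] for d in range(DIM)) - y   # d(loss)/d(score)
        for w in doc:
            for d in range(DIM):
                grad[w][d] += err * W[d] / len(doc)
    return grad

def words_in_batch(grad):
    """Observer's inference: every non-zero row belongs to a word in the batch."""
    return {i for i, row in enumerate(grad) if any(g != 0.0 for g in row)}

def infer_membership(grad, test_bow):
    """The slide's BoW test: were all words of the test BoW in the target's batch?"""
    return set(test_bow) <= words_in_batch(grad)

def keep_largest_rows(grad, k):
    """'Sharing fewer gradients': keep only the k rows with the largest norm.
    Every row that is still shared still leaks its word."""
    order = sorted(range(VOCAB), key=lambda i: -sum(g * g for g in grad[i]))
    keep = set(order[:k])
    return [row if i in keep else [0.0] * DIM for i, row in enumerate(grad)]

if __name__ == "__main__":
    emb = init_embedding()
    batch, labels = [[1, 5, 7], [5, 9]], [1.0, 0.0]   # constructed target batch
    g = embedding_gradient(emb, batch, labels)
    print("words leaked by non-zero rows:", sorted(words_in_batch(g)))
    print("test BoW [5, 9] in batch?", infer_membership(g, [5, 9]))
    print("leaked after keeping 2 rows:", sorted(words_in_batch(keep_largest_rows(g, 2))))
```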

Passive property inference
- Interpretation: the property need not hold in all classes and need not be related to the training objective
- Detect the property in a single batch, or in a participant's entire dataset
- Example: Bob's photos with gender classification as the main task; infer whether Alice also appears, whether people wear glasses, and when a property appears
- Assumption: the adversary has auxiliary data labeled with the property
- Idea: generate aggregated updates based on data with the property and updates based on data without the property; train a binary batch property classifier on them and feed it the observed updates

Passive property inference - idea

Single-batch property inference - experiment ex1

Single-batch property inference - experiment ex1: t-SNE projection of the features from different layers

Single-batch property inference - experiment ex2
- Main task: review-score classification
- Inference: specialty of doctors
ex3: infer some people

Dynamic property occurrence inference
- Determine whether the people in the image are of the same gender
- Infer whether and when a certain person appears in the other participant's photos

Inference against well-generalized models
- Main task: sentiment
- Inference: the authors' gender
- Dataset: annually expanded student-written essays and reviews, labeled truthful/deceptive or positive/negative, with attributes of the author (gender, age, sexual orientation, region of origin, personality profile) and of the document (timestamp, genre, topic, veracity, sentiment)

Active property inference
- Let the main model learn separable representations for the data with and without the property
- The adversary performs additional local computations and submits the resulting values into the collaborative learning protocol
- Main task: gender classification; inference: presence of ID 4

Multi-party experiments - A. Synchronized SGD

Multi-party experiments - B. Model averaging

Multi-party experiments - B. Model averaging

Defenses - A. Sharing fewer gradients; B. Dimensionality reduction

Defenses - C. Dropout; D. Participant-level differential privacy

Limitations
A. Auxiliary data: more targeted inference attacks require specialized auxiliary data that may not be available
B. Number of participants: some federated-learning applications involve thousands or millions of users
C. Undetectable properties: it may not be possible to infer some properties from model updates
D. Attribution of inferred properties: it may not be possible to attribute these inputs to a specific participant in multi-party scenarios

Thanks!