
Can differential privacy practically protect collaborative deep learning inference for IoT?

Wireless Networks

Abstract

Collaborative inference has recently emerged as an attractive framework for applying deep learning to Internet of Things (IoT) applications by splitting a DNN model into several subpart models among resource-constrained IoT devices and the cloud. However, the reconstruction attack was proposed recently to recover the original input image from intermediate outputs that can be collected from local models in collaborative inference. For addressing such privacy issues, a promising technique is to adopt differential privacy so that the intermediate outputs are protected with a small accuracy loss. In this paper, we provide the first systematic study to reveal insights regarding the effectiveness of differential privacy for collaborative inference against the reconstruction attack. We specifically explore the privacy-accuracy trade-offs for three collaborative inference models with four datasets (SVHN, GTSRB, STL-10, and CIFAR-10). Our experimental analysis demonstrates that differential privacy can practically be applied to collaborative inference when a dataset has small intra-class variations in appearance. With the (empirically) optimized privacy budget parameter in our study, the differential privacy technique incurs accuracy loss of 0.476%, 2.066%, 5.021%, and 12.454% on SVHN, GTSRB, STL-10, and CIFAR-10 datasets, respectively, while thwarting the reconstruction attack.
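The privacy-accuracy trade-off described in the abstract can be seen on a toy intermediate output. This is an added example, not code from the paper: it assumes a Laplace mechanism with per-element clipping (this preview does not state the paper's mechanism or noise calibration), runs on a constructed activation vector, and the names `privatize` and `sweep` are hypothetical.

```python
import math
import random

def laplace(scale, rng):
    """Laplace(0, scale) sample as the difference of two exponential draws."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)

def privatize(features, epsilon, clip=1.0, rng=None):
    """Clip each activation to [0, clip], then add Laplace(clip / epsilon) noise.

    Assumption: per-element sensitivity equals the clipping bound, so epsilon
    is a per-element budget. The paper's own calibration may differ.
    """
    rng = rng or random.Random()
    scale = clip / epsilon
    return [min(max(x, 0.0), clip) + laplace(scale, rng) for x in features]

def mse(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) / len(a)

def psnr(a, b, peak=1.0):
    err = mse(a, b)
    return float("inf") if err == 0 else 10.0 * math.log10(peak ** 2 / err)

def sweep(epsilons, n=4096, seed=7):
    """Return (epsilon, feature MSE, feature PSNR) for each privacy budget."""
    rng = random.Random(seed)
    # Constructed stand-in for a post-ReLU intermediate output of the local model.
    features = [max(0.0, rng.gauss(0.2, 0.3)) for _ in range(n)]
    clipped = [min(x, 1.0) for x in features]
    rows = []
    for eps in epsilons:
        noisy = privatize(features, eps, rng=rng)
        # Distortion of what leaves the device: high MSE starves a
        # reconstruction model, but also degrades the cloud-side classifier.
        rows.append((eps, mse(clipped, noisy), psnr(clipped, noisy)))
    return rows

if __name__ == "__main__":
    for eps, m, p in sweep([0.1, 1, 10, 100, 1000]):
        print(f"epsilon={eps:>6}: feature MSE={m:.6f}  PSNR={p:.1f} dB")
```

The distortion added to the transmitted features falls roughly as 2·(clip/ε)², which is why a very large ε leaves the intermediate output almost unchanged.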


Data Availability Statement

The datasets used during this study are publicly available, and the references to their sources have been given in this published article.

Notes

  1. Batch normalization is applied in our case to further improve the plain model accuracy.

References

  1. Yao, S., Hu, S., Zhao, Y., Zhang, A., & Abdelzaher, T. F. (2017). Deepsense: A unified deep learning framework for time-series mobile sensing data processing. In Proceedings of WWW.

  2. Radu, V., Tong, C., Bhattacharya, S., Lane, N. D., Mascolo, C., Marina, M. K., & Kawsar, F. (2017). Multimodal deep learning for activity and context recognition. In Proceedings of the ACM on interactive, mobile, wearable and ubiquitous technologies, Vol. 1, no. 4, pp. 157:1–157:27.

  3. Yao, S., Zhao, Y., Shao, H., Zhang, A., Zhang, C., Li, S., & Abdelzaher, T. F. (2017). Rdeepsense: Reliable deep mobile computing models with uncertainty estimations. In Proceedings of the ACM on interactive, mobile, wearable and ubiquitous technologies, Vol. 1, no. 4, pp. 173:1–173:26.

  4. Yao, S., Zhao, Y., Shao, H., Zhang, C., Zhang, A., Hu, S., Liu, D., Liu, S., Su, L., & Abdelzaher, T. F. (2018). Sensegan: Enabling deep learning for internet of things with a semi-supervised framework. In Proceedings of the ACM on interactive, mobile, wearable and ubiquitous technologies, Vol. 2, no. 3, pp. 144:1–144:21.

  5. Yao, S., Zhao, Y., Zhang, A., Hu, S., Shao, H., Zhang, C., Su, L., & Abdelzaher, T. (2018). Deep learning for the internet of things. Computer, 51(5), 32–41.


  6. Yao, S., Zhao, Y., Shao, H., Liu, S., Liu, D., Su, L., & Abdelzaher, T. F. (2018). Fastdeepiot: Towards understanding and optimizing neural network execution time on mobile and embedded devices. In Proceedings of ACM SenSys.

  7. Teerapittayanon, S., McDanel, B., & Kung, H. T. (2017). Distributed deep neural networks over the cloud, the edge and end devices. In Proceedings of IEEE ICDCS.

  8. Ko, J. H., Na, T., Amir, M. F., & Mukhopadhyay, S. (2018). Edge-host partitioning of deep neural networks with feature space encoding for resource-constrained internet-of-things platforms. In Proceedings of IEEE international conference on advanced video and signal based surveillance.

  9. Wang, J., Zhang, J., Bao, W., Zhu, X., Cao, B., & Yu, P. S. (2018). Not just privacy: Improving performance of private deep learning in mobile cloud. In Proceedings of KDD.

  10. He, Z., Zhang, T., & Lee, R. B. (2019). Model inversion attacks against collaborative inference. In Proceedings of ACSAC.

  11. Dwork, C. (2006). Differential privacy. In Proceedings of ICALP.

  12. Dwork, C., McSherry, F., Nissim, K., & Smith, A. D. (2006). Calibrating noise to sensitivity in private data analysis. In Proceedings of TCC.

  13. Bai, J., Li, Y., Li, J., Yang, X., Jiang, Y., & Xia, S. (2022). Multinomial random forest. Pattern Recognition, 122, 108331.


  14. Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., & Ng, A. Y. (2011). Reading digits in natural images with unsupervised feature learning. In ICLR AI for social good workshop.

  15. Stallkamp, J., Schlipsing, M., Salmen, J., & Igel, C. (2012). Man vs. computer: Benchmarking machine learning algorithms for traffic sign recognition. Neural Networks, 32, 323–332.


  16. Krizhevsky, A. (2009). Learning multiple layers of features from tiny images. Tech. Rep.

  17. Coates, A., Ng, A. Y., & Lee, H. (2011). An analysis of single-layer networks in unsupervised feature learning. In Proceedings of AISTATS.

  18. Jayaraman, B., & Evans, D. (2019). Evaluating differentially private machine learning in practice. In Proceedings of USENIX security.

  19. Wang, Z., Bovik, A. C., Sheikh, H. R., & Simoncelli, E. P. (2004). Image quality assessment: From error visibility to structural similarity. IEEE Transactions on Image Processing, 13(4), 600–612.


  20. Dosovitskiy, A., Springenberg, J. T., Riedmiller, M., & Brox, T. (2014). Discriminative unsupervised feature learning with convolutional neural networks. In Proceedings of NeurIPS, pp. 766–774.

  21. Huang, H., Zhang, D., Xiao, F., Wang, K., Gu, J., & Wang, R. (2020). Privacy-preserving approach pbcn in social network with differential privacy. IEEE Transactions on Network and Service Management, 17(2), 931–945.


  22. Nguyen, D. C., Pathirana, P. N., Ding, M., & Seneviratne, A. (2020). Privacy-preserved task offloading in mobile blockchain with deep reinforcement learning. IEEE Transactions on Network and Service Management, 17(4), 2536–2549.


  23. Andreoletti, D., Velichkova, T., Verticale, G., Tornatore, M., & Giordano, S. (2020). A privacy-preserving reinforcement learning algorithm for multi-domain virtual network embedding. IEEE Transactions on Network and Service Management, 17(4), 2291–2304.


  24. Dong, S., Xia, Y., & Peng, T. (2021). Network abnormal traffic detection model based on semi-supervised deep reinforcement learning. IEEE Transactions on Network and Service Management.

  25. Khan, L. U., Han, Z., Niyato, D., & Hong, C. S. (2021). Socially-aware-clustering-enabled federated learning for edge networks. IEEE Transactions on Network and Service Management.

  26. Zhang, L., Cai, Z., & Wang, X. (2016). Fakemask: A novel privacy preserving approach for smartphones. IEEE Transactions on Network and Service Management, 13(2), 335–348.


  27. Subramanya, T., & Riggio, R. (2021). Centralized and federated learning for predictive vnf autoscaling in multi-domain 5g networks and beyond. IEEE Transactions on Network and Service Management, 18(1), 63–78.


  28. Ding, W., Hu, R., Yan, Z., Qian, X., Deng, R. H., Yang, L. T., & Dong, M. (2019). An extended framework of privacy-preserving computation with flexible access control. IEEE Transactions on Network and Service Management, 17(2), 918–930.


  29. Groleat, T., & Pouyllau, H. (2012). Distributed learning algorithms for inter-nsp sla negotiation management. IEEE Transactions on Network and Service Management, 9(4), 433–445.


  30. Zheng, Y., Lai, S., Liu, Y., Yuan, X., Yi, X., & Wang, C. (2022). Aggregation service for federated learning: An efficient, secure, and more resilient realization. IEEE Transactions on Dependable and Secure Computing. https://doi.org/10.1109/TDSC.2022.3146448.

  31. Zhu, L., Liu, X., Li, Y., Yang, X., Xia, S., & Lu, R. (2022). A fine-grained differentially private federated learning against leakage from gradients. IEEE Internet of Things Journal, 9(13), 11500–11512.

  32. Zheng, Y., Duan, H., Tang, X., Wang, C., & Zhou, J. (2021). Denoising in the dark: Privacy-preserving deep neural network-based image denoising. IEEE Transactions on Dependable and Secure Computing, 18(3), 1261–1275.


  33. Liu, X., Zheng, Y., Yuan, X., & Yi, X. (2021). Medisc: Towards secure and lightweight deep learning as a medical diagnostic service. In Proceedings of ESORICS.

  34. Rahman, M. A., Rahman, T., Laganière, R., & Mohammed, N. (2018). Membership inference attack against differentially private deep learning model. Transactions on Data Privacy, 11(1), 61–79.


  35. Abadi, M., Chu, A., Goodfellow, I. J., McMahan, H. B., Mironov, I., Talwar, K., & Zhang, L. (2016). Deep learning with differential privacy. In Proceedings of ACM CCS.

  36. Bernau, D., Grassal, P., Robl, J., & Kerschbaum, F. (2019). Assessing differentially private deep learning with membership inference. CoRR, Vol. abs/1912.11328.


Acknowledgements

This paper was supported in part by the Guangdong Basic and Applied Basic Research Foundation under Grant 2021A1515110027, in part by the Shenzhen Science and Technology Program under Grant RCBS20210609103056041, in part by the National Natural Science Foundation of China under Grant 62002167, in part by the Natural Science Foundation of JiangSu under Grant BK20200461, in part by the Research Grants Council of Hong Kong under Grants CityU 11217819, 11217620, RFS2122-1S04, N_CityU139/21, C2004-21GF, R1012-21, and R6021-20F, in part by the Shenzhen Municipality Science and Technology Innovation Commission under Grant SGDX20201103093004019, and in part by the Information & communications Technology Promotion grant funded by the Korea government.


Author information


Contributions

Conceptualization: Jihyeon Ryu, Yifeng Zheng, Yansong Gao, Alsharif Abuadbba; Methodology: Jihyeon Ryu, Yifeng Zheng, Yansong Gao, Alsharif Abuadbba; Formal analysis and investigation: Jihyeon Ryu, Yifeng Zheng, Yansong Gao; Writing—original draft preparation: Jihyeon Ryu, Yifeng Zheng, Yansong Gao, Alsharif Abuadbba; Writing - review and editing: Junyaup Kim, Dongho Won, Surya Nepal, Hyoungshick Kim, Cong Wang; Funding acquisition: Yifeng Zheng, Yansong Gao.

Corresponding author

Correspondence to Yifeng Zheng.

Ethics declarations

Competing interests

The authors have no relevant financial or non-financial interests to disclose.

Ethics approval

This article does not contain any studies with human participants performed by any of the authors.


A More visual and quantitative evaluation results


Figure 17 shows some visual evaluation results for Case 1 and Case 2 on the datasets (SVHN, GTSRB, STL-10, CIFAR-10) regarding the protection levels of the DP method against the data reconstruction attack. We can see that the reconstruction attack is not effective even for smaller \(\epsilon\) values as the local part model layer increases. It is observed that even at \(\epsilon = 1000\) in Case 1, the reconstructed images reveal meaningful visual information about the original images, whereas in Case 2 the reconstructed images reveal almost no meaningful information about the original images.

Tables 3, 4, 5, and 6 provide the quantitative evaluation results in terms of accuracy, MSE, SSIM, and PSNR. Note that the accuracy results were plotted in Figs. 4, 7, 10, and 13, and the MSE, SSIM, and PSNR results were plotted in Figs. 6, 9, 12, and 15. We provide the exact figures here to facilitate the observations.

Fig. 17 Visual results of applying the attack against the DP method (Case 1 and Case 2)

Table 3 Summary of quantitative evaluation results on SVHN
Table 4 Summary of quantitative evaluation results on GTSRB
Table 5 Summary of quantitative evaluation results on STL-10
Table 6 Summary of quantitative evaluation results on CIFAR-10


About this article


Cite this article

Ryu, J., Zheng, Y., Gao, Y. et al. Can differential privacy practically protect collaborative deep learning inference for IoT?. Wireless Netw (2022). https://doi.org/10.1007/s11276-022-03113-7


  • DOI: https://doi.org/10.1007/s11276-022-03113-7
