Secure Generalization through Stochastic Bidirectional Parameter Updates Using Dual-Gradient Mechanism

FL follows a cloud-server architecture, which consists of a global server and multiple local clients. In this paper, we consider the FL system to consist of homogenous local client models, i.e., using similar data distribution and having a model structure as of the global model. Assume our FL aims to map input space $\mathcal{X}$ to output space $\mathcal{Y}$ using global model, $\mathcal{S}$ and $\mathcal{N}$ local models represented as {$c_{1}$, $c_{2}$, …, $c_{N}$}. We denote the local dataset for each client $i$ as $\mathcal{D}_{i}$ = {$x_{i,1}$, $x_{i,2}$, …, $x_{i,n_{i}}$} such that $x_{i,j}$ = $(\mathcal{X},\mathcal{Y})\in\mathcal{X}\times\mathcal{Y}$. In FL, global model weights $w_{glb}$ are trained collaboratively by local clients by sharing their learning (local models) with the global server. The conventional method to generate a global model by aggregating the local models is FedAvg [3]. We can formulate the primary objective of FL using Eq. 1.

where, $\mathcal{L}$ denotes the loss terms for the global model, $l$ denotes loss for individual samples, $f_{i}$ comprises the loss of all samples for local client $i$.

In our work, we hold the assumption that the adversary does not corrupt the training. The client models share their parameters (weights or gradients) with the global model. When all local clients train their models for just one local epoch between two global aggregation operations, using their complete training datasets, we assume these parameters are equivalent. This scenario results in a white-box attack where model parameters and structure are accessible to the adversary.
Label Inference Attack (LIA): Assume each client $C_{k}$ with local dataset $\mathcal{D}_{k}=\{(x_{i},y_{i})\}_{i=1}^{n_{k}}$ where $x_{i}$, $y_{i}$ denotes the $i$-th sample and its ground truth label respectively. Consider local training with batch size, $bs$ with cross-entropy loss, $\mathcal{L}$ for the classification task; we can define the gradient of $\mathcal{L}$ with respect to (wrt) $w$ using Eq. 2

where, $n_{c}$ denotes the number of class labels, $y_{i}^{\prime}$ denotes the predicted logit. $y_{i}(j)$=1 if output index $j$ matches ground truth else $y_{i}(j)$=0. In LIA, our aim is to count images present in a batch ($\sum_{i=1}^{bs}y_{i}(j)$) for each class type $j$. For each input $x_{i}$, we can compute gradient wrt network output $z_{i}$ at index $j$ as suggested in (Yin et al. 2021) as shown in Eq. 3:

Further, we can use the uploaded gradient from the classifier model to perform LIA by multiple passes of random samples to the classifier to compute each category count $j$, which leads to privacy leakage [25]. We do not share the classifier parameters, so our method is resistant to LIA. Membership Inference Attack (MIA): In our work, we consider the enhanced MIA [25], defined as follows: Suppose attacker $C_{adv}$ has shadow dataset $\mathcal{D^{*}}$ which contains some images with target distribution but not in the target dataset. To improve attacks, shadow models are rebuilt for victims and other users. Using model parameters from clients, $C_{adv}$ generates a copy of victim model ${M^{victim}}$ and other models ${M^{others}}$ (aggregate if other users $>$ 2). The adversary $C_{adv}$ produces non-overlapping datasets randomly using $\mathcal{D^{*}}$ as $\mathcal{D}^{*}_{\text{victim}}$ and $\mathcal{D}^{*}_{\text{others}}$, which are fed as input to${M^{victim}}$, ${M^{others}}$ respectively. The obtained predictions ${P^{*}_{victim}}$, ${P^{*}_{others}}$ are manually considered with labels as $in$ (member) and $out$ (non-member) respectively. Using obtained predictions and their labels, an inference model ${M_{attack}}$ is trained by the adversary. Since the adversary has a skeptical dataset, it becomes difficult to determine whether the data comes from the victim or other users. $C_{adv}$ fed this dataset to ${M_{attack}}$ to perform MIA to infer data samples, and its success is determined based on correct inferences.
Image Reconstruction Attack (IR): During IR, the adversary attempts to recover the original image through the encrypted image to perform privacy leakage. To achieve this, optimization aimed to minimize the gradient difference obtained through the dummy images $x_{dummy}$ having labels $y_{dummy}$ and gradients shared by victim $\nabla w$. We can formally denote IR using Eq. 4.

Our novelty lies in proposing generalized updates for local clients to improve the utility and resist privacy leakage in FL. We validated the superiority of our method over the recent state-of-the-art method [25] (PPIDSG) by following a similar FL set-up (except using the proposed approach to generate diverse global solutions) and a further improvement in model utility and defense across the attacks. To achieve this, we propose a stochastic bidirectional learning mechanism that helps to generate diverse solutions at the global server to update local clients. The generated models at the server are in the neighborhood to provide generalized solutions for FL clients (refer to Fig. 1).

Our approach makes bidirectional systematic alterations in the gradients by modification in model parameters at a fine-grained level (i.e., altering each convolutional filter across the layers of the model), which improves the defense against attacks. These systematic updates provide a diverse model for each client and help them with generalized learning to improve the utility of the model (refer Fig. 1). The overview of the proposed method is provided in Fig. 2.

The overall FL round mainly consists of four steps: 1) The global model sends a diverse model to each client, as shown in Algo. 1. 2) With the received diverse model, each client undergoes local training and then uploads the model parameters (in our case, $G$) to the global model. 3) The global model aggregates the received models from the clients as shown in Eq. 5 to obtain the updated global model. 4) Using the current global model and previous global models, we perform Stochastic Bidirectional Parameter Updates ($SBPU$) to generate diverse models as shown in Algo. 2. For each client, the global model sends one diverse model to assist in its learning in the next round. Finally, we update the global models ($w_{glb}$, $w^{\prime}_{glb}$, $w^{\prime\prime}_{glb}$) for the next stochastic update.

Please note that, for the initial two FL rounds, we initialize $w^{\prime}_{glb}$ and $w^{\prime\prime}_{glb}$ with $w_{glb}$.To perform $SBPU$, we use $StochasticList$ as [-1, $\dots$, -1, 1, $\dots$, 1, -2, $\dots$, -2, 2, …, 2], where the frequency of each stochastic term, i.e., {-1, 1, -2, 2}, equals to $\left\lfloor\frac{f}{4}\right\rfloor$ where $f$ denotes the number of filters present in layer $i$ of global model $w_{glb}$. The $StochasticList$ is randomly shuffled to create diverse models by performing bidirectional parameter updates in filter $j$ from layer $i$. If $StochasticList[j]==\pm 1$, we perform the update under diversity rate $\beta_{1}$ as shown in Line 9 of Algo. 2, else we update under diversity rate $\beta_{2}$ as shown in Line 11 of Algo. 2, where $g_{glb}.i.j$, $g^{\prime}_{glb}.i.j$ denotes the gradient computed for $j$-th filter of $i$-th layer using global models from previous and previous to previous FL rounds, respectively; and $w_{loc}.i.j$ denotes the diverse model obtained after $SBPU$ for $j$-th filter of $i$-th layer.

In the GAN setup, $G$ captures the distribution in encrypted space and shares its parameters to perform FL. The original image is fed to $G$ instead of noise as it improves privacy. The generator network, $G$, consists of the encoder, ResNet blocks, and a decoder. To extract features from the original image, the encoder is used, which is fed into the ResNet block to maintain and align the image features into the target domain. Finally, the decoder helps to restore the features of the image. The discriminator network $D$ utilizes the adversarial loss (without conditional labels), $\mathcal{L}_{\text{adv}}$ for effective conversion into the encrypted domain. Consider original image domain ($X$) with distribution $x_{i}\sim p_{\text{data}}(x)$ and target domain $\hat{X}$ with distribution $\hat{x_{i}}\sim p_{\text{data}}(\hat{x})$. For training images with batch size $bs$, we can express the objective using Eq. 4.2 where $G$ and $D$ tires to maximize and minimize the objective, respectively.

To retain semantic information, we use semantic loss using $l_{1}$ norm as shown in Eq. 7, where $\theta_{G}$ denotes the generator parameters.

To improve distribution learning in $G$ towards the class-specific features, we used classification loss $\mathcal{L_{\text{cls}}}$ into $G$. With training epochs, $G$ learns to align generated images into the encrypted domain, and then generator parameters can be shared to the global server by different clients to facilitate FL. To improve the feature learning, we use feature extractor $F$, which consists of Encoder ($Enc$) and decoder $Dec$ networks. The features extracted by $Enc$ are converted into images using $Dec$. To extract efficient features, $F$ tries to minimize the feature distance between the image generated by $G$ and $Dec$ as shown in Eq. 8 where $\tilde{x_{i}}$ denotes the generated image. The classifier $C$ consists of a simple convolutional network and takes features from $F$ to minimize the classification error ($\mathcal{L_{\text{cls}}}$) for $n_{c}$ classes as described in Eq. 9. We compute total loss $\mathcal{L}_{\text{total}}$ as shown in Eq. 10 where $\lambda_{sem}$ and $\lambda_{cls}$ are hyperparameters to control the influence of $\mathcal{L}_{\text{sem}}$ and $\mathcal{L}_{\text{cls}}$ respectively.

Our global model is aggregated from all the trained local models similar to FedAvg. Let $t$ denote the $t^{th}$ SGD iteration on the local client, and each local client undergoes $E$ SGD training iterations, $w_{glb}$ denotes the aggregated model. For $i=1,2,\dots,K$, our method satisfies the following property:

where $\mathbf{w}_{i,n}^{{loc}}$ denotes the $i^{th}$ mutated weights in the $n^{th}$ round. Inspired by [21], the following assumptions on the loss functions of local clients (i.e., $f_{1},f_{2},\dots,f_{K}$) can be considered.
Assumption 1: For $i\in\{1,2,\dots,K\}$, $f_{i}$ is $L$-smooth, where $f_{i}(v)\leq f_{i}(w)+(v-w)^{T}\nabla f_{i}(w)+\frac{L}{2}\|v-w\|_{2}^{2}$.
Assumption 2: For $i\in\{1,2,\dots,K\}$, $f_{i}$ is $\mu$-strongly convex, where $f_{i}(v)\geq f_{i}(w)+(v-w)^{T}\nabla f_{i}(w)+\frac{\mu}{2}\|v-w\|_{2}^{2}$.
Assumption 3: The variance of stochastic gradients is bounded by $\sigma_{i}^{2}$, i.e., $\mathbb{E}\|\nabla f_{i}(w;\xi)-\nabla f_{i}(w)\|^{2}\leq\sigma_{i}^{2}$, where $\xi$ is a data batch of the $i^{th}$ client in the $t^{th}$ FL round.
Assumption 4: The expected squared norm of stochastic gradients is bounded by $G^{2}$, i.e., $\mathbb{E}\|\nabla f_{i}(w;\xi)\|^{2}\leq G^{2}$.
Based on these assumptions, our convergence can be obtained as:
Theorem 1. (Convergence of SBPU) Let Assumption 1-4 hold. If there are $n$ FL rounds during the FL training process. Let $T=n\times E$ denotes total number of SGD iterations and $\eta_{t}=\frac{2}{\mu(t+\gamma)}$ is learning rate. Let $\kappa=\frac{L}{\mu}$, $\gamma=\max(8\kappa,E)$. We have

where $B=\frac{1}{K^{2}}\sum_{i=1}^{K}\sigma_{i}^{2}+\frac{32\alpha^{2}}{1-4\alpha^{2}}(E-1)^{2}G^{2}$. Theorem 1 computes loss for SBPU between $f^{*}$ (optimal weight) and $f({w}_{T})$ in the $T^{th}$ interaction and indicates a convergence rate similar to FedAvg (detailed in [21]). We have provided full proof of convergence analysis of SBPU in the supplementary material.

We implemented the proposed approach using the PyTorch programming framework using NVIDIA RTX A5000 GPU with 24GB GPU memory. We evaluated our model on four datasets MNIST [6], FMNIST [33], CIFAR10 [18], and SVHN [37] as per official train-test split. To perform different attacks, we randomly select any one client as a victim.

For a fair comparison with recent benchmark PPIDSG [25], we followed a similar setting, i.e., homogeneous distribution across clients in the FL system [26] having 10 clients with equal training data access. We followed a batch size of 64 for GAN. We used block sizes ($B_{x}$ and $B_{y}$) for image encryption as 4. The generator and discriminator network have been trained using Adam optimizer with a learning rate (lr) of 0.0002. For the feature extractor ($F$) and classifier ($C$), we used an SGD optimizer with an lr of 0.01 and weight decay of 0.001. We keep the initial lr constant for the first 20 global iterations and then follow linear decrement until it converges to 0. In Eq. 10, we used $\lambda_{sem}$=1 and $\lambda_{cls}$=2 and train model for 100 rounds. We used $\beta$ = 0.025, 0.25, 0.15, and 1.1 in our learning rule for MNIST, FMIST, CIFAR10, and SVHN datasets, respectively. We defined $\beta_{1}$ and $\beta_{2}$ as $\beta$ and $\beta^{2}$, respectively. For further details, please refer to the supplementary material.

To evaluate the robustness of our model against different attacks, we compared it against several defense mechanisms, i.e., 1) ATS [9] (to find optimal image transformation through automatic transformation search) 2) EtC [5] (encrypt image using block-based image transformation) 3) DP [31] (use clipped gradient with gaussian noise during model training) 4) GC [40] follows gradient pruning to avoid privacy leakage 5) FedCG [32] use conditional GANs for privacy preservation in FL 6) PPIDSG [25] (share GAN parameters during FL rather than classifier to ensure privacy preservation). For differential privacy (DP), we kept the privacy budget as $\epsilon/T$ for $T$ global training epochs with clipping hyperparameter $C$ and denoted as DP $<$$\epsilon,C$$>$.

To validate the utility of the model, we select a random user to evaluate classification performance since our approach doesn’t have a global classification model. We provide the highest classification accuracy obtained by our model and compare it with different techniques in Table 1. Our method surpassed the state-of-the-art (SOTA) methods and obtained the highest classification accuracy. For CIFAR10, we observed significant improvement in classification accuracy. It is important to note that ATS and EtC defense policies utilize ResNet-18 as a classifier, which mainly determines the model utility and affects the classification accuracy. Our model uses a simple classifier network and is able to improve model utility mainly due to diverse and generalized updates to clients. To ensure effectiveness against attacks, our approach does not share the classifier parameter. Since we do not share the classifier model, our model becomes robust against Label Inference Attack (LIA). We have shown the robustness of other defense methods against LIA using different activation functions and architecture in the supplementary material. We considered enhanced Membership Inference Attack (MIA) as proposed in [25] for evaluation. We compared our defense accuracy against MIA with other defense mechanisms in Table 2.

Due to page limit constraints, we provided additional results, such as model utility and its robustness against MIA under $Part$ and $All$ settings for the remaining datasets in the supplementary material. For Reconstruction Attack (RA), we do not share the classifier model parameters with the global model, so the adversary fails to perform RA on our approach and attempts to reconstruct the image using generator parameters. In Fig. 4, we provide the quantitative and qualitative comparison of different mechanisms with the proposed approach against RA.

To decide the proposed stochastic bidirectional parameter update strategy, we performed ablation to analyze the effect of varying the number of global models (one, two, three, i.e., SingleGrad, DualGrad, and TripleGrad) to consider from previous FL rounds. SingleGrad, DualGrad, and TripleGrad consider stochastic terms for $StochasticList$ as {$\pm$ 1} with diversity rate: $\beta$; {$\pm$ 1, $\pm$ 2} with diversity rate: $\beta$, $\beta^{2}$; and {$\pm$ 1, $\pm$ 2, $\pm$ 3} with diversity rate: $\beta$, $\beta^{2},\beta^{3}$, respectively. We provided these ablations in Table 3. We performed ablation to analyze the effect of i) block size for image encryption, ii) the number of clients, and iii) the Effect of varying diversity rates, iv) compared the defense accuracy of our approach with SOTA settings: original image and no update; and provided results in the supplementary material. While comparing our method over PPIDSG using different numbers of clients, we found our method better, confirming its reliability and practical utility. We have shown the effect of increasing clients for both methods using CIFAR10 and FMNIST datasets in Fig. 5.