Federated learning (FL) aims to collaboratively train a global model in a distributed manner by sharing model parameters from local clients with a central server, thereby potentially protecting users' private information. Nevertheless, recent studies have shown that FL still suffers from information leakage, as adversaries try to recover the training data by analyzing the parameters shared by local clients. To deal with this issue, differential privacy (DP) is adopted to add noise to the gradients of local models before aggregation. This, however, results in poor performance of gradient-based interpretability methods, since some weights capturing the salient region in the feature map will be perturbed. To overcome this problem, we propose a simple yet effective adaptive differential privacy (ADP) mechanism that selectively adds noisy perturbations to the gradients of client models in FL. We also theoretically analyze the impact of gradient perturbation on model interpretability. Finally, extensive experiments on both IID and Non-IID data demonstrate that the proposed ADP can achieve a good trade-off between privacy and interpretability in FL.