Portfolio item number 1
Short description of portfolio item number 1
Posts by Collection
portfolio
Portfolio item number 2
Short description of portfolio item number 2
publications
EaSTFLy: Efficient and secure ternary federated learning
Published in Computers & Security, 2020
Authors: Ye Dong, Xiaojun Chen, Liyan Shen, and Dakui Wang
KeyWords: Federated Learning, Binary Neural Network, Secret Sharing
Abstract: Privacy-preserving machine learning allows multiple parties to perform distributed data analytics while guaranteeing individual privacy. In this area, researchers have proposed many schemes that combine machine learning with privacy-preserving technologies. But these works have shortcomings in terms of efficiency. Meanwhile, federated learning has received widespread attention due to its ability to update parameters without collecting users’ raw data, but this method is short in communications and privacy. Recently, ternary gradients federated learning(TernGrad) has been proposed to reduce the communications, but it is still to various security and privacy threats.
In this paper, firstly, we analyze the privacy leakages of TernGrad. Then, we present our solution-EaSTFLy to solve the privacy issue. More concretely, in EaSTFLy, we combine TernGrad with secret sharing and homomorphic encryption to design our privacy-preserving protocols against semi-honest adversary. In addition, we optimize our protocols via SIMD. Compared to prior works on floating-point gradients, our protocols are more efficient in communication and computation overheads, and the accuracy is as high as the plaintext ternary federated learning. To our best knowledge, this is the first research combining ternary federated learning with privacy-preserving technologies. Finally, we evaluate our experiments to show improvements.
Efficient and Secure Federated Learning Based on Secret Sharing and Gradients Selection
Published in Journal of Computer Research and Development(计算机研究与发展), 2020
Authors: Ye Dong, Wei Hou, Xiaojun Chen, Shai Zeng
KeyWords: Federated Learning, Secret Sharing
Abstract: In recent years, federated learning (FL) has been an emerging collaborative machine learning method where distributed users can train various models by only sharing gradients. To prevent privacy leakages from gradients, secure multi-party computation (MPC) has been considered as a promising guarantee recently. Meanwhile, some researchers proposed the Top-K gradients selection algorithm to reduce the traffic for synchronizing gradients among distributed users. However, there are few works that can balance the advantages of the two areas at present. We combine secret sharing with Top-K gradients selection to design efficient and secure federated learning protocols, so that we can cut down the communication overheads and improve the efficiency during the training phase while guaranteeing the users privacy and data security. Also, we propose an efficient method to construct message authentication code (MAC) to verify the validity of the aggregated results from the servers. And the communication overheads introduced by the MAC is small and independent of the number of shared gradients. Besides, we implement a prototype system. Compared with the plaintext training, on the one hand, our secure techniques introduce small additional overheads in communication and computation; On the other hand, we achieve the same level of accuracy as the plaintext training.
A Shared-Word Sensitive Sequence-to-Sequence Features Extractor for Sentences Matching
Published in The 24th European Conference on Artificial Intelligence(ECAI), 2020
Authors: Jinqing Li, Dakui Wang, Xiaojun Chen, Pencheng Liao, Shujuan Chen
KeyWords: Nature Language Processing, Sequence2sequence model
Abstract: Sentences matching is a basic task in Natural Language Processing (NLP). Interaction-based methods, which employ interactions between words of two sentences and construct word-level matching features to classify, are generally used due to their fine-grained features. However, they have many invalid interactions that may affect matching precision. In this paper, we limit the objects of interacting to shared words4 of two sentences. On the one hand, they can reduce invalid interactions. On the other hand, because of the different context semantics, the representation of the same word may be quite different, conversely, the representation difference can also be used to reflect the semantic difference of different contexts. To better extract global features of shared words, we introduce a sequence-to-sequence features extractor to force decoder to learn more contextual information from encoder. We implement the method based on Transformer[28], with syntactic parsing as additional knowledge. Our proposed method achieved better performance than strong baselines and the experiment results also demonstrate the efficiency of sequence-to-sequence features extractor and significance of the shared words.
An Efficient 3-Party Framework for Privacy-Preserving Neural Network Inference
Published in European Symposium on Research in Computer Security(ESORICS), 2020
Authors: Liyan Shen, Xiaojun Chen, Jinqiao Shi, Ye Dong, and Binxing Fang
KeyWords: Secure Multiparty Computation, Secure Neural Network Inference
Abstract: In the era of big data, users pay more attention to data privacy issues in many application fields, such as healthcare, finance, and so on. However, in the current application scenarios of machine learning as a service, service providers require users’ private inputs to complete neural network inference tasks. Previous works have shown that some cryptographic tools can be used to achieve the secure neural network inference, but the performance gap is still existed to make those techniques practical.
In this paper, we focus on the efficiency problem of privacy-preserving neural network inference and propose novel 3-party secure protocols to implement amounts of nonlinear activation functions such as ReLU and Sigmod, etc. Experiments on five popular neural network models demonstrate that our protocols achieve about $1.2\times$ –$11.8\times$ and $1.08\times –4.8\times$ performance improvement than the state-of-the-art 3-party protocols (SecureNN) in terms of computation and communication overhead. Furthermore, we are the first to implement the privacy-preserving inference of graph convolutional networks.
FLOD: Oblivious Defender for Private Byzantine-Robust Federated Learning with Dishonest-Majority
Published in European Symposium on Research in Computer Security(ESORICS), 2021
Authors: Ye Dong, Xiaojun Chen, Kaiyun Li, Dakui Wang, and Shuai Zeng
KeyWords: Secure Multiparty Computation, Federated Learning
Abstract: Privacy and Byzantine-robustness are two major concerns of federated learning (FL), but mitigating both threats simultaneously is highly challenging: privacy-preserving strategies prohibit access to individual model updates to avoid leakage, while Byzantine-robust methods require access for comprehensive mathematical analysis. Besides, most Byzantine-robust methods only work in the honest-majority setting.
We present FLOD, a novel oblivious defender for private Byzantine-robust FL in dishonest-majority setting. Basically, we propose a novel Hamming distance-based aggregation method to resist $>1/2$ Byzantine attacks using a small root-dataset and server-model for bootstrapping trust. Furthermore, we employ two non-colluding servers and use additive homomorphic encryption (AHE) and secure two-party computation (2PC) primitives to construct efficient privacy-preserving building blocks for secure aggregation, in which we propose two novel in-depth variants of Beaver Multiplication triples (MT) to reduce the overhead of Bit to Arithmetic (Bit2A) conversion and vector weighted sum aggregation (VSWA) significantly. Experiments on real-world and synthetic datasets demonstrate our effectiveness and efficiency: (i) FLOD defeats known Byzantine attacks with a negligible effect on accuracy and convergence, (ii) achieves a reduction of $\approx 2\times$ for offline (resp. online) overhead of Bit2A and VSWA compared to $\mathsf {ABY}$-AHE (resp. ABY-MT) based methods (NDSS’15), (iii) and reduces total online communication and run-time by $167–1416\times$ and $3.1–7.4\times$ compared to FLGUARD (Crypto Eprint 2021/025).
Enhancing Label Representations with Relational Inductive Bias Constraint for Fine-Grained Entity Typing
Published in International Joint Conference on Artificial Intelligence(IJCAI), 2021
Authors: Jinqing Li, Xiaojun Chen, Dakui Wang, Yuwei Li
KeyWords: Graph Nerual Network
Abstract: Fine-Grained Entity Typing (FGET) is a task that aims at classifying an entity mention into a wide range of entity label types. Recent researches improve the task performance by imposing the labelrelational inductive bias based on the hierarchy of labels or label co-occurrence graph. However, they usually overlook explicit interactions between instances and labels which may limit the capability of label representations. Therefore, we propose a novel method based on a two-phase graph network for the FGET task to enhance the label representations, via imposing the relational inductive biases of instance-to-label and label-to-label. In the phase I, instance features will be introduced into label representations to make the label representations more representative. In the phase II, interactions of labels will capture dependency relationships among them thus make label representations more smooth. During prediction, we introduce a pseudo-label generator for the construction of the two-phase graph. The input instances differ from batch to batch so that the label representations are dynamic. Experiments on three public datasets verify the effectiveness and stability of our proposed method and achieve stateof-the-art results on their testing sets.
Robust node embedding against graph structural perturbations
Published in Information Sciences, 2021
Authors: Zhendong Zhao, Xiaojun Chen, Dakui Wang, Yuexin Xuan, Gang Xiong
KeyWords: Graph Federated Learning, Adversarial Attacks
Abstract: Despite achieving superior performance for many graph-related tasks, recent works have shown that Graph Neural Networks (GNNs) are vulnerable to adversarial attacks on graph structures. In particular, by adding or removing a small number of carefully selected edges in a graph, an adversary can maliciously manipulate a GNNs-based classifier. The vulnerability to adversarial attacks poses numerous concerns for employing GNNs in real-world applications. Previously research aims to overcome the negative impact from adversarial edges with graph-based regularization of some heuristic properties. However, the real-world graph data is far more intricate, and these defense mechanisms do not fully utilize comprehensive semantic information of graph data. In this work, we present a novel defense method, Holistic Semantic Constraint Graph Neural Network (HSC-GNN), which approaches the joint modeling of the node features, labels, and the graph structure to mitigate the effects of malicious perturbations. Extensive experimental evaluation under various graph datasets demonstrates that our approach results in more robust node embedding and better performance than existing models.
Efficient Byzantine-Resilient Stochastic Gradient Descent
Published in International Workshop on Federated and Transfer Learning for Data Sparsity and Confidentiality in Conjunction with IJCAI(Workshop in IJCAI), 2021
Authors: Kaiyun Li, Xiaojun Chen, Ye Dong, Peng Zhang, Dakui Wang, and Shuai Zeng
KeyWords: Federated Learning, Byzantine Attacks
Abstract: Distributed Learning often suffers from Byzantine failures, and there have been a number of works studying the problem of distributed stochastic optimization under Byzantine failures, where only a portion of workers, instead of all the workers in a distributed learning system, compute stochastic gradients at each iteration. These methods, albeit workable under Byzantine failures, have the shortcomings of either a sub-optimal convergence rate or high computation cost. To this end, we propose a new Byzantine-resilient stochastic gradient descent algorithm (BrSGD for short) which is provably robust against Byzantine failures. BrSGD obtains the optimal statistical performance and efficient computation simultaneously. In particular, BrSGD can achieve an order-optimal statistical error rate for strongly convex loss functions. The computation complexity of BrSGD is O(md), where d is the model dimension and m is the number of machines. Experimental results show that BrSGD can obtain competitive results compared with non-Byzantine machines in terms of effectiveness and convergence.
DEFEAT: Deep Hidden Feature Backdoor Attacks by Imperceptible Perturbation and Latent Representation Constraints
Published in Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition(CVPR), 2022
Authors: Zhendong Zhao, Xiaojun Chen, Yuexin Xuan, Ye Dong, Dakui Wang, Kaitai Liang
KeyWords: Graph Federated Learning, Backdoor Attacks
Abstract: Backdoor attack is a type of serious security threat to deep learning models. An adversary can provide users with a model trained on poisoned data to manipulate prediction behavior in test stage using a backdoor. The backdoored models behave normally on clean images, yet can be activated and output incorrect prediction if the input is stamped with a specific trigger pattern. Most existing backdoor attacks focus on manually defining imperceptible triggers in input space without considering the abnormality of triggers’ latent representations in the poisoned model. These attacks are susceptible to backdoor detection algorithms and even visual inspection. In this paper, We propose a novel and stealthy backdoor attack-DEFEAT. It poisons the clean data using adaptive imperceptible perturbation and restricts latent representation during training process to strengthen our attack’s stealthiness and resistance to defense algorithms. We conduct extensive experiments on multiple image classifiers using real-world datasets to demonstrate that our attack can 1) hold against the state-of-the-art defenses, 2) deceive the victim model with high attack success without jeopardizing model utility, and 3) provide practical stealthiness on image data.
KAFNN: A Knowledge Augmentation Framework to Graph Neural Networks
Published in International Joint Conference on Neural Networks (IJCNN), 2022
Authors: Bisheng Tang, Xiaojun Chen, Dakui Wang, Zhendong Zhao
KeyWords: Graph Nerual Network
Abstract:The semi-supervised node classification task is a basic problem in graph neural networks(GNNs). GNNs have shown their superiority in graph datasets over traditional neural networks such as Multilayer Perceptron. However, due to the limitation of Weisfeiler-Lehman, the existing GNNs will discard some prior knowledge, which is hard to be coped with, such as Dropout skill, etc. In this paper, we proposed a framework called KAFNN to introduce knowledge discarded obliviously to enhance data representation. KAFNN, based on the Siamese network, introduces the framework of combining GNNs and deep neural networks(DNNs) to capture the data presentation as whole as possible, which will inject more knowledge into GNNs. Extensive experiments based on seven public datasets and seven GNN models have shown that KAFNN has promoted presentation of several state-of-the-art GNN models in a competitive.
PrUE: Distilling Knowledge from Sparse Teacher Networks
Published in Joint European Conference on Machine Learning and Knowledge Discovery in Databases(ECML PKDD), 2022
Authors: Shaopu Wang, Xiaojun Chen, Mengzhen Kou, Jinqiao Shi
KeyWords: Federeated Learning, Distilling Knowledge
Abstract: Although deep neural networks have enjoyed remarkable success across a wide variety of tasks, their ever-increasing size also imposes significant overhead on deployment. To compress these models, knowledge distillation was proposed to transfer knowledge from a cumbersome (teacher) network into a lightweight (student) network. However, guidance from a teacher does not always improve the generalization of students, especially when the size gap between student and teacher is large. Previous works argued that it was due to the high certainty of the teacher, resulting in harder labels that were difficult to fit. To soften these labels, we present a pruning method termed Prediction Uncertainty Enlargement (PrUE) to simplify the teacher. Specifically, our method aims to decrease the teacher’s certainty about data, thereby generating soft predictions for students. We empirically investigate the effectiveness of the proposed method with experiments on CIFAR-10/100, Tiny-ImageNet, and ImageNet. Results indicate that student networks trained with sparse teachers achieve better performance. Besides, our method allows researchers to distill knowledge from deeper networks to improve students further.
CLTS+: a new Chinese long text summarization dataset with abstractive summaries
Published in International Conference on Artificial Neural Networks(ICANN), 2022
Authors: Xiaojun Liu, Shunan Zang, Chuang Zhang, Xiaojun Chen, Yangyang Ding
KeyWords: Nature Language Processing,Text Summarization
Abstract:The abstractive methods lack of creative ability is particularly a problem in automatic text summarization. The summaries generated by models are mostly extracted from the source articles. One of the main causes for this problem is the lack of dataset with abstractiveness, especially for Chinese. In order to solve this problem, we paraphrase the reference summaries in CLTS, the Chinese Long Text Summarization dataset, correct errors of factual inconsistencies, and propose the first Chinese Long Text Summarization dataset with a high level of abstractiveness, CLTS+, which contains more than 180K article-summary pairs and is available online1 . Additionally, we introduce an intrinsic metric based on co-occurrence words to evaluate the dataset we constructed. We analyze the extraction strategies used in CLTS+ summaries against other datasets to quantify the abstractiveness and difficulty of our new data and train several baselines on CLTS+ to verify the utility of it for improving the creative ability of models.
Multi-initial-center federated learning with data distribution similarity-aware constraint
Published in International Conference on Algorithms and Architectures for Parallel Processing(ICA3PP), 2022
Authors: Xiaoying Li, Xiaojun Chen, Shaopu Wang, Yangyang Ding, Kaiyun Li
KeyWords: Federeated Learning, Non-IID
Abstract: Federated Learning (FL) has recently attracted high attention since it allows clients to collaboratively train a model while the training data remains local. However, due to the inherent heterogeneity of local data distributions, the trained model usually fails to perform well on each client. Clustered FL has emerged to tackle this issue by clustering clients with similar data distributions. However, these model-dependent clustering methods tend to perform poorly and be costly. In this work, we propose a distribution similarity-based clustered federated learning framework FedDSMIC, which clusters clients by detecting the client-level underlying data distribution based on the model’s memory of training data. Furthermore, we extend the assumption about data distribution to a more realistic cluster structure. The center models are learned as good initial points to obtain common data properties in the cluster. Each client in a cluster gets a more personalized model by performing one step of gradient descent from the initial point. The empirical evaluation on real-world datasets shows that FedDSMIC outperforms popular state-of-the-art federated learning algorithms while keeping the lowest communication overhead.
An Efficient Federated Convolutional Neural Network Scheme with Differential Privacy
Published in International Symposium on Emerging Information Security and Applications(EISA), 2022
Authors: Dayin Zhang, Xiaojun Chen & Jinqiao Shi
KeyWords: Federeated Learning, Differential Privacy
Abstract: Federated learning can complete the neural network model training without uploading users’ private data. However, the deep leakage from gradients (DLG) and the compensatory reconstruction attack (CRA) can reconstruct the training data according to the gradients uploaded by users. We propose an efficient federated convolutional neural network scheme with differential privacy to solve this problem. By adding Gaussian noise to the fully connected layers of the convolutional neural network, the attacker cannot identify the critical gradients that cause privacy leakage. The cumulative privacy loss is tracked using the analytical moments accountant technique. We conduct extensive experiments on the MNIST and CIFAR10 datasets to evaluate our defense algorithm. After selecting appropriate parameters, the results show that our defense algorithm can defend against DLG and CRA while maintaining a high model accuracy.
Improved Network Pruning via Similarity-Based Regularization
Published in Pacific Rim International Conference on Artificial Intelligence(PRICAI), 2022
Authors: Shaopu Wang, Xiaoying Li, Jiaxin Zhang, Xiaojun Chen & Jinqiao Shi
KeyWords: Model Compressing and Pruning
Abstract: Network pruning has been shown as an effective technique for compressing neural networks by removing weights directly. Although the pruned network consumes less training and inference costs, it tends to suffer from accuracy loss. Some recent works have proposed several norm-based regularization terms to improve the generalization ability of pruned networks. However, their penalty weights are usually set to a small value since improper regularization hurts performance, which limits their efficacy. In this work, we design a similarity-based regularization term named focus coefficient. Differing from previous regularization methods of directly pushing network weights towards zero, the focus coefficient encourages them to be statistically similar to zero. The loss produced by our method does not increase with the number of network parameters, which allows it easy to tune and compatible with large penalty weights. We empirically investigate the effectiveness of our proposed method with experiments on CIFAR-10/100, Tiny-ImageNet, and ImageNet. Results indicate that focus coefficient can improve model generalization performance and significantly reduce the accuracy loss encountered by ultra sparse networks.
Meteor: Improved Secure 3-Party Neural Network Inference with Reducing Online Communication Costs
Published in The 2023 ACM Web Conference(WWW), 2023
Authors: Ye Dong, Xiaojun Chen, Weizhan Jing, Kaiyun Li, Weiping Wang
KeyWords: Secure Multiparty Computation, Private Neural Network Inference
Abstract: Secure neural network inference has been a promising solution to private Deep-Learning-as-a-Service, which enables the service provider and user to execute neural network inference without revealing their private inputs. However, the expensive overhead of current schemes is still an obstacle when applied in real applications. In this work, we present \textsc{Meteor}, an online communication-efficient and fast secure 3-party computation neural network inference system aginst semi-honest adversary in honest-majority. The main contributions of \textsc{Meteor} are two-fold: \romannumeral1) We propose a new and improved 3-party secret sharing scheme stemming from the \textit{linearity} of replicated secret sharing, and design efficient protocols for the basic cryptographic primitives, including linear operations, multiplication, most significant bit extraction, and multiplexer. \romannumeral2) Furthermore, we build efficient and secure blocks for the widely used neural network operators such as Matrix Multiplication, ReLU, and Maxpool, along with exploiting several specific optimizations for better efficiency. Our total communication with the setup phase is a little larger than SecureNN (PoPETs’19) and \textsc{Falcon} (PoPETs’21), two state-of-the-art solutions, but the gap is not significant when the online phase must be optimized as a priority. Using \textsc{Meteor}, we perform extensive evaluations on various neural networks. Compared to SecureNN and \textsc{Falcon}, we reduce the online communication costs by up to $25.6\times$ and $1.5\times$, and improve the running-time by at most $9.8\times$ (resp. $8.1\times$) and $1.5\times$ (resp. $2.1\times$) in LAN (resp. WAN) for the online inference.
FLEXBNN: Fast Private Binary Neural Network Inference with Flexible Bit-Width
Published in IEEE Transactions on Information Forensics and Security(TIFS), 2023
Authors: Ye Dong, Xiaojun Chen, Xiangfu Song, Kaiyun Li
KeyWords: Secure Multiparty Computation, Private Binary Neural Network Inference
Abstract: Advancements in deep learning enable neural network (NN) inference to be a service, but service providers and clients want to keep their inputs secret for privacy protection. Private Inference is the task of evaluating NN without leaking private inputs. Existing secure multiparty computation (MPC)-based solutions mainly focus on fixed bit-width methodology, such as 32 and 64 bits. Binary Neural Network (BNN) is efficient when evaluated in MPC and has achieved reasonable accuracy for commonly used datasets, but prior private BNN inference solutions, which focus on Boolean Circuits , are still costly in communication and run-time. In this paper, we introduce FLEXBNN, a fast private BNN inference framework using three-party computation (3PC) in Arithmetic Circuits against semi-honest adversaries with honest-majority. In FLEXBNN, we propose to employ flexible and small bit-width equipped with a seamless bit-width conversion method and design several specific optimizations towards the basic operations: i) We propose bit-width determination methods for Matrix Multiplication and Sign-based Activation function. ii) We integrate Batch Normalization and Max-Pooling into the Sign-based Activation function for better efficiency. iii) More importantly, we achieve seamless bit-width conversion within the Sign-based Activation function with no additional cost. Extensive experiments illustrate that FLEXBNN outperforms state-of-the-art solutions in communication, run-time, and scalability. On average, FLEXBNN is 11× faster than XONN (USENIX Security’ 19) in LAN, 46× (resp. 9.3×) faster than QUOTIENT (ACM CCS’19) in LAN (resp. WAN), 10× faster than BANNERS (ACM IH&MMSec’21) in LAN, and 1.1-2.9× (resp. 1.5-2.7×) faster than FALCON (semi-honest, PoPETs’21) in LAN (resp. WAN), and improves the respective communication by 500×, 127×, and 1.3-1.5× compared to XONN, BANNERS, and FALCON.
Practical and General Backdoor Attacks against Vertical Federated Learning
Published in Joint European Conference on Machine Learning and Knowledge Discovery in Databases(ECML PKDD), 2023
Authors: Yuexin Xuan, Xiaojun Chen, Zhendong Zhao, Bisheng Tang, Ye Dong
KeyWords: Vertical Federated Learning, Backdoor Attacks
Abstract: Federated learning (FL), which aims to facilitate data collaboration across multiple organizations without exposing data privacy, encounters potential security risks. One serious threat is backdoor attacks, where an attacker injects a specific trigger into the training dataset to manipulate the model’s prediction. Most existing FL backdoor attacks are based on horizontal federated learning (HFL), where the data owned by different parties have the same features. However, compared to HFL, backdoor attacks on vertical federated learning (VFL), where each party only holds a disjoint subset of features and the labels are only owned by one party, are rarely studied. The main challenge of this attack is to allow an attacker without access to the data labels, to perform an effective attack. To this end, we propose BadVFL, a novel and practical approach to inject backdoor triggers into victim models without label information. BadVFL mainly consists of two key steps. First, to address the challenge of attackers having no knowledge of labels, we introduce a SDD module that can trace data categories based on gradients. Second, we propose a SDP module that can improve the attack’s effectiveness by enhancing the decision dependency between the trigger and attack target. Extensive experiments show that BadVFL supports diverse datasets and models, and achieves over 93% attack success rate with only 1% poisoning rate.
Generalized heterophily graph data augmentation for node classification
Published in Neural Networks, 2023
Authors: Bisheng Tang, Xiaojun Chen, Shaopu Wang, Yuexin Xuan, Zhendong Zhao
KeyWords: Graph Neural Network
Abstract: Graph data augmentations have demonstrated remarkable performance on homophilic graph neural networks (GNNs). Nevertheless, when transferred to a heterophilic graph, these augmentations are less effective for GNN models and lead to reduced performance. To address this issue, we propose a unified augmentation approach called GePHo, a regularization technique for heterophilic graph neural networks based on self-supervised learning, leveraging graph data augmentation to acquire extra information to guide model learning. Specifically, we propose to generate a pseudo-homophily graph that is type-agnostic, enabling us to apply GePHo to both homophilic and heterophilic graphs. Then, we regularize the neighbors with a sharpening technique for data augmentation and generate the auxiliary pseudo-labels to classify the original GNN’s output, whose operations are to constrain the local and global…
Comet: Communication-Efficient Batch Secure Three-Party Neural Network Inference with Client-Aiding
Published in International Conference on Communications (ICC), 2024
Authors: Tingyu Fan, Xiaojun Chen, Ye Dong, Xudong Chen, and Weizhan Jing
KeyWords: Secure Multiparty Computation, Secure Model Inference
Abstract: Secure neural network inference enables server (model provider) and client to perform neural network inference without leaking their private inputs. Existing SOTA three-party computation (3PC) inference works emerge challenges on two fronts: i) GPU-accelerated CryptGPU (S&P’21) and P-FALCON (USENIX Security’22) face challenges related to high communication overhead. ii) communication-efficient Meteor(www’23) raises more computation burden and GPU memory usage. These challenges result in lower efficiency when handling large-scale batch inference requests on resource-constrained devices. In this work, we propose Comet,a communication-efficient batch secure three-party inference framework with client-aiding, which achieves semi-honest security in honest majority without collusion between the client and the servers. First, we propose client-aided sharing semantics, which leverages client-generated random values to enhance online communication efficiency. We also design efficient 3PC protocols for neural network operators based on GPU, improving the computational efficiency of both linear and nonlinear layers. Furthermore, we address the tradeoff between communication cost and GPU memory utilization, surpassing SOTA by 1.3-1.9× in communication, 1.5-3.8× in runtime on large-scale batch inference tasks.
Roger: A Round Optimized GPU-Friendly Secure Inference Framework
Published in International Conference on Communications (ICC), 2024
Authors: Xudong Chen, Xiaojun Chen, Ye Dong, Weizhan Jing, Tingyu Fan, and Qinghui Zhang
KeyWords: Secure Multiparty Computation, Secure Model Inference
Abstract: Secure neural network inference provides a promising solution to preserve the privacy of Deep Learning as a Service (DLaaS), but its substantial communication and computation overhead remain challenging. Recent works such as GForce [1] and Piranha [2] have introduced GPU-friendly secure inference protocols with improved computation efficiency, yet these approaches are either limited to supporting specialized-trained networks or expensive in communication. As a consequence, there remain potential improvements in functionalities and communication efficiency. To address the above challenges, we introduce Roger, a two-party secure inference framework with semi-honest security, designed to support general neural network inference with a reduced number of round complexity. Drawing inspiration from ABY2.0 [3], we propose the Partial-Fix technology, which fixes the share of one participant during the offline phase to improve its computation efficiency. Then, an online communication-free protocol for secure linear layer computation and a constant-round secure comparison protocol are proposed upon Partial-Fix. Implemented on top of Piranha, the experiments demonstrate that for the CIFAR10 dataset, a single inference on VGG16 requires only 0.40 seconds. In comparison to GForce (resp. Piranha), Roger at least achieves 1.20× (resp. 1.94×) improvement in LAN setting in terms of throughput.
DualCOS: Query-Efficient Data-Free Model Stealing with Dual Clone Networks and Optimal Samples (ACCEPTED)
Published in IEEE Conference on Multimedia Expo 2024(ICME), 2024
Authors: Yunfei Yang, Xiaojun Chen etc…
KeyWords: Model Stealing and Defending
Abstract: Although data-free model stealing attacks are free from reliance on real data, they suffer from limitations, including low accuracy and high query budgets, which restrict their practical feasibility. In this paper, we propose a novel data-free model stealing framework called DualCOS, which adopts a dual clone model architecture and incorporates efficient data generation and sampling strategies. Initially, we use a dual clone model to address the challenge of querying victim model during generator training. Moreover, to optimize the usage of query budgets, we design three innovative modules: diversified sample generation, optimal sample selection, and sample potential mining. Through extensive evaluations, we demonstrate the superiority of our proposed method in terms of accuracy and query efficiency, particularly in scenarios involving hard labels and multiple classes.
STMS: An Out-Of-Distribution Model Stealing Method Based on Causality (ACCEPTED)
Published in International Joint Conference on Neural Networks (IJCNN), 2024
Authors: Yunfei Yang, Xiaojun Chen etc…
KeyWords: Model Stealing and Defending
Abstract: Machine learning, particularly deep learning, is extensively applied in various real-life scenarios. However, recent research has high lighted the severe infringement of privacy and intellectual property caused by model stealing attacks. Therefore, more researchers are dedicated to studying the principles and methods of such attacks to promote the security development of artificial intelligence. However, most of the existing attack methods rely heavily on prior information of the attacked models and consider ideal conditions. In order to better understand and defend against model stealing in real-world scenarios, we propose a novel model stealing attack method, named STMS, based on causal inference learning. For the first time, we introduce the problem of out-of-distribution generalization into the model stealing domain. The proposed approach operates under more challenging conditions, where the training and testing data of the target model are unknown, its internal information (structure, parameters, and gradients) is inaccessible, only hard labels of the output results are available, and there is a distribution shift during the testing phase. STMS achieves comparable or even better stealing and generalization performance than current mainstream works on multiple datasets and tasks. Moreover, this universal framework can be applied to improve the effectiveness of other model stealing methods and can be migrated to other areas of machine learning.
CipherDM: Secure Three-Party Inference for Diffusion Model Sampling (ACCEPTED)
Published in European Conference on Computer Vision 2024, 2024
Authors: Xin Zhao, Xiaojun Chen, Xudong Chen, He Li, Tingyu Fan, Zhendong Zhao
KeyWords: Privacy Preserving Machine Learning
Abstract: Abstract. Diffusion Models (DMs) achieve state-of-the-art synthesis results in image generation and have been applied to various fields. However, DMs sometimes seriously violate user privacy during usage, making the protection of privacy an urgent issue. Using traditional privacy computing schemes like Secure Multi-Party Computation (MPC) directly in DMs faces significant computation and communication challenges. To address these issues, we propose CipherDM, the first novel, versatile and universal framework applying MPC technology to DMs for secure sampling, which can be widely implemented on multiple DM based tasks. We thoroughly analyze sampling latency breakdown, find time-consuming part and design corresponding secure MPC protocols for computing nonlinear activations including SoftMax, SiLU and Mish. CipherDM is evaluated on popular architectures (DDPM, DDIM) using MNIST dataset and on SD deployed by diffusers. Compared to direct implementation on SPU, our approach improves running time by approximately 1.084× ∼ 2.328×, and reduces communication costs by approximately 1.212× ∼ 1.791×.
Effective Multiple Private Set Intersection (ACCEPTED)
Published in EAI SecureComm 2024, 2024
Authors: Qiang Liu, Xiaojun Chen, Weizhan Jing
KeyWords: Secure Multiparty Computation, Private Set Intersection
Abstract: to be added
OCE-PTree: An Online Communication Efficient Privacy–preserving Decision Tree Evaluation (ACCEPTED)
Published in EAI SecureComm 2024, 2024
Authors: Xiaojun Chen, Weizhan Jing etc.
KeyWords: Secure Multiparty Computation, Secure Model Inference
Abstract: Privacy-preserving Decision Tree Evaluation (PDTE) is a promising solution to private Machine-Learning-as-a-Service, which allows clients to classify their data using a tree model from model owners and only reveals the inference result to clients. However, the expensive overhead of current schemes is still an obstacle in practical applications.
In this work, we present OCE-PTree, an online communication efficient privacy-preserving decision tree evaluation protocol with semi-honest security. OCE-PTree’s main contributions are two-fold: i) We use vector inner product, combined with additive secret sharing and mask secret sharing, to achieve efficient feature selection. ii) We propose a path evaluation protocol based on One-Time Truth Table (OTTT) for reducing communication costs in the online phase.
Experimental results on various decision trees and datasets demonstrate that our online communication costs is less than the work of Ma $\textit{et al.}$ (NDSS’21) and Mostree (ACSAC’23), two state-of-the-art solutions. To be more specific, we reduce the online communication by upto 7-12$\times$, and improve the online running-time by at most 2.3$\times$, 1.5$\times$ and 1.3$\times$ in LAN, MAN and WAN compared to the work of Ma $\textit{et al.}$. In addition, we reduce the online communication by upto 1.7$\times$, and improve the online running-time by at most 25$\times$ in LAN, MAN and WAN compared to Mostree.
Graph Federated Learning with Center Moment Constraints for Node Classification (ACCEPTED)
Published in The 53rd International Conference on Parallel Processing(ICPP), 2024
Authors: Bisheng Tang, Xiaojun Chen, Shaopu Wang, Yuexin Xuan, Zhendong Zhao
KeyWords: Graph Federeated Learning
Abstract: Centralized learning graph-structured data representation commonly exists in various institutions, while it is challenging to learn other institutions’ graph-structured data representations without data leakage. Federated learning (FL) is proposed to federally learn a global model while keeping data privacy and security. However, FL is notorious for the non-i.i.d data. The existing works aim to form an undivided graph by linking all party subgraphs while neglecting the local non-i.i.d feature in the training phase. To this end, we propose a novel graph FL framework called FedOMD to leverage global independent and identically distributed (i.i.d) hidden feature representation to guide the local graph model training. Specifically, We first model each local feature as a Gaussian distribution to decrease the representation discrepancy in different parties and then calculate a global Gaussian distribution in the server. Finally, we use central moment discrepancy to minimize the distance between the party local and the server global distribution. With such distribution constraints, all parties can train the graph model in a unified feature space. Our extensive experiments on five datasets have manifested the competitive effectiveness of FedOMD over the seven mentioned FL models. The relevant ablation and sensitivity analysis also verify the effectiveness of FedOMD.
talks
Talk 1 on Relevant Topic in Your Field
Published:
This is a description of your talk, which is a markdown files that can be all markdown-ified like any other post. Yay markdown!
Tutorial 1 on Relevant Topic in Your Field
Published:
This is a description of your tutorial, note the different field in type. This is a markdown files that can be all markdown-ified like any other post. Yay markdown!
Talk 2 on Relevant Topic in Your Field
Published:
This is a description of your talk, which is a markdown files that can be all markdown-ified like any other post. Yay markdown!
Conference Proceeding talk 3 on Relevant Topic in Your Field
Published:
This is a description of your conference proceedings talk, note the different field in type. You can put anything in this field.
teaching
2024-Spring-Big Data Privay Perserving(大数据隐私保护)
专业研讨课, School of Cyber Security, University of Chinese Academy of Sciences, 2023
课程简介:
《大数据安全隐私保护》是为网络空间安全等相关专业研究生开设的专业研讨课,课程通过讲述在大数据时代面临的隐私安全问题,及安全多方计算,联邦学习等基础理论,挑选科研前沿的论文,以研讨班形式组织报告和讨论。
授课对象:研究生
授课时间:20课时
课程大纲:
第一讲:大数据隐私保护概述
第二讲:安全多方计算简介与安全性
第三讲:联邦学习与安全攻击
Seminar-MPC-1:高效安全多方计算协议
Seminar-MPC-2:隐私保护机器学习
Seminar-FL-1:非独立同分布下的联邦学习
Seminar-FL-2:联邦学习中的安全攻击与防御
2024-Spring-Big Data Privay Perserving(大数据隐私保护)
专业课, School of Cyber Security, University of Chinese Academy of Sciences, 2024
课程简介: 《大数据隐私保护》是为网络空间安全等相关专业研究生开设的专业课,课程重点讲述在大数据时代面临的隐私安全问题,讲述安全多方计算,联邦学习等基础理论知识及相关应用。
授课对象:研究生
授课时间:40课时
课程大纲:
第一讲:大数据隐私保护概述
第二讲:安全多方计算简介与安全性
第三讲:安全多方计算-基础-Oblivious Transfer
第四讲:安全多方计算-基础-Garbled Circuit
第五讲:安全多方计算-基础-Secret Sharing
第六讲:安全多方计算-进阶-Vector Oblivious Linear Evaluation
第七讲:安全多方计算-进阶-Comparison Protocol
第八讲:安全多方计算-进阶-Malicious MPC
第九讲:安全多方计算-应用-Private Set Intersection
第十讲:安全多方计算-应用-Privacy Preserving Machine Learning
第十一讲:联邦学习-基础-NonIID
第十二讲:联邦学习-Secure Aggregation
第十三讲:联邦学习-Backdoor Attacks and Defending
第十四讲:联邦学习-Model Stealing Attacks and Defending