Hierarchical federated learning with global differential privacy

1.   Introduction

With the rapid development of mobile devices and Internet-of-Things (IoT), it is expected that everything will be connected closely^[1,2]. To apply artificial intelligence (AI) technology to different scenes, we prefer to choose distributed machine learning (ML) to process tasks in cooperation with each other^[3]. Though practical and pragmatic as it is, it suffers many reliability and security risks in a real distributed environment^[4,5]. When training the models cooperatively, the privacy of clients' sensitive datasets becomes a great concern. Hence, federated learning, in which datasets are processed only on the client side, has been proposed^[6,7]. FL aims to fit a common model by an empirical risk minimization (ERM) objective. Nevertheless, FL still poses many worrying crises on information leakage, communication efficiency and device diversity^{[8,9,10,11,12]}.

As a commonly used architecture, client-server FL also suffers from stability problems, especially in poor network ^[13]. To address these problems, the more efficient and stable architecture client-edge-cloud hierarchical FL has been proposed^[14]. The HFL allows multiple edge servers to perform partial model aggregation. In this way, the model can be trained faster, and better communication-computation trade-offs can be achieved. Edge servers are designed to aggregate the clients' model parameters. Hence, edge servers are capable of reducing the computing burden, message delay and communication burden of cloud servers^[15].

FL usually adopts stochastic gradient descent (SGD) in the training process. Based on distributed SGD with a one-step local update, ^[16,17] have analyzed the convergence performance of federated learning. Federated proximal (FedProx) ^[18], taking advantage of regularization on a local loss function, improves the convergence performance and system stability.

With FL becoming more and more attractive, data security and confidentiality also raise great concerns. FL seems to protect clients' individual data by exchanging parameters instead of sensitive information. However, there exist many malicious adversaries that are capable of stealing some secret information^[19]. The most useful way to prevent information exposure is to apply differential privacy by adding noises in trained parameters ^[20]. As to the research about DP in FL, there are mainly three aspects: client-level, sample-level and LDP-FL ^{[21,22,23,24,25,26]}.

Though there are various designs above, the global differential privacy on three-layer hierarchical federated learning is still unexplored. As to two-layer HFL-DP^[27], the authors proposed a privacy-preserving scheme based on the theory of local differential privacy, with addition of noise to the shared model parameters before uploading them to edge and cloud servers. However, they did not control the amount of Gaussian noise in the architecture. So, if we want to expand our layer architecture, we may add so much noise to damage the utility, even leading to a tough convergence. Our design solves this problem.

To design a practical and efficient algorithm to reach the balance between privacy of the sensitive data and the quality of a trained model, in this paper, we propose our novel framework based on a DP mechanism. The key value of our design is to realize the global privacy budget in the whole architecture. At each time, we control the overall amount of noise we add instead of letting it increase blindly. Consequently, the model accuracy can be adjusted due to the trade-off between model accuracy and privacy cost. From our perspective, there are few papers about the research of global privacy in hierarchical federated learning. We conduct extensive tests based on real-world datasets to validate the performance of our algorithm. Evaluations show that theoretical results and test results are consistent. To summarize, we propose a novel scheme that satisfied the requirement of DP with global data under a certain noises perturbation level by adding proper Gaussian noise and exploring the trade-off between privacy parameters and model utility to comprehend the relation between privacy level and model quality. By doing so, sensitive user data can be protected even if there exist many adversaries from inner and outer cyberspace.

2.   Related work

2.1.   Client-level

In client-level, in order to protect the clients' information, we treat the clients' model as a piece of data. In ^[21] DP-FedAvg and DP-FedSGD were proposed. The sampling is to sample the client, and the noises are added at the center. Sensitivity is calculated based on the sampling rate, with average weights for each client. McMahan et al. suggest that with a huge number of users engaging in, realizing differential privacy costs more computation instead of decreasing utility. By their experiment, the LSTM language models can be similar to un-noised models from quantitative and qualitative aspects when using large datasets. They consider the effect of large step updates on the model. In ^[22] the model uploaded by the client is clipped at the center so that an adaptive clipping operation can be performed (such as taking the median value of the norm of each client model as the clipping norm). The key point is concealing the contribution of individual clients in the training process. It was shown that when the client's participation is hidden, the model obtained by federated learning still has a good performance. Then we can conclude that when enough clients are participating in the learning, the model can achieve high accuracy. In ^[23] the uplink privacy protection is carried out first, and then the downlink noises are added based on the uplink noises addition, and the convergence analysis is given. A theoretical convergence limit is specified for the loss function of the trained FL model. Based on this, we can know that the better the convergence performance is the lower the protection level. Vice, given a fixed privacy protection level, increasing the overall number N of clients participating in FL can improve the convergence performance of the final model; and under a given privacy protection level, there is an optimal maximum number of aggregations T in terms of convergence performance.

2.2.   Sample-level

In sample-level, we protect the sensitive information of the samples under the client. Each sample under the client is regarded as a piece of data, and the federation center is regarded as an opponent. In ^[24] integrates the DPAGD-CNN algorithm into federated machine learning. DPAGD-CNN is an adaptive allocation algorithm for differential privacy budget under centralized machine learning. Considering the difference in user data, the model gets accurate when adjusting differential privacy. In ^[25] sampling on the client instead of the data in the client side, but also applies the privacy measurement method of MA and then adds a method based on the privacy budget to adapt the optimal number of iterations, which is actually a novel form of self-adaptation privacy budget allocation. Wei et al. made an exact relation between communication round T and privacy level.

2.3.   LDP-FL

In LDP-FL, a client has only one sample datum, and if there are multiple sample data, multiple gradients will be trained and uploaded to the federation center. In ^[26] the CLDP-SGD algorithm was proposed, which first samples the clients, then samples again under the clients and finally shuffles the gradients of different clients. There are multiple sample gradients, and the clients will pass multiple gradients to the center. Noises are added locally based on coded perturbation.

2.4.   HFL-DP

In federated learning, each participant can build the model without disclosing the underlying data and only shares the weight update and gradient information of the model with the server. In order to ensure the security of federated learning, noise is added to the model update to obscure the contribution of the client. In ^[28], they suggest a novel DP aggregation scheme to the improve update strategy. Meanwhile, they adopt the f-differential privacy to analyze the privacy loss so that the loss will be calculated more accurately at every round. In ^[27], they suggest a design on local differential privacy. They analyze the privacy loss by the moment accounting, so their design can get a tight privacy guarantee. By adding the noise to the shared model parameters before uploading them to edge and cloud servers, they realize the strict differential privacy guarantee for the layers of clients and edge servers.

3.   Preliminaries

In this section, we present the HFL framework and the thread model on which our paper based and the related knowledge about DP.

3.1.   Hierarchical federated learning

Let us consider a general HFL system consisting of three different parts in three logistic layers, as shown in Figure 1. The clients connected to edge servers are various computers and mobile devices. They are to train a local model from their individual data, and then send local updates to edge server. Edge servers and cloud servers are responsible to aggregate and transmit back the aggregation to corresponding clients.

3.2.   Threat model

To further improve security in our system, we consider clients, edge servers, and the cloud server to be all semi-honest, which means they will strictly follow the HFL framework but may infer privacy. Also, there may be external attackers trying to usurp clients' privacy. They are capable of inverting the broadcast models from the servers in order to seize the private individual data, as explained in ^[29].

Factually, download channels suffer more security risks than upload channels. That is because clients upload their model updates through direct and ephemeral upload channels while download channels are broadcasting and lasting. We consider at most $t_1$ exposures of uploaded updates from each client to their edge server. Due to the broadcast effect, we assume that aggregated parameters will be exposed in the downlink channel for every communication. Therefore, we assume $t_2$ exposures from each edge server to clients. Moreover, the value of $t_2$ satisfies the condition that $t|k_1 \land t \nmid k_1k_2$. Similarly, we assume there are $t_4$ exposures from each edge server to the cloud server and $t_5$ exposures from the cloud server to edge servers. The value of $t_5$ also satisfies the condition that $t \mid k_1k_2$. To be more specific, we assume that there are $t_3$ exposures in $t_1$ for cloud aggregation, and $t_1-t_3$ exposures are counted as $t_1$ only for edge aggregation.

3.3.   Differential privacy

In our hierarchical architecture, we apply a DP mechanism with parameters $\epsilon$ and $\delta$ to provide strong privacy preservation. $\epsilon > 0$ represents the distinguishable bound of all outputs on neighboring datasets in a database, and $\delta$ is the probability of the event that the ratio of the probabilities for two adjacent datasets cannot be bounded by $e^{\epsilon}$ after the mechanism. Therefore, a larger $\epsilon$ entails a higher risk of privacy leakage for a clearer distinguishability of two neighboring datasets^[30]. Now, we will formally define DP as follows.

Definition 1. (($\epsilon$, $\delta$)-Differential privacy): A randomized mechanism $\mathcal{M}$ satisfies ($\epsilon$, $\delta$)-DP if for $\mathcal{X}$ $\to$ $\mathcal{R}$ with domain $\mathcal{X}$ and range $\mathcal{R}$, and all result set $\mathcal{S}$ $\subseteq$ $\mathcal{R}$, there can be any neighboring datasets $\mathcal{D}_i$, $\mathcal{D}'_i \in \mathcal{X}$ which only differ by one sample, and then we have

In this paper, we use a Gaussian mechanism which adopts $L_2$ norm sensitivity. To protect the function output $s(x)$, it needs to add zero-mean Gaussian noises with variance $\sigma^2$I in each coordinate.

where I is an identity matrix, and $s()$ is a real-valued function.

To achieve ($\epsilon$, $\delta$)-DP, the noise scale $\sigma \ge c\Delta s/ \epsilon$, and the constant $c \ge \sqrt{2ln(1.25/\delta)}$ for $\epsilon \in (0, 1)$. $\Delta s$ is the sensitivity of function $s(x)$, which can be computed easily by $\Delta s = max_{\mathcal{D}_i, \mathcal{D}'_i} ||s(\mathcal{D}_i)-s(\mathcal{D}'_i)||$. Seeing the definitions above, we ought to choose a proper value of $\sigma$ to satisfy ($\epsilon$, $\delta$)-DP.

4.   Hierarchical federated learning with differential privacy

4.1.   Global differential privacy

To protect the parameter in upload and download channels, we design a global ($\epsilon$, $\delta$)-DP. First, we elaborate our design from the clients' upload parameters to the edge server. In every iteration, we consider the batch size in a local training process to be equal to the number of training data, and then we can give the definition of the $i$-th client in a local training process

where $\mathcal{D}_i$ is the dataset of $i$-th clients, and $\mathcal{D}_{i, j}$ is the $j$-th sample in $\mathcal{D}_i$. Hence, we can define the sensitivity of $s_U^{\mathcal{D}_i}$

where $C$ is a clipping bound for $w_i$, and $\mathcal{D}_i$ and $\mathcal{D'}_i$ are neighboring datasets. Generally, we define the global sensitivity in the upload channel as

When clients take advantage of all the training datasets, it comes out to be a small global sensitivity. Hence, we set the number of local datasets ${\mathcal{D}_i}$ to be minimum by $m$. Due to exposure in the upload channel, we define the Gaussian noises ${\sigma}_U = c\Delta s_U / \epsilon$. After $t_1$ and $t_3$ exposures, the noises increase to ${\sigma}_{U_1} = ct_1\Delta s_U / \epsilon$ and ${\sigma}_{U_2} = ct_3\Delta s_U / \epsilon$ due to the linear relation of $\epsilon$ and $\sigma_U$. Similarly, $\sigma_E = ct_4\Delta s_E / \epsilon$ in the process from edge server to cloud server.

Then, we consider edge servers that upload parameters to the cloud server. The aggregation weight can be expressed as

where $n$ means the number of edge servers connecting, and $w$ represents the result of aggregation. Thus, the sensitivity of edge server's aggregation $\Delta s_{E}^{\mathcal{D}_i}$ can be expressed as

We have

and

Therefore, the sensitivity can be expressed as

To meet the demand of small global sensitivity in the channel, the sensitivity $\Delta s_{E}$ can be given as

where $m$ is the size of datasets in a client. To reach the proper sensitivity $\Delta s_E$, we set all $p_i = \frac{1}{n}$. Similarly, we can define the sensitivity in cloud server as $\Delta s_C = \max\{\frac{2Cp_iq_i}{m}\}$, where $p_i$ is the ratio of selecting client and $q_i$ is the ratio of selecting edge server. We ought to add enough Gaussian noises in upload channel and then consider whether or not to add noises in download channel to satisfy the global ($\epsilon, \delta$)-DP.

4.2.   HFL-DP

In our hierarchical system, we realize a secure and efficient model by global ($\epsilon$, $\delta$)-DP in Algorithm 1. We define the initial global parameter $w^{(0)}$ and introduce the proximal term $\mu$ to improve the stability of the overall framework. The essence of this correction term is to increase the difference between the parameters in the local model and the parameters in the global model.

Theorem 1. (DP guarantee for downlink channels): To ensure ($\epsilon$, $\delta$)-DP in the downlink channels with aggregations, the standard deviation of Gaussian noises $n_E$ and $n_C$ can be defined as

Proof. First, we start from proof of the value of $n_E$. According to the definition of global ($\epsilon$, $\delta$)-DP in the uplink channels, the additive noises of clients can be given as $\sigma_U = c*t_1\Delta s_U/\epsilon_1$, for the linear relation between $\epsilon_1$ and $\sigma_U$ with Gaussian mechanism. Here, we assume the noises added in clients obey the same distribution $n \sim \phi(n)$ due to the property of global ($\epsilon$, $\delta$)-DP. Then, the aggregation in an edge server with additive noises can be given as

Hence, the distribution of $\sum\limits_{i = 1}^n p_in_i$ can be given as

where $\bigotimes$ is a convolutional operation, and $p_in_i\sim \phi_i(n)$. If we set $n_i$ with clients' noise scale $\sigma_U$ by Gaussian mechanism, then $\sum\limits_{i = 1}^n p_in_i$ is a Gaussian distribution. According to the definition of $\Delta s_E$, $p_i = \frac{1}{n}$ will lead to a small sensitivity. To make it a global ($\epsilon$, $\delta$)-DP in download channels, we assume the value of noise scale to be $\sigma_A = ct_2\Delta s_E/\epsilon_1$. Therefore, the additive noises at edge server can be expressed as

Hence, the value of $n_E$ has been proved.

Then, we consider the value of $n_C$. In the uplink channels, we set the standard deviation of additive noise in clients and edge servers to be $\sigma_U = ct_3\Delta s_U/\epsilon_2$ and $\sigma_E = ct_4\Delta s_E/\epsilon_2$. To ensure the global ($\epsilon$, $\delta$)-DP, the noises vectors in each client obey the same distribution $n \sim \phi(n)$, and the noises in each edge server obey the same distribution $N \sim \phi(N)$. We can get the aggregation at cloud server with artificial noises from clients and edge server as

We know the distributions of $q_jp_in_i$ and $q_jN_j$ are Gaussian distributions. Moreover, we set the standard deviation of noises $\sigma_A = ct_5\Delta s_C/\epsilon_2$.Therefore, the additive noises at cloud server can be expressed as

Hence, the value of $n_C$ has been proved.

At the beginning of this algorithm, the edge servers and cloud server broadcast their own privacy guarantees, and the cloud server sends the initial global parameter to all clients. In every local update, the client trains the model parameters by using its own local datasets. After the local training of each client, the local parameter will be clipped by the threshold $C$, and then Gaussian noise are added to the parameter $w_i$ of each client $i$. The amount of noises depends on the parameter $\sigma_U$, which is calculated above. Upon receiving all its clients' local parameters, the edge server calculates the aggregated model parameter by weighted average.

After aggregating the model parameters, the edge server chooses to broadcast the aggregation to the selected client or to upload it towards the cloud server. In the case of the aggregation, the aggregated parameters need to be broadcast to clients, and it should add the noises $n_E$ to aggregation according to Theorem 1. In another case, the aggregation parameter which will be sent to the cloud server in edge also needs protection by adding noises according to the value of $\sigma_E$.

The cloud server aggregates the model received from all edge servers if iteration $t$ meets the preset condition. After the aggregation in the cloud server, the model parameters will have noises added according to the value of $n_C$. Here, we need to pay attention to the privacy protection performance of our algorithm. First, any malicious adversary cannot get reach to individual training datasets. Due to the local perturbations, it is very tough to infer any valid information from the uploaded parameters. Similarly, an adversary may reveal sensitive information from parameters in a download channel. Hence, when broadcasting the aggregated model parameters to clients, additive noises may be added to parameters based on the theorem above.

5.   Evaluation

In this part, we evaluate the proposed HFL-DP in Python 3.7 and PyTorch 1.12.1 with real-world datasets. To analyze the performance of our algorithm, we conduct the experiment by varying the protection levels $\epsilon$, the number of clients $n$, the number of Edge servers $N$, the value of clipping bound $C$.

We train our convolutional neural network (CNN) on the standard MNIST dataset for handwritten digit classification datasets and the CIFAR-10 dataset for ten class images with Python. MNIST dataset is composed of 60,000 training examples and 10,000 testing examples. Each example is a 28 $\times$ 28 grey-level image of handwritten digits. The CIFAR-10 dataset is composed of 32 $\times$ 32 color images in ten different classes. There are 60,000 examples for each class, with 40,000 examples for training, 10,000 for testing and 10,000 for validation.

In our neural network, we use two convolutional layers with ReLu units and softmax. We also use the cross-entropy function as a criterion. We assume the data we use are IID. In our experiment, the relevant parameters of the same layer are consistent, and we assume the communication channels among different layers are unimpeded.

5.1.   Performance loss with protection

To show the influence of privacy preservation, we compare the proposed algorithm with non-private HierFAVG^[14] on MNIST. We set $n = 50$, $N = 5$, $C = 15$, $\epsilon_1 = 20$ and $\epsilon_2 = 25$. Figures 2 and 3 indicate that privacy preservation costs a bit of accuracy. We can get that the non privacy-preserving trained model is better than the privacy-preserving trained model due to the unfavorable influence of Gaussian noise. Also, HFL converges faster than HFL-DP. However, the loss of accuracy is decreasing with the iteration round proceeding on. Though there may be $5$ and $11\%$ losses in the final model, it costs not much.

5.2.   Performance evaluation on protection levels

In Figure 4, we set different values of protection levels $\epsilon = 10$, $\epsilon = 20$ and $\epsilon = 50$, both for $\epsilon_1$ and $\epsilon_2$. In our experiment, we choose $n = 50$, $N = 5$, $T = 50$, $k_1 = 2$ and $k_2 = 2$ and then we can get model accuracy of the aggregation rounds. As shown in Figure 4, the accuracy of the model increases if we relax the privacy guarantees. That is because $\epsilon$ represents the distinguishable bound of all outputs on neighboring datasets in a database. A larger $\epsilon$ entails a higher risk of privacy leakage for a clearer distinguishability of two neighboring datasets. However, as we continue to increase the value of $\epsilon$, the accuracy does not increase much. So, a better choice of $\epsilon$ will balance the safety and utility. For example, when the value of $\epsilon$ gets bigger than 20, it will not entail a better model accuracy. We can set 20 as a preferable value in this case.

5.3.   Performance evaluation on number of clients and edge servers

In this experiment, we set the protection parameter $\epsilon = 20$ and four groups of different numbers of clients and servers. We choose n = 50, N = 5, T = 50, $k_1$ = 2 and $k_2$ = 2. Figure 5 shows that when the scale of communication system becomes larger, it needs more noise to realize security. So, a larger communication system may entail more performance loss. In our algorithm, we try to control the amount of noise by Eqs (4.10) and (4.11) instead of adding Gaussian noise blindly. So, it may not decrease the accuracy greatly. For example, when $n = 100$ and $N = 20$, it gets the result of 82%. Under the same condition, when $n = 10$ and $N = 5$, it gets the result of 91%. Moreover, we can also know that a more practical model can be trained by fewer participants while preserving sensitive information. A safe system that contains many users remains to be researched.

5.4.   Performance evaluation on clipping bound

We choose various clipping bounds $C = 5$, $C = 10$ and $C = 15$. In our experiment, we set $\epsilon = 20$, $n = 50$ and $N = 5$. Figure 6 indicates that once the value of the clipping bound is large enough, the model accuracy will not increase anymore. First, the gradient is clipped, so that the gradient of all samples is less than clipping bound $C$. Then, a sufficiently large Gaussian noise is added to the clipped gradient to achieve differential privacy. The clipping bound $C$ is equivalent to the concept of sensitivity mentioned before, i.e., the maximum impact that each sample can cause will not exceed $C$. When a large enough noise positively correlated with $C$ is added to the gradient, the sample can be hidden to meet the requirements of differential privacy.

6.   Result comparison

To further summarize the results of the existing methodological analysis of HFL-DP, the results of the analysis in this paper were compared with the existing literature. The results of the analysis of the different HFL-DP schemes are shown in the Table 3. In ^[28], the authors researched differential privacy on Server-Client architecture. They used f-DP for training tracking in order to get a tighter definition of privacy. This can make it more communication rounds than using a moment accountant. Meanwhile, they implemented a trick on the clipping method to let the model curve better. In their experiment, the final model accuracy of 25 rounds was 91%. In ^[27], the authors calculated the noises to realize ($\epsilon_i^l$, $\delta_i^l$)-DP for client and ($\epsilon^l$, $\delta^l$)-DP for edge. The final model accuracy was 90%. This idea effectively realized privacy leakage from the upload aspect.

In ^[28], the research is designed for Server-Client architecture from client level. The authors do not consider the three-layer HFL yet. In ^[27], though it gets a better result seemingly, it ignores the privacy leakage in the download channel. If we add directly adequate noises in download channel as the author mentions in ^[27], it will entail a negative effect of noise accumulation in the hierarchical system on the model utility. Because of the hierarchical structure, we may add noises on the edge side and cloud side in the download channel. Although the amount of noise on each side is different, it still makes a bad influence after several transmissions. Therefore, our design aims to control the amount of noise from the whole system as articulated in Algorithm 1. The additive noises in every download channel can be calculated by (4.13) and (4.15).

In summary, a better model utility can be obtained in a three-layer HFL-DP by studying the overall privacy loss and then controlling the amount of noise added each time.

7.   Conclusions

In this paper, we proposed a novel privacy-preserving method with the concept of global differential privacy. Our scheme provides confidentiality for clients' sensitive data to avoid security threats from not only participants in the communication system but also adversaries from outer cyberspace. We realize the communication protection by adding noises to shared model parameters in each channel. So, user data cannot be directly inferred by any adversary while still keeping high utility for the training model. In our experiment on the MNIST dataset, we get 91% model accuracy. Compared to previous two-layer HFL-DP^[27], our design is more secure while being as accurate. Then, we evaluated the performance based on the image classification. The experiment results show that our method is practical and efficient with proper parameters. Therefore, we can balance the trade-off between efficiency and safety by adjusting relevant parameters. In the future, we will do further research about adaptive adjustment to realize the preferable privacy budget and the non-IId data's effect on the utility of our algorithm. Meanwhile, we will tune our algorithm to adapt to the changes in user data distribution.

Acknowledgments

This work was supported by the National Key Research and Development Program of China (2020YFA0712300), National Natural Science Foundation of China (62132005), Shanghai Trusted Industry Internet Software Collaborative Innovation Center.

Conflict of interest

The authors declare there is no conflict of interest.