Balancing Privacy and Utility in Split Learning: An Adversarial Channel Pruning-Based Approach

IF 3.4 3区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

IEEE Access Pub Date : 2025-01-13 DOI:10.1109/ACCESS.2025.3528575

Afnan Alhindi;Saad Al-Ahmadi;Mohamed Maher Ben Ismail

{"title":"Balancing Privacy and Utility in Split Learning: An Adversarial Channel Pruning-Based Approach","authors":"Afnan Alhindi;Saad Al-Ahmadi;Mohamed Maher Ben Ismail","doi":"10.1109/ACCESS.2025.3528575","DOIUrl":null,"url":null,"abstract":"Machine Learning (ML) has been exploited across diverse fields with significant success. However, the deployment of ML models on resource-constrained devices, such as edge devices, has remained challenging due to the limited computing resources. Moreover, training such models using private data is prone to serious privacy risks resulting from inadvertent disclosure of sensitive information. Split Learning (SL) has emerged as a promising technique to mitigate these risks through partitioning neural networks into the client and the server subnets. One should note that although only the extracted features are transmitted to the server, sensitive information can still be unwittingly revealed. Existing approaches addressing this privacy concern in SL struggle to maintain a balance of privacy and utility. This research introduces a novel privacy-preserving split learning approach that integrates: 1) Adversarial learning and 2) Network channel pruning. Specifically, adversarial learning aims to minimize the risk of sensitive data leakage while maximizing the performance of the target prediction task. Furthermore, the channel pruning performed jointly with the adversarial training allows the model to dynamically adjust and reactivate the pruned channels. The association of these two techniques makes the intermediate representations (features) exchanged between the client and the server models less informative and more robust against data reconstruction attacks. Accordingly, the proposed approach enhances data privacy without ceding the model’s performance in achieving the intended utility task. The contributions of this research were validated and assessed using benchmark datasets. The experiments demonstrated the superior defense ability, against data reconstruction attacks, of the proposed approach in comparison with relevant state-of-the-art approaches. In particular, the SSIM between the original data and the data reconstructed by the attacker, achieved by our approach, decreased significantly by 57%. In summary, the obtained quantitative and qualitative results proved the efficiency of the proposed approach in balancing privacy and utility for typical split learning frameworks.","PeriodicalId":13079,"journal":{"name":"IEEE Access","volume":"13 ","pages":"10094-10110"},"PeriodicalIF":3.4000,"publicationDate":"2025-01-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10838505","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Access","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10838505/","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Machine Learning (ML) has been exploited across diverse fields with significant success. However, the deployment of ML models on resource-constrained devices, such as edge devices, has remained challenging due to the limited computing resources. Moreover, training such models using private data is prone to serious privacy risks resulting from inadvertent disclosure of sensitive information. Split Learning (SL) has emerged as a promising technique to mitigate these risks through partitioning neural networks into the client and the server subnets. One should note that although only the extracted features are transmitted to the server, sensitive information can still be unwittingly revealed. Existing approaches addressing this privacy concern in SL struggle to maintain a balance of privacy and utility. This research introduces a novel privacy-preserving split learning approach that integrates: 1) Adversarial learning and 2) Network channel pruning. Specifically, adversarial learning aims to minimize the risk of sensitive data leakage while maximizing the performance of the target prediction task. Furthermore, the channel pruning performed jointly with the adversarial training allows the model to dynamically adjust and reactivate the pruned channels. The association of these two techniques makes the intermediate representations (features) exchanged between the client and the server models less informative and more robust against data reconstruction attacks. Accordingly, the proposed approach enhances data privacy without ceding the model’s performance in achieving the intended utility task. The contributions of this research were validated and assessed using benchmark datasets. The experiments demonstrated the superior defense ability, against data reconstruction attacks, of the proposed approach in comparison with relevant state-of-the-art approaches. In particular, the SSIM between the original data and the data reconstructed by the attacker, achieved by our approach, decreased significantly by 57%. In summary, the obtained quantitative and qualitative results proved the efficiency of the proposed approach in balancing privacy and utility for typical split learning frameworks.

查看原文本刊更多论文

在分裂学习中平衡隐私和效用：一种基于对抗性通道修剪的方法

机器学习（ML）已经在各个领域获得了巨大的成功。然而，由于计算资源有限，在资源受限的设备（如边缘设备）上部署ML模型仍然具有挑战性。此外，使用私人数据训练此类模型容易因敏感信息的无意泄露而带来严重的隐私风险。通过将神经网络划分为客户端和服务器子网，拆分学习（SL）已经成为一种很有前途的技术，可以减轻这些风险。需要注意的是，虽然只有提取的特征被传输到服务器，但敏感信息仍然可能在不知不觉中泄露。在SL中解决此隐私问题的现有方法难以保持隐私和实用之间的平衡。本研究引入了一种新的隐私保护分裂学习方法，该方法集成了：1)对抗学习和2)网络通道修剪。具体来说，对抗性学习旨在最大限度地降低敏感数据泄露的风险，同时最大限度地提高目标预测任务的性能。此外，与对抗训练联合进行的通道修剪允许模型动态调整和重新激活修剪后的通道。这两种技术的关联使得在客户端和服务器模型之间交换的中间表示（特征）信息量更少，但对数据重构攻击更健壮。因此，所提出的方法在不影响模型实现预期实用任务的性能的情况下增强了数据隐私。使用基准数据集验证和评估了本研究的贡献。实验表明，与相关的最新方法相比，所提出的方法具有更好的防御数据重构攻击的能力。特别是，通过我们的方法实现的原始数据与攻击者重建的数据之间的SSIM显著降低了57%。总之，所获得的定量和定性结果证明了该方法在平衡典型分裂学习框架的私密性和实用性方面的有效性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

IEEE Access COMPUTER SCIENCE, INFORMATION SYSTEMSENGIN-ENGINEERING, ELECTRICAL & ELECTRONIC

CiteScore

9.80

自引率

7.70%

发文量

6673

审稿时长

6 weeks

期刊介绍： IEEE Access® is a multidisciplinary, open access (OA), applications-oriented, all-electronic archival journal that continuously presents the results of original research or development across all of IEEE''s fields of interest. IEEE Access will publish articles that are of high interest to readers, original, technically correct, and clearly presented. Supported by author publication charges (APC), its hallmarks are a rapid peer review and publication process with open access to all readers. Unlike IEEE''s traditional Transactions or Journals, reviews are "binary", in that reviewers will either Accept or Reject an article in the form it is submitted in order to achieve rapid turnaround. Especially encouraged are submissions on: Multidisciplinary topics, or applications-oriented articles and negative results that do not fit within the scope of IEEE''s traditional journals. Practical articles discussing new experiments or measurement techniques, interesting solutions to engineering. Development of new or improved fabrication or manufacturing techniques. Reviews or survey articles of new or evolving fields oriented to assist others in understanding the new area.