联邦学习中的局部层间差分隐私 (Local Layer-wise Differential Privacy in Federated Learning)

Federated Learning (FL) enables collaborative model training without direct data sharing, yet it remains vulnerable to privacy attacks such as model inversion and membership inference. Existing differential privacy (DP) solutions for FL often inject noise uniformly across the entire model, degrading utility while providing suboptimal privacy-utility tradeoffs. To address this, we propose LaDP, a novel layer-wise adaptive noise injection mechanism for FL that optimizes privacy protection while preserving model accuracy. LaDP leverages two key insights: (1) neural network layers contribute unevenly to model utility, and (2) layer-wise privacy leakage can be quantified via KL divergence between local and global model distributions. LaDP dynamically injects noise into selected layers based on their privacy sensitivity and importance to model performance. We provide a rigorous theoretical analysis, proving that LaDP satisfies $(ε, δ)$-DP guarantees and converges under bounded noise. Extensive experiments on CIFAR-10/100 datasets demonstrate that LaDP reduces noise injection by 46.14% on average compared to state-of-the-art (SOTA) methods while improving accuracy by 102.99%. Under the same privacy budget, LaDP outperforms SOTA solutions like Dynamic Privacy Allocation LDP and AdapLDP by 25.18% and 6.1% in accuracy, respectively. Additionally, LaDP robustly defends against reconstruction attacks, increasing the FID of the reconstructed private data by $>$12.84% compared to all baselines. Our work advances the practical deployment of privacy-preserving FL with minimal utility loss.

翻译：联邦学习（FL）使得无需直接共享数据即可进行协作式模型训练，但其仍易受到模型反演和成员推断等隐私攻击。现有的联邦学习差分隐私（DP）解决方案通常在整个模型中均匀注入噪声，这会在提供次优的隐私-效用权衡的同时降低模型效用。为解决此问题，我们提出LaDP，一种新颖的面向联邦学习的层间自适应噪声注入机制，该机制在保护模型准确性的同时优化了隐私保护。LaDP利用了以下两个关键洞见：（1）神经网络各层对模型效用的贡献不均等，以及（2）层间隐私泄露可以通过本地模型与全局模型分布之间的KL散度进行量化。LaDP根据各层的隐私敏感度及其对模型性能的重要性，动态地向选定层注入噪声。我们提供了严格的理论分析，证明LaDP满足$(ε, δ)$-DP保证，并在有界噪声下收敛。在CIFAR-10/100数据集上进行的大量实验表明，与最先进（SOTA）方法相比，LaDP平均减少了46.14%的噪声注入，同时将准确率提高了102.99%。在相同的隐私预算下，LaDP在准确率上分别优于动态隐私分配LDP和AdapLDP等SOTA解决方案25.18%和6.1%。此外，LaDP能有效防御重构攻击，与所有基线方法相比，其重构出的私有数据的FID增加了$>$12.84%。我们的工作以最小的效用损失推动了隐私保护联邦学习的实际部署。