US-20260127315-A1 - USER-LEVEL PRIVACY PRESERVATION FOR FEDERATED MACHINE LEARNING
Abstract
User-level privacy preservation is implemented within federated machine learning. An aggregation server may distribute a machine learning model to multiple users each including respective private datasets. Individual users may train the model using the local, private dataset to generate one or more parameter updates. Prior to sending the generated parameter updates to the aggregation server for incorporation into the machine learning model, a user may modify the parameter updates by applying respective noise values to individual ones of the parameter updates to ensure differential privacy for the dataset private to the user. The aggregation server may then receive the respective modified parameter updates from the multiple users and aggregate the updates into a single set of parameter updates to update the machine learning model. The federated machine learning may further include iteratively performing said sending, training, modifying, receiving, aggregating and updating steps.
Inventors
- Virendra Marathe
- Pallika Haridas KANANI
- Daniel Peterson
- Swetasudha Panda
Assignees
- ORACLE INTERNATIONAL CORPORATION
Dates
- Publication Date: 20260507
- Application Date: 20251219
Claims (20)
- 1-20. (canceled)
- 21. A system, comprising: a plurality of clients of a federated machine learning system respectively comprising at least a processor and memory, wherein individual clients of at least a portion of the plurality of clients are configured to perform a training iteration of the federated machine learning system, wherein to perform the training iteration the plurality of clients are individually configured to: receive a federated learning model comprising one or more training updates from a previous training iteration of the federated machine learning system; train the received machine learning model using a plurality of mini-batches of a dataset private to the respective client to generate one or more accumulated parameter updates, wherein individual ones of the one or more accumulated parameter updates comprise a sum of parameter updates generated for individual ones of the plurality of mini-batches; apply respective noise values to individual ones of the one or more accumulated parameter updates, the respective noise values scaled to provide a local differential privacy guarantee for the respective client; and send the one or more accumulated parameter updates to an aggregation server; and the aggregation server of the federated machine learning system comprising at least a processor and memory and configured to perform the training iteration of the federated machine learning system, wherein to perform the training iteration the aggregation server is configured to revise the federated learning model according to the sent one or more accumulated parameter updates.
- 22. The system of claim 21, wherein the parameter updates generated for individual ones of the plurality of mini-batches are clipped according to a clipping threshold prior to summing.
- 23. The system of claim 21, wherein the respective noise values are determined according to a Gaussian distribution.
- 24. The system of claim 21, wherein applying the respective noise values to the individual ones of the one or more accumulated parameter updates comprises determining respective noise values proportional to: a privacy loss bound received from the aggregation server; or a privacy loss bound determined by the respective client.
- 25. The system of claim 21, wherein applying the respective noise values to individual ones of the one or more accumulated parameter updates provides differential privacy for the respective dataset private to the respective client.
- 26. The system of claim 21, wherein the training iteration is one of a plurality of training iterations of the federated machine learning system, and wherein individual ones of the plurality of training iterations use different portions of the plurality of clients.
- 27. The system of claim 21, wherein to perform the training iteration the aggregation server is further configured to send the revised federated learning model to individual ones of the plurality of clients.
- 28. A computer-implemented method, comprising: executing a training iteration of a federated machine learning system comprising an aggregation server and a plurality of clients, the executing comprising: performing at respective clients of the plurality of clients: receiving a federated learning model comprising one or more training updates from a previous training iteration of the federated machine learning system; training the received machine learning model using a plurality of mini-batches of a dataset private to the respective client to generate one or more accumulated parameter updates, wherein individual ones of the one or more accumulated parameter updates comprise a sum of parameter updates generated for individual ones of the plurality of mini-batches; applying respective noise values to individual ones of the one or more accumulated parameter updates, the respective noise values scaled to provide a local differential privacy guarantee for the respective client; and sending the one or more accumulated parameter updates to the aggregation server; and revising, at the aggregation server, the federated learning model according to the sent one or more accumulated parameter updates.
- 29. The computer-implemented method of claim 28, wherein the parameter updates generated for individual ones of the plurality of mini-batches are clipped according to a clipping threshold prior to summing.
- 30. The computer-implemented method of claim 28, wherein the respective noise values are determined according to a Gaussian distribution.
- 31. The computer-implemented method of claim 28, wherein applying the respective noise values to the individual ones of the one or more accumulated parameter updates comprises determining respective noise values proportional to: a privacy loss bound received from the aggregation server; or a privacy loss bound determined by the respective client.
- 32. The computer-implemented method of claim 28, wherein applying the respective noise values to individual ones of the one or more accumulated parameter updates provides differential privacy for the respective dataset private to the respective client.
- 33. The computer-implemented method of claim 28, wherein the training iteration is one of a plurality of training iterations of the federated machine learning system, and wherein individual ones of the plurality of training iterations use different portions of the plurality of clients.
- 34. The computer-implemented method of claim 28, the executing further comprising sending, by the aggregation server, the revised federated learning model to individual ones of the plurality of clients.
- 35. One or more non-transitory computer-accessible storage media storing program instructions that when executed on or across a plurality of computing devices cause the one or more computing devices to implement a federated machine learning system to perform: executing a training iteration comprising: performing at respective clients of a plurality of clients of the federated machine learning system: receiving a federated learning model comprising one or more training updates from a previous training iteration of the federated machine learning system; training the received machine learning model using a plurality of mini-batches of a dataset private to the respective client to generate one or more accumulated parameter updates, wherein individual ones of the one or more accumulated parameter updates comprise a sum of parameter updates generated for individual ones of the plurality of mini-batches; applying respective noise values to individual ones of the one or more accumulated parameter updates, the respective noise values scaled to provide a local differential privacy guarantee for the respective client; and sending the one or more accumulated parameter updates to the aggregation server; and revising, at the aggregation server of the federated machine learning system, the federated learning model according to the sent one or more accumulated parameter updates.
- 36. The one or more non-transitory computer-accessible storage media of claim 35, wherein the parameter updates generated for individual ones of the plurality of mini-batches are clipped according to a clipping threshold prior to summing.
- 37. The one or more non-transitory computer-accessible storage media of claim 35, wherein the respective noise values are determined according to a Gaussian distribution.
- 38. The one or more non-transitory computer-accessible storage media of claim 35, wherein applying the respective noise values to the individual ones of the one or more accumulated parameter updates comprises determining respective noise values proportional to: a privacy loss bound received from the aggregation server; or a privacy loss bound determined by the respective client.
- 39. The one or more non-transitory computer-accessible storage media of claim 35, wherein applying the respective noise values to individual ones of the one or more accumulated parameter updates provides differential privacy for the respective dataset private to the respective client.
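The client-side step recited in claims 21 to 23 (clip each mini-batch update, sum, add Gaussian noise before upload) followed by server aggregation, as an added sketch that is not code from the patent or its assignee. The function names, the classic Gaussian-mechanism calibration of the noise scale, the averaging aggregator and the sample values are all assumptions made for illustration.

```python
import math
import random

def clip_l2(update, clip):
    """Scale `update` so its L2 norm is at most `clip` (clipping threshold, claim 22)."""
    norm = math.sqrt(sum(x * x for x in update))
    scale = min(1.0, clip / norm) if norm > 0 else 1.0
    return [x * scale for x in update]

def accumulate(minibatch_updates, clip):
    """Sum the clipped per-mini-batch updates into one accumulated update (claim 21)."""
    total = [0.0] * len(minibatch_updates[0])
    for u in minibatch_updates:
        for i, x in enumerate(clip_l2(u, clip)):
            total[i] += x
    return total

def gaussian_sigma(clip, n_batches, epsilon, delta):
    """Assumed calibration (classic Gaussian mechanism, valid for 0 < epsilon < 1).
    L2 sensitivity is 2*k*C: two different private datasets can yield sums
    anywhere in the ball of radius k*C, and local DP must cover any such pair."""
    if not 0 < epsilon < 1 or not 0 < delta < 1:
        raise ValueError("need 0 < epsilon < 1 and 0 < delta < 1")
    sensitivity = 2.0 * n_batches * clip
    return sensitivity * math.sqrt(2.0 * math.log(1.25 / delta)) / epsilon

def privatize(accumulated, sigma, rng):
    """Add independent Gaussian noise to every coordinate (claim 23)."""
    return [x + rng.gauss(0.0, sigma) for x in accumulated]

def aggregate(client_updates):
    """Server side: average the noisy uploads (averaging is an assumption)."""
    n = len(client_updates)
    return [sum(col) / n for col in zip(*client_updates)]

def client_round(minibatch_updates, clip, epsilon, delta, rng):
    """Everything one client does before its upload leaves the device."""
    acc = accumulate(minibatch_updates, clip)
    sigma = gaussian_sigma(clip, len(minibatch_updates), epsilon, delta)
    return privatize(acc, sigma, rng)

# Constructed sample: three mini-batch updates for a two-parameter model.
SAMPLE = [[3.0, 4.0], [0.3, 0.4], [-6.0, 8.0]]
if __name__ == "__main__":
    rng = random.Random(7)  # seeded only so the demo is repeatable
    uploads = [client_round(SAMPLE, 1.0, 0.5, 1e-5, rng) for _ in range(4)]
    print(aggregate(uploads))
```

In a deployment the noise would come from a cryptographically secure source rather than a seeded `random.Random`, since predictable noise can be subtracted by whoever knows the seed.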
Description
This application is a continuation of U.S. patent application Ser. No. 17/663,008, filed May 11, 2022, which claims benefit of priority of U.S. Provisional Patent Application No. 63/227,838, filed Jul. 30, 2021, which are hereby incorporated by reference herein in their entirety.
BACKGROUND
Field of the Disclosure
This disclosure relates generally to computer hardware and software, and more particularly to systems and methods for implementing federated machine learning systems.
Description of the Related Art
Federated Learning (FL) has increasingly become a preferred method for distributed collaborative machine learning (ML). In FL, multiple users collaboratively train a single global ML model using respective private data sets. These users, however, do not share data with other users. A typical implementation of FL may contain a federation server and multiple federation users, where the federation server hosts a global ML model and is responsible for distributing the model to the users and for aggregating model updates from the users. The respective users train the received model using private data. While this data isolation is a first step toward ensuring data privacy, ML models are known to learn the training data itself and to leak that training data at inference time. There exist methods based on Differential Privacy (DP) that ensure that individual data items are not learned by the FL trained model; however, each user can expose its data distribution to the federation server even when privacy of individual data items is preserved. In order to protect the user's data distribution from a potentially adversarial federation server, the user must enact a DP enforcement mechanism.
SUMMARY
Methods, techniques and systems for implementing user-level privacy preservation within federated machine learning are disclosed. An aggregation server may distribute a machine learning model to multiple users each including respective private datasets.
Individual users may train the model using the local, private dataset to generate one or more parameter updates. Prior to sending the generated parameter updates to the aggregation server for incorporation into the machine learning model, a user may modify the parameter updates by applying respective noise values to individual ones of the parameter updates to provide or ensure differential privacy for the dataset private to the user. The aggregation server may then receive the respective modified parameter updates from the multiple users and aggregate the updates into a single set of parameter updates to update the machine learning model.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a block diagram illustrating a collaborative, federated machine learning system that enables multiple users to cooperatively train a Machine Learning (ML) model without sharing private training data, in various embodiments.
FIG. 2 is a block diagram illustrating a machine learning system that functions as a user of a collaborative, federated machine learning to cooperatively train a Machine Learning (ML) model without sharing private training data, in various embodiments.
FIG. 3 is a block diagram illustrating an embodiment implementing a federated machine learning system providing user-level local Differential Privacy (DP), in various embodiments.
FIG. 4 is a block diagram illustrating another embodiment implementing a federated machine learning system providing user-level privacy, in various embodiments.
FIG. 5 is a block diagram illustrating one embodiment of a computing system that is configured to implement position-independent addressing modes, as described herein.
While the disclosure is described herein by way of example for several embodiments and illustrative drawings, those skilled in the art will recognize that the disclosure is not limited to embodiments or drawings described.
It should be understood that the drawings and detailed description hereto are not intended to limit the disclosure to the particular form disclosed, but on the contrary, the disclosure is to cover all modifications, equivalents and alternatives falling within the spirit and scope as defined by the appended claims. Any headings used herein are for organizational purposes only and are not meant to limit the scope of the description or the claims. As used herein, the word “may” is used in a permissive sense (i.e., meaning having the potential to) rather than the mandatory sense (i.e. meaning must). Similarly, the words “include”, “including”, and “includes” mean including, but not limited to. Various units, circuits, or other components may be described as “configured to” perform a task or tasks. In such contexts, “configured to” is a broad recitation of structure generally meaning “having circuitry that” performs the task or tasks during operation. As such, the unit/circuit/component can be configured to perform the task even when the unit/circuit/component is not currently on. In general, the circuitry that forms