Privacy-preserving Feature Extraction via Adversarial Training

Abstract

Deep learning is increasingly popular, partly due to its widespread application potential, such as in civilian, government and military domains. Given the exacting computational requirements, cloud computing has been utilized to host user data and model. However, such an approach has potential privacy implications. Therefore, in this paper, we propose a method to protect user’s privacy in the inference phase of deep learning workflow. Specifically, we use an intermediate layer to separate the entire neural network into two parts, which are respectively deployed on the user device and the cloud server. The <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">encoder</i> , deployed on the user device, is used for raw data transformation, which removes the need for users to upload raw data to the cloud directly. However, we also demonstrate there exists potential for privacy leakage in the intermediate features of the neural network through two concrete experiments. In other words, the encoder on its own does not provide adequate privacy protection. Therefore, we also propose an approach to achieve <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Privacy-preserving Feature Extraction based on Adversarial Training (P-FEAT)</i> , where the goal of privacy attacking tasks and the goal of target tasks are adversarial in terms of sensitive attributes. By imposing privacy constraints during the feature extraction, we can reduce the contribution of the extracted features to the privacy leakage. In this way, privacy protection capability of the <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">encoder</i> can be further strengthened. We then demonstrate the effectiveness of P-FEAT using a large number of experiments, whose findings show that P-FEAT can significantly reduce the threats of privacy attacking tasks while maintaining high accuracy of the target tasks.