Umeå University's logo

Deep neural networks (DNNs) are one of the most widely used machine learning algorithm. DNNs requires the training data to be available beforehand with true labels. This is not feasible for many real-world problems where data arrives in the streaming form and acquisition of true labels are scarce and expensive. In the literature, not much focus has been given to the privacy prospect of the streaming data, where data may change its distribution frequently. These concept drifts must be detected privately in order to avoid any disclosure risk from DNNs. Existing privacy models use concept drift detection schemes such ADWIN, KSWIN to detect the drifts. In this paper, we focus on the notion of integrally private DNNs to detect concept drifts. Integrally private DNNs are the models which recur frequently from different datasets. Based on this, we introduce an ensemble methodology which we call 'Integrally Private Drift Detection' (IPDD) method to detect concept drift from private models. Our IPDD method does not require labels to detect drift but assumes true labels are available once the drift has been detected. We have experimented with binary and multi-class synthetic and real-world data. Our experimental results show that our methodology can privately detect concept drift, has comparable utility (even better in some cases) with ADWIN and outperforms utility from different levels of differentially private models.

The Choquet integral is a well known aggregation function that generalizes several other well known functions. For example, appropriate parameterizations reduce a Choquet integral to the arithmetic mean, the weighted mean, order statistics, and linear combination of order statistics. This integral has been used extensively in data fusion. We find applications in computer science, economy, and decision making. Formally, Choquet integrals integrate a function (the data to be aggregated) with respect to a non-additive measure also called a fuzzy measure (which represents the background knowledge on the information sources that provide the data to be aggregated). In this paper we propose a privacy preserving Choquet integral which satisfies differential privacy. Then, we study the sensitivity of the Choquet integral with respect to different types of fuzzy measures. Our results generalize previous knowledge about the sensitivity of minimum, maximum, and the arithmetic mean.

Privacy regulations like the GDPR in Europe and the CCPA in the US allow users the right to remove their data from machine learning (ML) applications. Machine unlearning addresses this by modifying the ML parameters in order to forget the influence of a specific data point on its weights. Recent literature has highlighted that the contribution from datapoint(s) can be forged with some other data points in the dataset with probability close to one. This allows a server to falsely claim unlearning without actually modifying the model’s parameters. However, in distributed paradigms such as federated learning (FL), where the server lacks access to the dataset and the number of clients are limited, claiming unlearning in such cases becomes a challenge. An honest server must modify the model parameters in order to unlearn. This paper introduces an efficient way to achieve machine unlearning in FL, i.e., federated unlearning, by employing a privacy model which allows the FL server to plausibly deny the client’s participation in the training up to a certain extent. Specifically, we demonstrate that the server can generate a Proof-of-Deniability, where each aggregated update can be associated with at least x (the plausible deniability parameter) client updates. This enables the server to plausibly deny a client’s participation. However, in the event of frequent unlearning requests, the server is required to adopt an unlearning strategy and, accordingly, update its model parameters. We also perturb the client updates in a cluster in order to avoid inference from an honest but curious server. We show that the global model satisfies (𝜖, 𝛿)-differential privacy after T number of communication rounds. The proposed methodology has been evaluated on multiple datasets indifferent privacy settings. The experimental results show that our framework achieves comparable utility while providing a significant reduction in terms of memory (≈ 30 times), as well as retraining time (1.6-500769 times). The source code for the paper is available https://github.com/Ayush-Umu/Federated-Unlearning-under-Plausible-Deniability

Probabilistic metric spaces are natural extensions of metric spaces, where the function that computes the distance outputs a distribution on the real numbers rather than a single value. Such a function is called a distribution function. F-spaces are constructions for probabilistic metric spaces, where the distribution functions are built for functions that map from a measurable space to a metric space. In this paper, we propose an extension of F-spaces, called Generalized F-space. This construction replaces the metric space with a probabilistic metric space and uses fuzzy measures to evaluate sets of elements whose distances are probability distributions. We present several results that establish connections between the properties of the constructed space and specific fuzzy measures under particular triangular norms. Furthermore, we demonstrate how the space can be applied in machine learning to compute distances between different classifier models. Experimental results based on Sugeno λ-measures are consistent with our theoretical findings.

Differential privacy allows to publish graph statistics in a way that protects individual privacy while stillallowing meaningful insights to be derived from the data. The centralized privacy model of differential privacyassumes that there is a trusted data curator, while the local model does not require such a trusted authority.Local differential privacy is commonly achieved through randomized response (RR) mechanisms. This doesnot preserve the sparseness of the graphs. As most of the real-world graphs are sparse and have several nodes,this is a drawback of RR-based mechanisms, in terms of computational efficiency and accuracy. We thus,propose a comparative analysis through experimental analysis and discussion, to compute statistics with localdifferential privacy, where, it is shown that preserving the sparseness of the original graphs is the key factorto gain that balance between utility and privacy. We perform several experiments to test the utility of theprotected graphs in terms of several sub-graph counting i.e. triangle, and star counting and other statistics. Weshow that the sparseness preserving algorithm gives comparable or better results in comparison to the otherstate of the art methods and improves computational efficiency.

Federated Learning ( FL ) has emerged as a prominent distributed learning paradigm that allows multiple users to collaboratively train a model without sharing their data thus preserving privacy.Within the scope of privacy preservation, information privacy regulations such as GDPR entitle users to request the removal (or unlearning) of their contribution from a service that is hosting the model. For this purpose, a server hosting an ML model must be able to unlearn certain information in cases such as copyright infringement or security issues that can make the model vulnerable or impact the performance of a service based on that model. While most unlearning approaches in FL focus on Horizontal Federated Learning (HFL), where clients share the feature space and the global model, Vertical Federated Learning (VFL) has received less attention from the research community. VFL involves clients (passive parties) sharing the sample space among them while not having access to the labels. In this paper, we explore unlearning in VFL from three perspectives: unlearning passive parties, unlearning features, and unlearning samples. To unlearn passive parties and features we introduce VFU-KD which is based on knowledge distillation(KD) while to unlearn samples, VFU-GA is introduced which is based on gradient ascent (GA). To provide evidence of approximate unlearning, we utilize Membership Inference Attack (MIA) to audit the effectiveness of our unlearning approach. Our experiments across six tabular datasets and two image datasets demonstrate that VFU-KD and VFU-GA achieve performance comparable to or better than both retraining from scratch and the benchmark R2S method in many cases, with improvements of (0 − 2%). In the remaining cases, utility scores remain comparable, with a modest utility loss ranging from 1 − 5%. Unlike existing methods, VFU-KD and VFU-GA require no communication between active and passive parties during unlearning. However, they do require the active party to store the previously communicated embeddings.

This study explores the Sugeno exponential function, which is the solution to a first order differential equation with respect to nonadditive measures, specifically distorted Lebesgue measures. We define k-distorted semigroup property of the Sugeno exponential function, introduce a new addition operation on a set of distortion functions, and discuss some related results. Furthermore, m-Bernoulli inequality, a more general inequality than the well-known Bernoulli inequality on the real line, is established for the Sugeno exponential function. Additionally, the above concept is extended to a system of differential equations with respect to the distorted Lebesgue measure which gives rise to the study of a matrix m-exponential function.

Finally, we present an appropriate m-distorted logarithm function and describe its behavior when applied to various functions, such as the sum, product, quotient, etc., while maintaining basic algebraic structures. The results are illustrated throughout the paper with a variety of examples.

This paper studies attribute disclosure risk in aggregated smart meter data. Smart meter data is commonly aggregated to preserve the privacy of individual contributions. The published data shows aggregated consumption, preventing the revelation of individual consumption patterns. There is, however, a potential risk associated to aggregated data. We analyze some datasets of smart meter data consumption to show the potential risk of attribute disclosure. We observe that, even if data is aggregated with the most favorable aggregation approach, it presents this attribute disclosure risk.

Machine learning has shown remarkable performance in modeling large datasets with complex patterns. As the amount of data increases, it often leads to high-dimensional feature spaces. This data may contain confidential information that must be safeguarded against disclosure. One way to make the data accessible could be by using anonymization. An alternative is to use synthetic data that mimics the behavior of the original data. GANs represent a prominent approach for generating synthetic samples that faithfully replicate the distributional characteristics of the original data. In scenarios involving high-dimensional data, preserving the geometric properties, structural integrity, and relative positioning of data points is paramount, as neglecting such information may compromise utility. This research aims to investigate the manifold properties of synthetically generated data and introduces a novel framework for producing privacy-preserving synthetic data while upholding the manifold structure of the original data. While existing studies predominantly focus on privacy preservation within GANs, the critical aspect of preserving the manifold structure of data remains unaddressed. Our novel approach adeptly addresses both privacy concerns and manifold structure preservation, distinguishing it from prior research endeavors. Comparative assessments against baseline models are conducted using metrics such as Maximum Mean Discrepancy (MMD), Fréchet Inception Distance (FID), and F1-score. Additionally, the privacy risk posed by the models is evaluated through data reconstruction attacks. Results demonstrate that the proposed framework exhibits diminished vulnerability to privacy breaches while more effectively preserving the intrinsic structure of the data.

In the continuous case, analytical computations of the Choquet integral are limited, despite being commonly used in various applications. One can either use the definition, which is computationally demanding and impractical, or apply already existing formulas restricted only to monotone nonnegative functions on a real interval starting at zero. This article aims to present more convenient computational formulas for continuous functions without imposing restrictions on their monotonicity given any real interval. First, a more general approach to monotone functions is provided for both positive and negative functions. Then, reordering techniques are introduced to compute the Choquet integral of an arbitrary continuous function, and with these, a monotone equivalent to every function can be constructed. This equivalent function preserves the final Choquet integral value, implying that only formulas for monotone functions are required. In addition to general fuzzy measures, the article assumes particular cases of distorted Lebesgue measures and distorted probabilities as the most commonly used fuzzy measures.