Preserving Privacy of Finite Impulse Response Systems
Giulio Bottegal, Farhad Farokhi, Iman Shames

TL;DR
This paper proposes methods to add noise to FIR systems to protect their models from identification, balancing privacy with system performance, using optimal filtering and differential privacy techniques.
Contribution
It introduces novel noise design strategies for FIR systems that maximize identification error while controlling performance loss, combining optimal filtering and differential privacy.
Findings
Optimal filters for noise construction are developed.
Differential privacy mechanisms are applied to FIR systems.
Trade-offs between privacy and system performance are characterized.
Abstract
Adding input and output noises for increasing the model identification error of finite impulse response (FIR) systems is considered. This is motivated by the desire to protect the model of the system as a trade secret by rendering model identification techniques ineffective. Optimal filters for constructing additive noises that maximize the identification error subject to maintaining the closed-loop performance degradation below a limit are constructed. Furthermore, differential privacy is used for designing output noises that preserve the privacy of the model.
Giulio Bottegal, Farhad Farokhi, and Iman Shames. F. Farokhi and I. Shames are with the University of Melbourne, Australia. G. Bottegal is with TU Eindhoven, The Netherlands. E-mails: [email protected] (F. Farokhi), [email protected] (I. Shames), [email protected] (G. Bottegal). The work was supported by a McKenzie Fellowship and the Australian Research Council (LP130100605).
I Introduction
Innovative industries invest resources (e.g., money and time for research and development) to construct new systems and to improve the performance of the previously-deployed ones. To generate revenue and offset the cost of research, they ideally want to capitalize on their achievements. This is sometimes done by restricting the use of their ideas through patents or by hiding the features of their systems as trade secrets. When opting for trade secrets, reverse engineering techniques can be used by competitors to unravel their secrets. For instance, model identification tools can be utilized to identify a black-box system or to extract the parameters of a gray-box system. The gained information can be then used to reverse the financial gains. This motivates the use of methods that can render reverse-engineering techniques ineffective. Such methods, however, most often degrade the performance of the system. Therefore, a framework for balancing the need for preserving the trade secrets against maintaining the performance of the systems is required.
In this paper, linear time-invariant discrete-time finite impulse response (FIR) systems are considered. Specifically, the idea of adding noises to the input and output for increasing the error of model identification is explored. A bound on the closed-loop performance degradation caused by the additive noise is enforced. An optimal filter for constructing the additive input and output noises that maximizes the identification error subject to maintaining the performance degradation below a threshold is constructed. This is done for both known and unknown input sequences. The former is useful to make the identification difficult for given inputs, such as the optimal experimental design in the model identification literature [1]. The latter, which requires statistics of the input, can accommodate the belief of the designer on the reverse engineering techniques, e.g., a frequently used input for model identification purposes is a sequence of i.i.d. (independently and identically distributed) Gaussian noise [2]. Finally, the differential privacy framework is used for designing output additive noises that make the system identification difficult without any assumptions on the utilized inputs.
In differential privacy literature, noises are added to the outcome of statistical queries from databases to preserve the privacy of individuals in the database [3]. This framework was more recently used in dynamical systems [4, 5]. In differential privacy literature, most often, additive Laplace noises are used and the parameters of the noise are selected according to the sensitivity of the outcome to variations in the data (that should be kept private). However, weaker variants of differential privacy can be achieved by additive Gaussian noises. This is advantageous as adding Laplace noise can make the designer’s task considerably more difficult (in terms of utilizing the outputs of the system), e.g., optimal state estimation when measurements are corrupted by Laplace noise results in non-linearities and memory issues [6].
To the best of our knowledge, differential privacy has not been explored in the context of preserving the privacy of dynamical systems with the aim of protecting the model as a trade secret. This is explored thoroughly in one of the sections of the paper. In addition, in this paper, the problem of preserving the privacy of the systems is cast as a concrete optimization problem that balances the need for preserving privacy with that of maintaining performance. This provides a different approach from that of differential privacy, in which constraints on the performance degradation cannot be enforced directly to optimally balance privacy and performance. Finally, note that the problem of releasing the dynamical model of a system under privacy constraints was considered in [7]. In this paper, we take a different approach, i.e., we do not release the model of the system. We want to ensure that inferring an exact model relating inputs and outputs is made difficult.
The rest of the paper is organized as follows. The design of optimal additive input and output noise to hinder system identification is studied in Section II. Section III uses the differential privacy for constructing additive output noises. A numerical example is provided in Section IV. Some concluding remarks are presented in Section V.
II Optimal Additive Noise
Here, we investigate the use of additive noise to preserve the privacy of the model information assuming that the eavesdropper uses the best linear unbiased estimate. These results are subsequently generalized (to the case where the model of the eavesdropper is not known) when using the differential privacy framework.
II-A Problem Formulation
In this paper, for sake of simplicity of presentation, linear single-input single-output (SISO) time-invariant discrete-time systems are considered. All the derivations can be extended to multi-input multi-output (MIMO) systems. The system is described by the following equation
[TABLE]
where represents the transfer function of the system, which is driven by the reference input . The output is corrupted by additive white Gaussian noise with variance , which is represented by . Assume that can be well-represented by a finite-impulse response (FIR) system of order , i.e., . Hence, the dynamics of the system is completely characterized by the vector of coefficients . In this paper, we assume null initial conditions (that is for ), though extension to any initial condition is straightforward due to the linearity of the underlying system.
Assume that an adversary is interested in inferring on the process relating to by attempting to estimate from a set of input/output measurements . To complicate the identification process, an additional component (which is not accessible to the adversary) can be added to the input or to the output of the system to lower the identification accuracy. Let capture such an additional component, which changes the model of the system as
[TABLE]
This term can capture both the additive input and output noise as discussed, in detail, in what follows.
Assumption II.1
The malicious entity is unaware of the presence of the additive input or output noise.
This assumption is rather conservative. When using the differential privacy framework in the next section, we can avoid such assumptions. Considering a FIR model for the system and in light of Assumption II.1, the best linear unbiased estimate (BLUE) of from the perspective of the malicious entity is given by the standard least-squares estimate [8, Ch. 4]. Let us introduce the vectors , , and . Assuming that the system is at rest prior to the data collection (i.e., for all ) and defining the matrix
[TABLE]
it is evident that The least-squares estimate of is then given by
[TABLE]
Note that this estimator is not the true BLUE, which would require the knowledge of the second order statistics of . However, it is the best that the malicious entity can do without the knowledge that exists. This estimator is still unbiased because . Then, a measure of the accuracy of the estimation of the impulse response is the covariance matrix of [8, Ch. 4], namely
[TABLE]
The additional input determines the quality of the estimated system by entering into the expression of the parameter covariance matrix . Intuitively, the higher the power of , the higher (and thus the lower the identification accuracy). On the other hand, has an undesired effect on the output power. Therefore, the additive noise is designed to increase the total variance of (expressed through the trace of ) while keeping low the contribution of to the variance of . Let be such contribution. Note that, if , the output is driven only by the stationary noise processes and and so is constant in .
Problem II.2
For a given input , find an appropriate additive noise to maximize the identification error while keeping the performance degradation small by guaranteeing .
In Problem II.2, is a pre-selected constant that reflects the maximum tolerable output variance, which is a measure of the performance degradation caused by the additive input and output noises. If is very small, the optimal solution is to add no noise. In this case, the closed-loop performance is valued far above protecting the model. However, if is too large, the output of the system is drowned in noise and thus the system becomes practically useless.
Here, the additive noise is designed for a given sequence of inputs captured by . This might not be generally feasible as, when dealing with causal systems, the additive noise should be designed and employed prior to receiving the entire sequence of inputs. This design methodology is however very useful to make the identification difficult for a given input, such as those in optimal experimental design in the model identification literature [1]. Alternatively, a distribution for the input signal can be considered. Furthermore, the length of the experiment that the malicious entity is collecting to identify the system is also unknown a priori, and shall be treated as a random quantity.
Assumption II.3
Let be a random number distributed according to for some such that . For a given , assume that is distributed according to the conditional probability density function such that for all Lebesgue-measurable sets .
Remark II.4
In general, the probability density function of the input signals might not be known in advance. In that case, an online or adaptive approach can be used to estimate the statistical properties of the input as more inputs are revealed over time and design (or update the design of) privacy-preserving filters based on the additional gathered information. The result of this paper can serve as a first step in that direction. This is because if rigorous treatment of the problem for known deterministic inputs or random inputs with known probability distributions is not well understood, the analysis of the online approach would not be possible (or straightforward to say the least).
In this case, the identification error which is used as a measure of privacy should be replaced with with the expectation being taken over random variables and . This allows us to generalize the problem of the interest as follows.
Problem II.5
For given distributions of random variables and following Assumption II.3, find an appropriate additive noise to maximize the identification error while keeping the performance degradation small by guaranteeing .
In this paper, two families of additive noise are considered, namely, additive output noise and additive input noise. In the remainder of this section, these two families are described.
II-A1 Additive Output Noise
Figure 1 (a) illustrates the schematic diagram of the closed-loop system with additive output noise. The additive noise is modelled by a zero-mean moving-average (MA) stochastic process of the form
[TABLE]
where is a sequence of i.i.d. zero-mean noise (which is not necessarily Gaussian) of unit variance and is a FIR filter of prescribed order . Then, is a stationary process with zero-mean and well-defined autocovariance function [9]. The additive noise can be expressed as , where and
[TABLE]
The identification error covariance, in this case, is
[TABLE]
Further, the output variance can be determined by
[TABLE]
where .
Remark II.6
It should be noted that by increasing the order of the noise generation filter , the performance can only be improved while maintaining the same privacy guarantee. This is because the optimal solution from the lower order is always feasible in the optimization problem relating to the higher order noise filters. The order of the system is thus only dictated by the available resources for preserving the privacy of the model.
II-A2 Additive Input Noise
Figure 1 (b) shows the schematic diagram of the closed-loop system with additive input noise. In this case, the additive input noise is denoted by and is modeled by a zero-mean MA stochastic process of the form
[TABLE]
where, similarly, is a sequence of i.i.d. zero-mean noise of unit variance and is a FIR filter of prescribed order determining the autocorrelation of . Then, the new system is described by
[TABLE]
The additive noise , in this case, is the contribution of to the output, i.e., . Define
[TABLE]
which can be expressed as
[TABLE]
Note that can be expressed as with and is defined similarly to in (6). The identification error covariance becomes
[TABLE]
Finally, it can be shown that , where .
II-B Deterministic Input
This part is dedicated to solving Problem II.2. The results are first presented for the output noise case.
II-B1 Additive Output Noise
For additive output noise, Problem II.2 can be rewritten as
[TABLE]
where denotes the maximum tolerated output variance. Define the performance degradation ratio
[TABLE]
If the goal of the designer is to keep the performance degradation ratio below , the constant can be selected to be smaller than . The following lemma is instrumental to obtain an analytic solution of (14).
Lemma II.7
Let
[TABLE]
and denote by a selection matrix such that , where is a vector composed of all the columns of the matrix . Then, for the additive noise model, .
Proof:
See Appendix -A. ∎
Defining and noting that the term is independent of (and thus can be discarded from the optimization problem), we transform (14) into
[TABLE]
The following result can be immediately proved.
Theorem II.8
The solution of (16) is , where is the normalized eigenvector corresponding to the largest eigenvalue of .
Proof:
The change of variable transforms the optimization problem in (16) to
[TABLE]
Note that has at least one positive eigenvalue (as otherwise ). Therefore, Courant–Fischer–Weyl min-max principle [10, p. 58] shows is the normalized eigenvector corresponding to the largest eigenvalue of .∎
It can be seen that the quality of the model identification drops linearly with increasing . At the same time, the performance degradation ratio increases linearly with . This captures the trade-off between these two objectives. Note that, for instance, simply increasing the noise variance to the upper bound would also yield a linear increase of the identification error, as is proportional to . However, this strategy is non-optimal, and Theorem II.8 shows how to obtain the best trade-off between performance degradation and model quality degradation, namely how to get the highest linear gain. A comparison between these two strategies is given in Section IV.
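The following Python block is an added worked example (written for this page, not the authors' code) of the design in Theorem II.8 for the additive output noise case. It builds the adversary's least-squares estimator for a small FIR system, forms the quadratic function of the filter coefficients f that equals the extra trace of the parameter covariance caused by the MA noise w = T_f e (this matrix is derived here directly from the covariance expression, since the matrix of Lemma II.7 is not reproduced on this page), and takes f as sqrt(gamma) times the normalized eigenvector of its largest eigenvalue, where gamma bounds var(w) = ||f||^2. The FIR coefficients, input sequence, measurement noise variance and budget are constructed values; the block also evaluates the non-optimal white-noise strategy of the same variance for comparison.

```python
"""Optimal MA output noise against least-squares FIR identification.
Added example, not the paper's code. Symbols follow Section II:
theta = FIR coefficients, Phi = regressor, f = MA filter, gamma = budget."""
from math import sqrt

# --- constructed example data (not from the paper) ---
THETA = [1.0, 0.5, 0.25]                                              # true FIR response
U = [1.0, -0.5, 0.8, 0.3, -1.2, 0.9, 0.1, -0.7, 0.6, 1.1, -0.4, 0.2]  # input sequence
SIGMA2 = 0.1     # variance of the white measurement noise v
M = 2            # order of the MA noise filter f (M+1 coefficients)
GAMMA = 1.0      # budget on var(w) = ||f||^2 (e has unit variance)

def regressor(u, n):
    """Phi[t][i] = u[t-i] with the system at rest before t = 0, so y = Phi theta + v."""
    return [[u[t - i] if t - i >= 0 else 0.0 for i in range(n)] for t in range(len(u))]

def transpose(a):
    return [list(col) for col in zip(*a)]

def matmul(a, b):
    bt = transpose(b)
    return [[sum(x * y for x, y in zip(row, col)) for col in bt] for row in a]

def inverse(a):
    """Gauss-Jordan inverse with partial pivoting (matrices here are tiny)."""
    n = len(a)
    aug = [row[:] + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(aug[r][c]))
        aug[c], aug[p] = aug[p], aug[c]
        piv = aug[c][c]
        aug[c] = [x / piv for x in aug[c]]
        for r in range(n):
            if r != c:
                fac = aug[r][c]
                aug[r] = [x - fac * y for x, y in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def toeplitz(f, big_n):
    """T_f with (T_f e)_t = sum_k f_k e_{t-k}; e runs from t = -M to big_n-1."""
    m = len(f) - 1
    t = [[0.0] * (big_n + m) for _ in range(big_n)]
    for row in range(big_n):
        for k, fk in enumerate(f):
            t[row][row - k + m] = fk
    return t

def error_matrix_q(phi, m):
    """Q such that f^T Q f = ||P T_f||_F^2 with P = (Phi^T Phi)^{-1} Phi^T,
    i.e. the added trace of cov(theta_hat) due to w; built column by column."""
    phit = transpose(phi)
    p = matmul(inverse(matmul(phit, phi)), phit)
    cols = []
    for k in range(m + 1):
        basis = [1.0 if j == k else 0.0 for j in range(m + 1)]
        cols.append([x for row in matmul(p, toeplitz(basis, len(phi))) for x in row])
    return [[sum(x * y for x, y in zip(a, b)) for b in cols] for a in cols]

def top_eigenvector(q, iters=1000):
    """Power iteration; Q is positive semidefinite so it converges to the top pair."""
    v = [1.0 / sqrt(len(q))] * len(q)
    for _ in range(iters):
        qv = [sum(x * y for x, y in zip(row, v)) for row in q]
        norm = sqrt(sum(x * x for x in qv))
        v = [x / norm for x in qv]
    lam = sum(v[i] * sum(q[i][j] * v[j] for j in range(len(q))) for i in range(len(q)))
    return lam, v

def identification_error(f, phi=None, sigma2=SIGMA2):
    """trace cov(theta_hat) = sigma2 * tr((Phi^T Phi)^{-1}) + ||P T_f||_F^2."""
    if phi is None:
        phi = regressor(U, len(THETA))
    phit = transpose(phi)
    inv = inverse(matmul(phit, phi))
    pt = matmul(matmul(inv, phit), toeplitz(f, len(phi)))
    return sigma2 * sum(inv[i][i] for i in range(len(inv))) + sum(x * x for r in pt for x in r)

def design_output_noise(phi, m, gamma):
    """Theorem II.8 form: f = sqrt(gamma) * eigenvector of the largest eigenvalue."""
    lam, v = top_eigenvector(error_matrix_q(phi, m))
    return [sqrt(gamma) * x for x in v], lam

def compare(gamma=GAMMA, m=M):
    """Optimal coloured noise versus white noise of the same variance versus no noise."""
    phi = regressor(U, len(THETA))
    f_opt, lam = design_output_noise(phi, m, gamma)
    f_white = [sqrt(gamma)] + [0.0] * m
    return {"f_opt": f_opt, "lam_max": lam,
            "err_opt": identification_error(f_opt, phi),
            "err_white": identification_error(f_white, phi),
            "err_none": identification_error([0.0] * (m + 1), phi)}

if __name__ == "__main__":
    print(compare())
```

Because the MA noise enters the covariance linearly through T_f, the extra identification error is exactly a quadratic form in f, so the constrained maximization over ||f||^2 <= gamma reduces to the largest-eigenvalue problem stated in the theorem; the white-noise filter [sqrt(gamma), 0, 0] is feasible, which is why the optimal design can never do worse than it.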
If, for a given application, the linear dependency between model quality degradation and system performance degradation is not suitable, one can use the following alternative formulation of the problem:
[TABLE]
where determines the weight on the performance versus the privacy. This formulation is useful when the constraint on the performance is not hard (i.e., the degradation does not need to be maintained under a given level, but large output variations are undesirable). This problem is rewritten as
[TABLE]
where is defined in (15).
Theorem II.9
Let be the eigenvalues of and denote the corresponding eigenvectors. The solution of (18) is
[TABLE]
Proof:
See Appendix -B. ∎
II-B2 Additive Input Noise
Similarly, Problem II.2 can be expressed as
[TABLE]
Using the same line of reasoning as in Lemma II.7, we introduce the following instrumental result.
Lemma II.10
Let be a selection matrix such that . Then, for the additive input noise model,
[TABLE]
where and are defined in (15).
Proof:
The proof follows the same line of reasoning as in Lemma II.7.∎
Now, note that the coefficients of the filter and filter are related according to
[TABLE]
where is a Toeplitz matrix formed by the coefficients of . Substituting (21) in (20) gives Therefore, the optimization problem in (19) can be transformed into
[TABLE]
where . The following result can be immediately proved.
Theorem II.11
Assume . The solution of (22) is , where is the normalized eigenvector corresponding to the largest eigenvalue of .
Proof:
Introducing transforms the optimization problem in (16) to
[TABLE]
The rest of the proof follows the same line of reasoning as in the proof of Theorem II.8. ∎
The condition is satisfied so long as has full column rank. This is guaranteed if , i.e., no fewer than parameters are required for describing filter .
Remark II.12
The derivations of this section hold for arbitrary noise distributions as only the first and the second moments of the noise were considered. However, the choice of the Gaussian noise is highly preferred as it makes the integration of the closed-loop system with other control loops much easier. This is an important feature as, most often, off-the-shelf systems are interconnected to achieve complex tasks. Other noise distributions do not lend themselves that easily to integration as they might violate assumptions in the design of the control loops (e.g., Laplace noise results in an increased false alarm rate for fault detection schemes).
II-C Extension to regularized least-squares
We now modify the proposed privacy-preserving technique to cope with regularized least-squares estimators. The cost function associated with this type of estimators is
[TABLE]
where is a positive semidefinite matrix (usually called a kernel) inducing desired properties in the estimates , see [11] for details on regularized methods for system identification. The solution to (23) is
[TABLE]
with the obvious definition of . This solution is biased. Further, it can be verified (see, e.g., [11]) that the mean square error (MSE) of the estimate is given by
[TABLE]
the first term on the right hand side corresponding to the bias induced by the regularization penalty. Then, the results of Theorems II.8 and II.9 hold by redefining
[TABLE]
and, accordingly, updating the definition of the matrix . Note that the identification performance depends on the parameter , regulating the bias-variance trade-off, and on the kernel matrix . These are user choices, which are not accessible to the privacy-preserving device. One possible way to circumvent this issue is to consider the best possible choice of kernel, which is given by [11].
II-D Random Inputs
The problem of designing an additive output noise is only considered in this section. The results can be easily extended to the design of input noises following the same line of reasoning. Problem II.5 can be cast as
[TABLE]
Note that . Although having the same definition, , , are used instead of , , and to emphasize they are functions of random variables and . Define . The optimization problem in (27) can be rewritten as
[TABLE]
Theorem II.13
The solution of (28) is , where is the normalized eigenvector corresponding to the largest eigenvalue of .
Proof:
The proof follows the same line of reasoning as in Theorem II.8. ∎
Unfortunately, calculating in an explicit form as a function of the distributions of and is generally difficult. The following remark provides a numerical algorithm for constructing an approximation of this matrix.
Remark II.14 (Monte Carlo Simulation)
Samples of possible input length , , are selected randomly. For each , samples of the inputs of length can be selected. Let these samples be denoted by . Define Evidently, as both and tend to infinity for all . Therefore, by selecting enough samples, an arbitrarily close approximation of with a high probability can be constructed.
III Relationship to Differential Privacy
Throughout this section, the design of an additive output noise is only considered. The results for the additive input noise can be constructed similarly. Furthermore, is assumed to belong to a compact set .
Definition III.1
The system is -differentially private if for all Lebesgue-measurable sets and that differ in at most one entry, i.e., . The system is -differentially private if .
Note that a random variable is said to follow the Laplace distribution with mean and (scaling) parameter if for all Lebesgue-measurable sets .
Theorem III.2
Assume that is a sequence of i.i.d. Laplace random variables with . Then, the system is -differentially private.
Proof:
See Appendix -C. ∎
Note that exists and is finite because is assumed to be a compact set.
Theorem III.3
Assume that is a sequence of i.i.d. Laplace random variables with scaling parameter . Then, .
Proof:
The proof follows from that ∎
The combination of Theorems III.2 and III.3 illustrates the trade-off between preserving privacy and closed-loop performance: as tends to zero (to achieve a higher level of privacy), the performance degrades (i.e., goes to infinity).
Proposition III.4
Let . Then, .
Proof:
See Appendix -D.∎
Proposition III.4 illustrates that the parameter of the Laplace noise should be increased upon admitting larger input sequences. This is because, with larger , there are more data from which to extract the system parameters and, thus, the employed mechanism needs to be more conservative to avoid leaking the private information. Some relaxations of differential privacy, e.g., -differential privacy, lend themselves to using Gaussian noise; see, e.g., [4]. Let for any and define with denoting the inverse of .
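As an added example for this section (written for this page, not the authors' code), the Python below applies the standard Laplace mechanism to the T-sample output of an FIR model under the neighbourhood relation of Definition III.1, where two coefficient vectors differ in at most one entry. It assumes the compact parameter set is the box |theta_i| <= R (the paper's set is not given on this page), computes the L1 sensitivity of the output sequence and the Laplace scale b = sensitivity / epsilon, reports the per-sample noise variance 2b^2, and bounds the log-likelihood ratio between two neighbouring models. The input sequence, FIR order, box bound and epsilon are constructed values; checking the scale for increasing T shows the behaviour of Proposition III.4.

```python
"""Laplace output noise for FIR model privacy (Definition III.1 neighbourhood).
Added example, not the paper's code. Assumes |theta_i| <= R for all i."""
import math
import random

# --- constructed example data (not from the paper) ---
U = [1.0, -0.5, 0.8, 0.3, -1.2, 0.9, 0.1, -0.7, 0.6, 1.1, -0.4, 0.2]
N = 3       # number of FIR coefficients
R = 1.0     # box bound on each coefficient (assumed compact set)
EPS = 0.5   # target privacy level epsilon

def regressor(u, n, T):
    """Phi[t][i] = u[t-i] for the first T samples, system at rest before t = 0."""
    return [[u[t - i] if t - i >= 0 else 0.0 for i in range(n)] for t in range(T)]

def l1_sensitivity(u, n, T, r=R):
    """Largest L1 change of the T-sample output when one coefficient moves
    anywhere inside [-r, r]: max_i 2r * sum_t |Phi[t][i]|.  Non-decreasing in T."""
    phi = regressor(u, n, T)
    return max(2.0 * r * sum(abs(phi[t][i]) for t in range(T)) for i in range(n))

def laplace_scale(u, n, T, eps=EPS, r=R):
    """Laplace mechanism: i.i.d. Laplace(0, b) with b = Delta_1 / eps is eps-DP."""
    return l1_sensitivity(u, n, T, r) / eps

def output_variance(b):
    """Variance contributed to each output sample by Laplace(0, b) noise."""
    return 2.0 * b * b

def privacy_loss_bound(theta, theta2, u, T, b):
    """Sup over outputs of log p(y|theta)/p(y|theta2) for i.i.d. Laplace(b) noise,
    which is ||Phi (theta - theta2)||_1 / b; it must not exceed eps for neighbours."""
    phi = regressor(u, len(theta), T)
    diff = [a - c for a, c in zip(theta, theta2)]
    return sum(abs(sum(p * d for p, d in zip(row, diff))) for row in phi) / b

def laplace_sample(rng, b):
    """Inverse-CDF sampler for Laplace(0, b)."""
    q = rng.random() - 0.5
    q = max(q, -0.5 + 1e-12)          # keep log argument strictly positive
    return -b * math.copysign(1.0, q) * math.log(1.0 - 2.0 * abs(q))

def private_output(theta, u, T, eps=EPS, r=R, seed=0):
    """Release y_t = (Phi theta)_t + Laplace(0, b) for t < T with the eps-DP scale."""
    rng = random.Random(seed)
    b = laplace_scale(u, len(theta), T, eps, r)
    phi = regressor(u, len(theta), T)
    return [sum(p * th for p, th in zip(row, theta)) + laplace_sample(rng, b)
            for row in phi]

if __name__ == "__main__":
    for T in (4, 8, 12):
        b = laplace_scale(U, N, T)
        print(T, round(b, 3), round(output_variance(b), 3))
```

The sensitivity grows with the record length because every extra output sample adds a non-negative term to the column sums of Phi, so a fixed epsilon forces a larger scale and, through 2b^2, a larger output variance for longer experiments; this is the privacy versus performance tension the two theorems above describe.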
Theorem III.5
Assume that is a sequence of i.i.d. zero-mean Gaussian noise with . Then, the system is -differentially private.
Proof:
The proof is similar to that of Theorem III.2 and can be found in [4]. ∎
IV Numerical Examples
Consider the discrete-time system where Clearly, is not a FIR system. This system can be approximated by the FIR filter The quality of the approximation is . In the following, we consider the deterministic input and the random input cases.
IV-1 Deterministic inputs
We assume that a sequence of input samples is injected by the malicious entity. The sequence is generated by filtering a white noise process through the low-pass filter . We set and , so that we are allowed to double the variance of the output. First, we consider the least-squares estimator (3). We compute the identification error, given by , of least-squares equipped with the proposed privacy-preserving technique in the additive output noise case with , and the identification error of least-squares without any privacy-preserving device. To get a fair comparison, in the latter case the noise variance is equal to the total noise variance of the former case, that is . The noise filter designed by the privacy-preserving device yields , while the variance obtained using standard least-squares is ; we have thus obtained an error increase of approximately .
We now consider regularized least-squares estimators, as described in Subsection II-C. We employ as regularization kernel the stable spline kernel (see [11]), with . The trade-off parameter is set as . Using the proposed privacy-preserving technique, the obtained MSE of the estimated system is , while without privacy preservation (and with the same noise variance) we get an MSE equal to . Increasing , the privacy-preserving device tends to have a milder effect on the MSE, because the regularized least-squares estimator gives higher weight to the prior knowledge, penalizing the information acquired from data.
IV-2 Random inputs
Assume that the malicious entity injects a sequence of i.i.d. zero-mean unit-variance Gaussian variables of length chosen with equal probability from . The approach of Subsection II-D is considered for constructing an optimal additive output noise with . In this example, is approximated using the method of Remark II.14 with and . Set and . Therefore, the performance degradation ratio is upper-bounded as (indeed the upper bound is tight due to the nature of the optimal solution). The optimal additive input noise, in this case, is driven by the FIR filter . Using the Monte Carlo simulation, it can be shown that Therefore, the system identification error has been approximately doubled at the expense of doubling the output variance. From Theorem II.13, it can be inferred that
V Conclusions
Adding input and output noises for increasing the model identification error was considered. Optimal filters for constructing additive coloured noises were designed to maximize the identification error while maintaining the closed-loop performance degradation below a threshold. Differential privacy was also explored for designing output noises that preserve the privacy of the model.
-A Proof of Lemma II.7
We have Now, note that where the second step follows from [12, Lemma 4.3.1].
-B Proof of Theorem II.9
Taking the derivative of the cost function with respect to results in Setting this derivative equal to zero gives The candidate solutions for this equation are either (referred to as the type-1 solution) or vectors that are parallel to with the condition that for all (referred to as the type-2 solutions). An eigenvalue may generate a type-2 solution only if (since otherwise would have a negative norm, which is not possible).
Therefore, if , the only solution to (18) can be the type-1 solution (as the condition cannot be satisfied for any if it cannot be satisfied for the largest eigenvalue ). This is the case if the penalty on the variance of is too large and no variations can be tolerated.
If , the two types of solution coincide.
We now verify whether type-1 and type-2 solutions correspond to global minima of the cost function in (18). Let us define , and also denote the -th row of by . Computing the Hessian of the cost function in (18) at yields where is a matrix such that its entry is . Then which is positive definite only if . This observation shows that the type-1 solution is only a minimum when . Noting that for the case where , is the only stationary point of the cost function, then it is a global minimum.
We now study type-2 solutions. Let us define , so that a candidate type-2 solution can be written . In what follows, we first assume that . We then relax this assumption at the end of the proof. For any , we have , where is the -th entry of . Consequently and, in matrix notation, Hence, for any of these solutions, we have Since is positive semidefinite, its eigenvectors form an orthonormal basis [12, p. 229]. Hence, admits the decomposition . Consequently, we can write where
[TABLE]
Due to the orthonormality of the , the eigenvalues of are then .
Consider now a candidate type-2 solution corresponding to an eigenvalue . In this case, one of the eigenvalues of is , which is negative under the assumption . Therefore, all the candidate type-2 solutions corresponding to an eigenvalue are not minima, so we must discard them. As for , the set of eigenvalues of is
[TABLE]
which are all positive for . Therefore, is positive definite for and, since there are no other minima, this corresponds to a global minimum.
Now, assume that . Following the same steps as in the proof above, we can show that none of the type-2 solutions corresponding to with can be a minimizer (because the Hessian is indefinite for them). Similarly, we can also show that all the type-2 solutions corresponding to with are at least local minima (because the Hessian is positive definite). To show that these points are also global minimizers, we need to prove that they have the same cost. Let and for any . We have where the first equality follows from that .
-C Proof of Theorem III.2
It can be proved that
[TABLE]
where is a characteristic function, i.e., if and if , and the inequality follows from Integrating (29) over gives .
-D Proof of Proposition III.4
If only differ in entry , . Thus, The rest of the proof follows from that all the terms in the sum are positive (and setting keeps the most terms).
References
[1] C. R. Rojas, J. S. Welsh, G. C. Goodwin, and A. Feuer, “Robust optimal experiment design for system identification,” Automatica, vol. 43, no. 6, pp. 993–1008, 2007.
[2] M. Gevers, “A personal view of the development of system identification: A 30-year journey through an exciting field,” IEEE Control Systems, vol. 26, no. 6, pp. 93–105, 2006.
[3] C. Dwork, “Differential privacy,” in Automata, Languages and Programming: 33rd International Colloquium, ICALP 2006, Venice, Italy, July 10-14, 2006, Proceedings, Part II (M. Bugliesi, B. Preneel, V. Sassone, and I. Wegener, eds.), pp. 1–12, Berlin, Heidelberg: Springer, 2006.
[4] J. Le Ny and G. J. Pappas, “Differentially private filtering,” IEEE Transactions on Automatic Control, vol. 59, no. 2, pp. 341–354, 2014.
[5] Z. Huang, Y. Wang, S. Mitra, and G. E. Dullerud, “On the cost of differential privacy in distributed control systems,” in Proceedings of the 3rd International Conference on High Confidence Networked Systems, pp. 105–114, 2014.
[6] F. Farokhi, J. Milosevic, and H. Sandberg, “Optimal state estimation with measurements corrupted by Laplace noise,” in Proceedings of the 55th Conference on Decision and Control, pp. 302–307, IEEE, 2016.
[7] J. Le Ny and G. J. Pappas, “Privacy-preserving release of aggregate dynamic models,” in Proceedings of the 2nd ACM International Conference on High Confidence Networked Systems, pp. 49–56, 2013.
[8] T. Söderström and P. Stoica, System Identification. Prentice-Hall, 1988.
