SafeNet: The Unreasonable Effectiveness of Ensembles in Private Collaborative Learning
Harsh Chaudhari, Matthew Jagielski, Alina Oprea

TL;DR
SafeNet demonstrates that model ensembles in secure multiparty computation (MPC) settings significantly enhance privacy, robustness, and efficiency in collaborative machine learning, outperforming traditional MPC protocols in attack resistance and training speed.
Contribution
This work introduces SafeNet, a framework leveraging ensembles in MPC to improve privacy, scalability, and robustness against poisoning and privacy attacks in collaborative ML.
Findings
SafeNet reduces backdoor attack success rates.
SafeNet achieves 39x faster training and 36x less communication.
Ensembling maintains robustness even in non-iid data settings.
Abstract
Secure multiparty computation (MPC) has been proposed to allow multiple mutually distrustful data owners to jointly train machine learning (ML) models on their combined data. However, by design, MPC protocols faithfully compute the training functionality, which the adversarial ML community has shown to leak private information and to be susceptible to tampering in poisoning attacks. In this work, we argue that model ensembles, implemented in our framework called SafeNet, are a highly MPC-amenable way to avoid many adversarial ML attacks. The natural partitioning of data amongst owners in MPC training allows this approach to be highly scalable at training time, provide provable protection from poisoning attacks, and provide a provable defense against a number of privacy attacks. We demonstrate SafeNet's efficiency, accuracy, and resilience to poisoning on several machine learning datasets and models trained…
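The robustness argument in the abstract rests on a simple property: when every data owner trains its own model and the ensemble decides by majority vote, a poisoned owner controls only its own vote, whereas a single model trained on the pooled data absorbs the poisoned records directly. The following added example (not SafeNet's code, and not the paper's training protocol; the 1-nearest-neighbour "models", the five owners, the constructed shards and the trigger point are all assumptions) contrasts the two settings on a toy backdoor: one owner adds a single mislabelled trigger point, the pooled model repeats that label at the trigger, and the per-owner ensemble outvotes it while agreeing on clean inputs.

```python
from collections import Counter
from typing import List, Tuple

Point = Tuple[float, float]
Labeled = Tuple[Point, int]


def make_owner_shard(offset: float) -> List[Labeled]:
    """Constructed sample data for one honest owner: class 0 near (0, 0), class 1 near (4, 4).
    The offset just makes each owner's shard slightly different."""
    return [
        ((0.0 + offset, 0.0), 0),
        ((0.0, 0.5 + offset), 0),
        ((4.0 - offset, 4.0), 1),
        ((4.0, 3.5 - offset), 1),
    ]


HONEST_OWNERS: List[List[Labeled]] = [make_owner_shard(0.1 * i) for i in range(4)]

# Hypothetical backdoor: an input far from all honest data, which honest models map to class 0.
TRIGGER: Point = (10.0, -10.0)
TARGET_LABEL = 1

# The poisoned owner holds a normal-looking shard plus the trigger point with the attacker's label.
POISONED_OWNER: List[Labeled] = make_owner_shard(0.05) + [(TRIGGER, TARGET_LABEL)]
ALL_OWNERS: List[List[Labeled]] = HONEST_OWNERS + [POISONED_OWNER]


def sq_dist(a: Point, b: Point) -> float:
    return (a[0] - b[0]) ** 2 + (a[1] - b[1]) ** 2


def predict_1nn(shard: List[Labeled], x: Point) -> int:
    """Toy per-owner model: label of the nearest training point in the shard."""
    return min(shard, key=lambda xy: sq_dist(xy[0], x))[1]


def predict_pooled(owners: List[List[Labeled]], x: Point) -> int:
    """Baseline: one model over the union of all owners' data (what a plain joint-training
    protocol computes). A poisoned record is part of the model like any other."""
    pooled = [xy for shard in owners for xy in shard]
    return predict_1nn(pooled, x)


def predict_ensemble(owners: List[List[Labeled]], x: Point) -> int:
    """Ensemble in the spirit of the paper: each owner's local model casts one vote,
    the majority label wins (ties broken towards the smallest label)."""
    votes = Counter(predict_1nn(shard, x) for shard in owners)
    best = max(votes.values())
    return min(label for label, count in votes.items() if count == best)


def tolerated_poisoned_owners(n_owners: int) -> int:
    """Majority voting keeps the honest answer as long as fewer than half the owners are poisoned."""
    return (n_owners - 1) // 2


if __name__ == "__main__":
    for x in [TRIGGER, (0.2, 0.1), (3.8, 4.1)]:
        print(x, "pooled:", predict_pooled(ALL_OWNERS, x),
              "ensemble:", predict_ensemble(ALL_OWNERS, x))
    print("poisoned owners tolerated out of", len(ALL_OWNERS), ":",
          tolerated_poisoned_owners(len(ALL_OWNERS)))
```

On the trigger input the pooled model returns the attacker's label 1 because the planted record is its nearest neighbour, while the ensemble returns 0 because four honest owners outvote the single poisoned one; on the clean inputs both approaches agree. The vote count is the whole guarantee here: with five owners at most two can be poisoned before the majority can be flipped, which is the bound the paper's "provable protection" refers to in this simplified setting.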
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Cryptography and Data Security · Adversarial Robustness in Machine Learning
