Differentially Private Vertical Federated Learning

TL;DR

This paper explores applying differential privacy to vertical federated learning to balance data privacy and model performance, demonstrating experimental results on real datasets with various privacy budgets.

Contribution

It introduces a differential privacy framework for vertical federated learning and analyzes the privacy-performance trade-off through experiments.

Findings

Privacy-utility trade-off depends on the amount of noise added.

Optimal privacy budgets balance model accuracy and data protection.

Vertical FL can be effectively combined with differential privacy techniques.

Abstract

A successful machine learning (ML) algorithm often relies on a large amount of high-quality data to train well-performed models. Supervised learning approaches, such as deep learning techniques, generate high-quality ML functions for real-life applications, however with large costs and human efforts to label training data. Recent advancements in federated learning (FL) allow multiple data owners or organisations to collaboratively train a machine learning model without sharing raw data. In this light, vertical FL allows organisations to build a global model when the participating organisations have vertically partitioned data. Further, in the vertical FL setting the participating organisation generally requires fewer resources compared to sharing data directly, enabling lightweight and scalable distributed training solutions. However, privacy protection in vertical FL is challenging due to the communication of intermediate outputs and the gradients of model update. This invites adversary entities to infer other organisations underlying data. Thus, in this paper, we aim to explore how to protect the privacy of individual organisation data in a differential privacy (DP) setting. We run experiments with different real-world datasets and DP budgets. Our experimental results show that a trade-off point needs to be found to achieve a balance between the vertical FL performance and privacy protection in terms of the amount of perturbation noise.