Next Article in Journal
A High-Capacity and High-Security Image Steganography Network Based on Chaotic Mapping and Generative Adversarial Networks
Next Article in Special Issue
Adversarial Attacks with Defense Mechanisms on Convolutional Neural Networks and Recurrent Neural Networks for Malware Classification
Previous Article in Journal
Acoustic Simulations Applied to the Garden of Rufolo’s Villa in Ravello: Comparison between Different Scenarios
Previous Article in Special Issue
ICVTest: A Practical Black-Box Penetration Testing Framework for Evaluating Cybersecurity of Intelligent Connected Vehicles
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
Applied Sciences
Volume 14
Issue 3
10.3390/app14031224
applsci-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles thumb_up
...
Endorse textsms
...
Comment
first_page
settings
Order Article Reprints
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Privacy-Preserving Deep Learning Framework Based on Restricted Boltzmann Machines and Instance Reduction Algorithms

by
Alya Alshammari
and
Khalil El Hindi
*
Department of Computer Science, College of Computer & Information Sciences, King Saud University, Riyadh 11543, Saudi Arabia
*
Author to whom correspondence should be addressed.
Appl. Sci. 2024, 14(3), 1224; https://0-doi-org.brum.beds.ac.uk/10.3390/app14031224
Submission received: 14 November 2023 / Revised: 7 January 2024 / Accepted: 9 January 2024 / Published: 1 February 2024
(This article belongs to the Special Issue Safety, Security and Privacy in Cyber-Physical Systems (CPS))
Browse Figures
Versions Notes

Abstract

:
The combination of collaborative deep learning and Cyber-Physical Systems (CPSs) has the potential to improve decision-making, adaptability, and efficiency in dynamic and distributed environments. However, it brings privacy, communication, and resource restrictions concerns that must be properly addressed for successful implementation in real-world CPS systems. Various privacy-preserving techniques have been proposed, but they often add complexity and decrease accuracy and utility. In this paper, we propose a privacy-preserving deep learning framework that combines Instance Reduction Techniques (IR) and the Restricted Boltzmann Machine (RBM) to preserve privacy while overcoming the limitations of other frameworks. The RBM encodes training data to retain relevant features, and IR selects the relevant encoded instances to send to the server for training. Privacy is preserved because only a small subset of the training data is sent to the server. Moreover, it is sent after encoding it using RBM. Experiments show that our framework preserves privacy with little loss of accuracy and a substantial reduction in training time. For example, using our framework, a CNN model for the MNIST dataset achieves 96% accuracy compared to 99% in a standard collaborative framework (with no privacy measures taken), with training time reduced from 133.259 s to 99.391 s. Our MLP model for MNIST achieves 97% accuracy compared to 98% in the standard collaborative framework, with training time reduced from 118.146 s to 87.873 s. Compared to other studies, our method is a simple approach that protects privacy, maintains the utility of deep learning models, and reduces training time and communication costs.

1. Introduction

Deep learning models trained on massive amounts of data may contain private and sensitive information that is subject to organizational or governmental regulations [1], resulting in serious privacy concerns related to the potential misuse or leakage of training data. Various attacks may compromise the privacy of deep learning frameworks, such as reconstructing [2] or extracting data points [3], stealing parameters [4], or constructing nearly identical models to the targeted models [5].
Collaborative deep-learning scenarios where multiple parties jointly train models further increase these concerns [6]. The privacy problems associated with collaborative deep learning become particularly pertinent in the setting of Cyber-Physical Systems (CPSs), which include the integration between computational and physical processes. CPS applications frequently deal with sensitive data from physical locations, and the collaborative nature of model training poses difficulties with safe data sharing and communication. Medical devices, for example, which are essential components of many CPS applications in healthcare, are particularly vulnerable to privacy threats. These devices deal with extremely sensitive data, such as personal health information and medical records [7]. In response to privacy concerns, privacy-preserving deep learning concepts have emerged [1]. These practices aim to preserve the privacy of training data, the trained model and its parameters, and the input and output in the prediction phase [1,8,9]. They use techniques such as Differential Privacy [1], Federated Learning [10], Homomorphic Encryption [11], Secure Multiparty Computation [12], and Trusted Execution Environments [13]. However, these solutions pose significant challenges, such as the trade-off between privacy and utility, the cost of encryption, communication and computation overheads, and the inability to handle complicated deep learning models and enormous datasets.
In this study, we propose a privacy-preserving collaborative deep learning framework that preserves the privacy of the client’s training data, the model and its parameters, and the client’s data point in the inference phase, maintains the utility of deep learning models, and reduces the training time and communication overhead. The framework combines Instance Reduction Techniques [14] and the Restricted Boltzmann Machine [15]. RBM learns the relevant features and generates encodings of input data that preserve the relevant features. Then, an Instance Reduction Technique is used to select the relevant encoded training instances to send to the central server for model training. Using our framework, clients only need to send the selected encoded instances to the server for model training rather than sending all their unencoded data. This approach ensures the complete preservation of privacy for the unsent data while also providing a certain degree of privacy protection for the subset of data that is sent. Our framework is novel, effective, and practical and can be applied to various deep-learning tasks in a privacy-preserving manner. Furthermore, it is suited to the special challenges of Cyber-Physical Systems (CPSs). It prioritizes training data privacy, fulfills real-time decision-making requirements, and allows for deep learning models’ utility in CPS applications. The framework’s goals of reducing training time and communication overhead effectively address the challenges posed by the time-sensitive and interconnected nature of CPS environments.
Our framework satisfies all privacy-preserving requirements specified and guarantees the privacy qualitative metrics [9] by guaranteeing the privacy of the training datasets by sending a small subset of the user-encoded data rather than the entire raw data. Furthermore, the same technique can be employed to protect the privacy of the input in the prediction phase. Additionally, the trained model and its parameters are protected from the training parties because no model sharing takes place.
We evaluated the proposed learning framework on three image classification benchmark datasets: MNIST [16], Fashion-MNIST [17], and EMNIST-LETTERS [18]. We compared our framework’s performance to a conventional collaborative deep learning framework that does not protect privacy. We used two neural network architectures: multilayer perceptron and convolutional neural networks [15]. Our experimental results show that our framework preserves privacy with some loss in accuracy. Also, it decreases the training time significantly compared to a conventional collaborative framework that does not protect privacy.
The main contribution of this work is the proposal of a novel paradigm in which Restricted Boltzmann Machines are used to extract salient features from training data, resulting in stochastic representations or encodings. These encodings act as a proxy for real data during deep learning model training, achieving equivalent accuracy. Additionally, our technique incorporates Instance Reduction, allowing a training entity to selectively share a portion of its encoded training data.
Our framework’s importance goes beyond privacy concerns. Extraneous noise and irrelevant instances are effectively filtered out by IR, leading to significant improvements in computer efficiency, communication time, memory use, and overall classification accuracy. In contrast to the existing literature, our approach stands out for its inherent simplicity, providing privacy preservation while preserving deep learning model efficiency, all while reducing computing and communication costs. Our study is notable for its synergistic combination of RBMs and Instance Reduction Techniques, which presents a unique framework that has not been previously studied in the literature, as far as we know. Our use of Restricted Boltzmann Machines (RBMs) to ensure privacy and security represents a novel approach. To the best of our knowledge, there are no previous studies that have utilized RBMs for security or privacy protection purposes [8].
The article is structured as follows: Section 2 introduces the key techniques used in our framework—Restricted Boltzmann Machines and Instance Reduction Techniques. In Section 3, we review related works on privacy preservation in deep learning. The heart of our contribution is in Section 4, where we present our innovative framework. Section 5 and Section 6 cover the evaluation and discussion of our results, respectively. Finally, Section 7 concludes our study and suggests directions for future research.

2. Background

2.1. Restricted Boltzmann Machines (RBMs)

We use Restricted Boltzmann Machine (RBM) models [19] to learn the relevant features before we use an IR technique to select the subset of relevant instances to send to the server. RBMs are generative models [19,20] and undirected probabilistic graphical models that are applied to a wide range of applications, including feature extraction, collaborative filtering, and image reconstruction [21]. RBMs are composed of two layers [15] as shown in Figure 1. The visible layer represents the observable variables like training data, while the hidden layer represents the latent variables of the extracted features from the visible data [22].
These two layers are linked to each other via weighted connections [19]. Furthermore, there are no links between the units of each layer [15]. The training dataset is presented to the network’s visible layer, while the network’s hidden layer learns how to represent these data in a low-dimensional probabilistic way [23]. For every pairing of visible and hidden units, the network assigns the following Boltzmann probability distribution P ( v , h ) [19]:
p ( v , h ) = 1 z exp ( E ( v , h ) )
where v represents visible layer inputs, v ≡ {v1, ..., vn}; and h represents the hidden layer outputs, h ≡ {h1, ..., hm}. Z is the partition function obtained by summing all possible pairs of v and h. E is the energy of the joint configuration of ( v , h ) given as:
E ( v , h ) = i v i s i b l e a i v i j h i d d e n b j h j i , j v i h j w i j
where ai and bj are biases, and wij is the weight between visible unit i and hidden unit j. RBMs use Gibbs Sampling to generate and sample units in the visible layer and hidden layer [22]. Gibbs Sampling is an algorithm that involves many steps, and in each step, a variable’s value is replaced with a value taken from its distribution that is conditioned on the values of the remaining variables [24]. RBMs are trained using the Contrastive Divergence Algorithm, which iteratively applies Gibbs sampling until convergence [25].
Restricted Boltzmann Machines can be employed to create new samples by learning the probability distribution of the visible layer P ( v ) . Also, RBMs can be used to extract features and reduce dimensionality by learning the probability distribution of the hidden layer P ( h ) [23]. The probability distribution of these layers is given as [23]:
p ( v ) = 1 z h exp ( E ( v , h ) )
p ( h ) = 1 z v exp ( E ( v , h ) )
In this study, our focus lies on exploring the latent space representation of the input data, specifically the hidden layer’s representation. We term these representations as “encodings” due to their ability to capture and encode the crucial features present within the input instances. These encodings serve as a condensed representation that captures the salient information from the input instances, allowing us to use them for training a global model instead of using the original instances.

2.2. Instance Reduction Techniques (IR)

Instance Reduction Techniques (IR), sometimes referred to as Instance Selection Algorithms (IS), reduce the size of the training dataset by selecting which instances to keep for use in the generalization process [14]. Instance Reduction Techniques are most commonly utilized in the context of Instance-Based Learning (IBL) [26], although they are used to improve classification accuracy by removing noisy instances, speed up neural networks [27,28], and reduce excessive memory storage [29].
Instance Reduction Techniques aim to obtain a subset S from a training set, T, with the objective of excluding irrelevant instances that may be noisy or redundant. The resulting subset S should ideally preserve the overall characteristics of the original training set, ensuring that the accuracy of the learning algorithm on S (denoted as Accuracy(S)) is close to the accuracy on the full training set T (denoted as Accuracy(T)) [30].
The purpose of these techniques is to reduce the size of the training set while minimizing the impact on performance. Interestingly, it has been observed that instance reduction techniques can even enhance the classification accuracy of neural networks and reduce training time by eliminating outliers or border instances, which in turn helps to smooth the decision boundaries prior to the model training stage [27,28]. By removing these potentially misleading or noisy instances, the instance reduction techniques contribute to improving the overall quality of the training set, leading to more robust and accurate neural network models.
Various techniques for reducing the number of instances have been extensively studied and documented in the literature [14,30,31,32,33]. In this study, we select the Edited Nearest Neighbor (ENN) algorithm as our choice for instance reduction. Despite its moderate reduction rate [14], ENN is known for its efficiency, making it a suitable option for our purposes. Efficiency plays a crucial role in our study due to the large-scale nature of the datasets we use in our experiments, which are characterized by a high number of attributes. Additionally, ENN is readily available in popular open-source frameworks, ensuring its accessibility for implementation. It is important to note that this work should be seen as proof of concept, aiming to demonstrate the practicality of the proposed framework. While we have opted for the ENN algorithm, it is worth mentioning that any instance reduction algorithm can be utilized in the proposed framework, providing flexibility in the choice of techniques based on the characteristics of the datasets.
The ENN algorithm was developed by Wilson in 1972 [34]. Starting with S = T, this technique eliminates every instance in S if its class is different from the majority of its k nearest neighbors’ classes (k is often 3) [14]. ENN eliminates noisy instances as well as border instances that are close to instances from other classes [28]. Therefore, it usually increases classification accuracy while having a lower reduction rate because it keeps the internal instances. The Edited Nearest Neighbor algorithm is presented in Algorithm 1.
Algorithm 1: Edited Nearest Neighbor (T) [34]
Data: T = [ I n s t a n c e 1 , I n s t a n c e m ]
Result: Reduced dataset S
1begin
2   S = T
3      for I n s t a n c e i S
4         find the k-nearest neighbors to I n s t a n c e i
5         find the class with the majority of points among the k-nearest neighbors.
6         (Break ties randomly)
7         if the class of I n s t a n c e i is different from the majority class, then
8              S = S I n s t a n c e i
9     return S

3. Related Work

Much work has addressed privacy-preserving in deep learning. Shokri et al. [1] define privacy objectives as protecting the privacy of the model, the privacy of the model’s output, and essentially the data used to learn the model. Additionally, they distinguish between direct and indirect data leakage. Direct leakage may occur during the training phase when training sets are revealed to other parties, as well as during the prediction phase when input data or the model output are revealed to another party. In contrast, sharing model parameters and updates across parties may result in indirect leakage.
In their work, Zhang et al. [6] explore the topic of privacy in collaborative deep learning settings. Collaborative deep learning involves two main phases: the training phase, where algorithm parameters are optimized using labeled data, and the prediction phase, which utilizes user input to make predictions. The authors classify collaborative deep learning frameworks into two modes: direct collaborative deep learning and indirect collaborative deep learning. They further investigate the privacy-preserving technologies commonly employed in collaborative deep learning and examine their respective advantages and drawbacks. According to their analysis, current approaches in the field aim to strike a balance between data privacy and utility by combining secure multi-party computing, homomorphic encryption, and differential privacy techniques. These approaches strive to provide a reasonable trade-off between preserving the privacy of data and maintaining the usefulness of the collaborative deep learning process.
In [35], Nasr et al. employ white-box inference attacks to conduct privacy analysis on deep learning models. They define privacy leakage as the information that an adversary can extract from a model regarding its training data, which cannot be obtained from other models trained on different data from the same distribution. The authors utilize inference attacks to measure the extent of privacy leakage and provide empirical evidence showing the high effectiveness of white-box membership inference attacks against well-generalized models.
In their review paper [8], Tariq et al. delve into the current advancements in deep learning with a specific focus on security and privacy. They highlight the privacy-preserving requirements that a framework should fulfill, including the non-disclosure of training party data and predictions, as well as the client’s lack of awareness of the server and global model configurations. The authors conduct a comprehensive analysis of threats and attacks related to deep learning from both the security and privacy domains. They also provide a thorough examination of existing privacy-preserving techniques and frameworks in the literature.
Furthermore, Tariq et al. emphasize the need for further research and emphasis on the development of efficient private training methods in deep learning. They point out that existing solutions proposed in the literature often come with a higher computational overhead, highlighting the importance of exploring more efficient approaches in order to achieve privacy preservation in deep learning effectively.
In their studies [9,36], Tanuwidjaja et al. provide a comprehensive overview of privacy-preserving deep learning (PPDL) in the context of Machine Learning as a Service (MLaaS). The authors also delve into traditional privacy-preserving techniques like differential privacy and cryptography and discuss their applicability to deep learning architectures. They highlight that some adjustments need to be made to combine these traditional approaches with deep learning, such as the approximation of activation functions, inclusion of batch normalization layers, and utilization of large stride convolutional layers. Additionally, Tanuwidjaja et al. critically examine the challenges and limitations faced by privacy-preserving deep learning frameworks. They identify two main issues: communication overhead and computation overhead. These challenges remain open problems in the field of Deep Learning and present significant hurdles in achieving optimal performance and privacy. It is worth noting that in this work, we address these issues, particularly the communication and computation overheads. By tackling these challenges, we contribute to advancing the field of privacy-preserving deep learning and improving the overall performance and privacy guarantees of the framework.
The following subsection reviews the related work on privacy-preserving deep learning frameworks.

3.1. Privacy-Preserving Deep Learning (PPDL)

Privacy-Preserving Deep Learning (PPDL) studies involve the integration of deep learning frameworks with various privacy-preserving techniques. The following sections provide a brief overview of the mentioned techniques and their associated challenges.

3.1.1. Works Based on Differential Privacy

Differential Privacy (DP) aims to provide strong privacy guarantees by adding noise to the data or model parameters. It ensures that the presence or absence of individual data points does not significantly affect the model’s output. It has become a common approach for preserving privacy in machine learning [37]. Shokri et al. [1] is the first work considered privacy-preserving in collaborative deep learning where clients (training parties) learn a global model without sharing their data. In [1], each party obtains parameters from the server, runs the stochastic gradient descent (SGD) algorithm on its local dataset to update the local parameters, and then selectively uploads some of the gradients to the server. Sharing part of the gradients reveals some information about the training data; hence, they use differential privacy by adding noise to the parameter’s updates. Ref. [38] proposes a differentially private stochastic gradient descent (SGD) algorithm that calculates the gradients from a random sample and clips them. After that, it computes the average, adds noise, and descents in the opposite direction of the average noisy gradients. However, in this work, the accuracy is affected by using large privacy budgets. Different approaches suggest adding noise to the objective function [39] and the data [40] rather than gradients. Other works such as [41] suggest using local Differential Privacy to address scenarios where a centralized entity for data aggregation is not feasible or trustworthy, providing a decentralized alternative to protect individual data privacy without relying on a central curator. However, they are complicated approaches that demand much computation from the training party and result in lower accuracy even with low privacy budgets.
To implement differential privacy mechanisms in deep learning, compromises are necessary to preserve utility. The choice of differential privacy variants and privacy budgets also affects the privacy and utility of machine learning models in practical applications. Jayaraman and Evans [42] examined these matters in their work and discovered a significant difference between the upper bounds of privacy loss guaranteed by differential privacy mechanisms and the actual privacy losses measured through inference attacks.
Overall, the application of differential privacy in deep learning requires careful consideration of the compromises needed to preserve utility while ensuring privacy. The choice of privacy mechanisms, privacy budget values, and evaluation of privacy losses through inference attacks are important aspects to address in privacy-preserving machine learning research.

3.1.2. Works Based on Federated Learning

Federated Learning is a decentralized computation approach, proposed by Brendan McMahan and others [10]. In this method, each data owner trains a model locally on their own dataset and then sends the model’s updates, or gradients, to a central server. The server then combines, or averages, these gradients. This approach, however, does not inherently guarantee privacy, so it is often combined with other techniques like differential privacy, secure multi-party computation, and group signature as noted by [43,44,45].
Despite numerous improvements, Federated Learning still faces several problems and challenges, as identified by Kairouz et al. [46]. They argue that many of these problems are interdisciplinary, involving not only machine learning but also areas like distributed optimization, compressed sensing, privacy and differential privacy, security and cryptography, and fairness. Therefore, for a Federated Learning framework to be superior, it needs to address these issues and understand how they intersect.

3.1.3. Works Based on Homomorphic Encryption

In homomorphic encryption (HE) [47], parties encrypt their data, and the server conducts operations on the ciphertexts and delivers the encrypted prediction to the parties. CryptoNets [11] was the first work to show how to apply homomorphic encryption to neural networks. They approximate the non-linear activation functions and transform a neural network to polynomials, and hence any polynomial function can be computed over encrypted data using homomorphic encryption [11]. CryptoDL is a similar work that approximates low-degree polynomials for activation functions and evaluates the convolutional neural networks over the encrypted data [48]. Furthermore, homomorphic encryption began to be adopted as a solution to protect the privacy of the learning process in combination with other technologies [49,50]. However, many of these works are limited to the predictive phase since the decryption and encryption processes add communication and computational overhead. To overcome the communication and computational issues, ref. [51] proposed a GPU acceleration solution to accelerate the full homomorphic evaluation of the CNN model on encrypted data. Due to the higher number of operations and the longer runtime, it does not tolerate the training stage on encrypted data.
Despite all efforts, the fundamental issue with using HE with neural networks is that they add a computational overhead to the training phase. Also, in practice, the poor approximation of the activation function might cause neural networks to perform poorly. It also generates larger encrypted messages, which consume more memory [52].

3.1.4. Works Based on Secure Multiparty Computation

Multi-party computing (MPC) protocols use cryptographic techniques including homomorphic encryption, secret sharing, and oblivious transmission to allow participants to jointly compute a function over their private inputs [53]. Traditional secure computation protocols are not easily scalable for Machine Learning (ML) applications. Therefore, many improvements have been proposed to make them suitable for training and inferencing in ML models [12,54,55]. However, the main drawback of MPC-based frameworks is the communication cost and computation overhead. Therefore, recent works [56,57,58] recommended utilizing graphics processing units (GPUs) to accelerate cryptographic operations and MPC implementation.
However, a recent work by Tramer et al. [59] doubts the privacy guarantees in multiparty computation protocols. Tramer et al. demonstrated that adversaries could increase information leakage by modifying their input even if they honestly follow the protocols. Therefore, the MPC-based frameworks fail to recognize all adversary threats in collaborative learning scenarios [59]. Moreover, combining MPC with other cryptographic primitives like differential privacy has issues such as limitations of both techniques will be applied to the hybrid framework, and the suitability of these mixed frameworks is a concern in their applications since they involve more complex assumptions and hence need more security investigation [60].
In contrast, our work eliminates these costs and overhead issues by sending a reduced subset of the encodings without too many privacy concerns. Furthermore, the RBM’s generation of the encodings has less computation overhead compared to cryptographic approaches like MPC and HE. Also, Applying the Instance Reduction Technique reduces training time.

3.1.5. Works Based on Trusted Execution Environments

Trusted execution environments (TEEs) provide secure hardware environments to isolate code and data from other software, even from the operating system and hypervisor [13]. The first attempt to employ the secure enclave is Intel’s Software Guard Extensions (SGX), which are a set of instructions and memory access mechanisms designed to secure running a trusted code on an untrusted platform [9]. The trusted code must be public to be inspected by the users [61]. Therefore, using simply SGX to protect privacy is insufficient from a security and privacy perspective, as the machine-learning service provider’s code may not be fully trustworthy [9].
Hunt et al. [61] proposed a combination of SGX and a sandbox to prevent data exfiltration, providing assurance to users that their data will not be compromised by untrusted code, even if they cannot inspect it [9]. They also introduced Chiron, a machine-learning solution within the SGX enclave, which allows data owners to train ML models without revealing their training data [61]. However, Chiron’s reliance on SGX means it is restricted to CPU and cannot utilize GPUs or other machine-learning processors. Tramèr et al. [62] expanded the use of TEEs to GPUs for machine-learning inference. They presented Slalom, a framework for evaluating deep neural networks that offloads all linear layers from a TEE, like SGX, to a GPU. While this approach enhances throughput and energy efficiency by assigning linear layers to GPU, using Slalom to train deep neural networks still presents complex, unresolved challenges [62].
In general, the fundamental problem with TEEs is their limited memory and CPU resources, which make the training of complex deep learning models a significant challenge [46]. Furthermore, there is a risk of data leakage due to side-channel attacks [9].

3.1.6. Works Based on Data Anonymization

More recent approaches use generative modeling and deep learning techniques like GAN, DGAN, AUTOENCODER, RBM, and others to anonymize data by generating synthetic data [23,63]. As a result, these synthetic data serve as an accurate representation of the distribution of the original data but are less sensitive, reducing privacy concerns [23]. The intention behind these generative models-based approaches is to enable the sharing and publishing of private data amongst various entities [63], rather than to ensure privacy in collaborative learning scenarios. To the best of our knowledge, there have been no studies that apply synthetic data generation using generative models to preserve privacy in collaborative learning scenarios or to maintain privacy in deep learning models more generally.

3.1.7. Works Based on Instance-Encoding Technique

A more recent approach to preserving privacy in deep learning is to encode the training instances before feeding them to a deep learning model. Huang et al. propose InstaHide [64], which is an instance encoding scheme for private learning. They assert that this scheme is efficient for distributed learning in federated learning, despite a reduction in accuracy. InstaHide [64] comprises two steps: the first involves mixing the images by taking the private image’s linear combination with randomly selected images from the private set (Inside dataset) or a public dataset (Cross dataset). The second step uses a random pattern of sign flips on the mixed image. Carlini et al. demonstrated in their work [65] that InstaHide fails to maintain privacy, as it does not comply with recognized privacy notions and is susceptible to privacy attacks. Moreover, they developed an attack strategy that successfully recovered source images with high similarity, thereby undermining the privacy protection offered by InstaHide.
Generally, InstaHide [64] is the work most closely related to ours, as it introduces the concept of encoding training instances before inputting them into a machine learning model, and it also proposes preserving privacy within a collaborative framework. However, as the authors themselves acknowledge, using the Mixup technique to blend instances with other instances does not guarantee privacy [64]. Additionally, random sign-flipping does not offer inherent privacy protection [65]. In contrast, our work efficiently preserves both the privacy and utility of data within collaborative deep learning frameworks.
In summary, the reviewed literature highlights significant challenges including the trade-off between privacy and utility, threat model assumptions, encryption, and communication and computation overheads, as well as the inability to handle complex deep learning models. These challenges underscore the need for a framework that safeguards privacy while addressing these issues. Our work steps in to address this gap by protecting the privacy of the training data, the model, and the prediction. Furthermore, compared to cryptographic methods like Multi-Party Computation (MPC) and Homomorphic Encryption (HE), our use of Restricted Boltzmann Machines to generate encodings introduces a significantly lower computational overhead.

4. Our Proposed Framework

In this section, we present a privacy-preserving learning framework based on Restricted Boltzmann Machines and Instance Reduction Algorithms. The goal of this framework is to preserve privacy while maintaining model accuracy and reducing the computation and communication overhead in collaborative learning settings. Our work differs from other privacy-preserving frameworks in the reviewed literature by addressing the privacy–utility trade-off, encryption, communication, and computation overheads, and the inability to handle complex deep learning models.
We assume that the deep learning framework is collaborative deep learning, where two or more training parties share their local data to jointly learn a deep learning model [6]. Each training party (user or client) applies an RBM model to their training data to encode it in a way that retains the relevant features. Then, a reduction technique is used to select a reduced subset of the encoded data to send to the server. This reduced and encoded set is sent to a central server without too many concerns about data privacy or computation and communication overhead, as the majority of the data are not sent depending on the retention rate of the reduction technique used. The central server combines the reduced datasets into one training set and then builds and trains an MLP or a CNN global model using the combined dataset. Figure 2 shows our privacy-preserving deep learning framework. The central server does not need to share any hyperparameters of the model with other parties. Similarly, in the prediction phase, the training party applies the RBM model to a data point to encode data and then sends it to a central server for prediction. The server then runs the deep learning models and returns the prediction output’s label, not the prediction score.
The server might be owned by a service provider operating in sectors such as healthcare or finance, or a Machine Learning as a Service (MLaaS) platform [9], which provides predictive services to clients. We also make the common assumption that the server and participants are honest but might be curious since they follow the same training protocol but might be curious about other participants’ training datasets. If they are not honest, then they may deviate from the protocol rules or even falsify data.

4.1. Phase 1: Encoding Instances Using Restricted Boltzmann Machine

In the first step, we use RBM to learn the hidden layer’s representation (latent representation) of the input data. We refer to these representations of the input data as “encodings” because they encode the essential features contained in the input instances, as shown in Figure 3.
The reason we do not utilize other generative models instead of RBM to generate the encodings is that, in contrast to conventional autoencoders that provide deterministic representations of the data in the hidden layer, Restricted Boltzmann Machines produce stochastic representations of the data since they learn the joint probability distribution of the visible and hidden units [25]. This stochasticity works in favor of privacy since it produces harmless noise during alternating Boltzmann sampling, making it difficult to trace the generated encodings back to the actual data points [23]. Therefore, the hidden layer learns the essential properties without being overly constrained by the samples from the training data. Furthermore, as far as we know, no work has used the mentioned method of generating the encodings of the inputs to preserve privacy.

4.2. Phase 2: Selecting a Subset of the Encoded Training Data Using Instance Reduction Techniques

Next, each client applies an instance reduction technique on the encodings produced by the RBM to obtain a reduced subset, R, from the encodings set E where RE, such that R does not contain irrelevant (noisy or redundant) instances. The goal of using IR is to select a subset of the encoded data points to send to the central server, as shown in Figure 4.
Furthermore, removing irrelevant instances tends to improve memory usage and reduce training time and communication overhead. Employing instance reduction strategies, mitigates the impact of outliers, reducing the training time and chances of overfitting the training data [27] and the susceptibility to privacy attacks that may exploit such outliers [66].
Despite the existence of numerous instance reduction techniques proposed in the literature, with several investigated by [27] for their efficacy in creating reduced datasets for multilayer neural network training, our work exclusively employs the Edited Nearest Neighbor method to produce reduced datasets. This study should primarily be viewed as proof of concept; the focus is not on employing the best instance reduction method Instead, we aim to verify whether a central server can build a practical model using reduced subsets of encoded training data from multiple sources, without having to decode this training data. Another question we address is the server’s ability to make accurate predictions using RBM-encoded data points rather than the data points themselves.

4.3. Phase 3: Sending the Subsets of Encoded Training Data to the Central Server to Train Deep Learning Models

As illustrated in Figure 5, the reduced sets of encodings are transmitted to a central server, which amalgamates them into a single training set for use in training global deep-learning models. During the prediction phase, clients can dispatch encodings of the data points to the server. The server then operates the deep learning models and returns the label of the predicted output. Notably, there is no need for the server to decode either the training data or the query data.

4.4. Privacy of the Proposed Framework

Our framework is designed for collaborative deep learning scenarios, specifically for image classification models that involve a service provider and various client institutions, which could be in fields such as healthcare or finance. In these collaborations, we adopt a commonly assumed behavior model in data privacy research—participants are considered to be “honest-but-curious” [9]. This means participants adhere to the proposed training protocol but may have an interest in gaining additional knowledge about others’ training datasets. The reason this assumption is common in data privacy is that it reflects a realistic scenario where entities follow protocol rules but might attempt to infer more information if possible. It allows us to develop mechanisms that protect sensitive information, even when entities are curious to learn beyond what they are permitted, hence ensuring robust privacy protection.
Using our framework, we seek to guarantee the privacy of the training datasets by training a global model on subsets of users’ data after encoding them using RBM. Thus, clients do not reveal their complete raw training data to the server. Furthermore, the trained model and its parameters are protected from other clients. Similarly, in the prediction phase, the client encodes the data to be classified using the RBM model before sending it to the central server. The central server runs the deep learning models and returns the prediction output’s label, not the prediction vector. Therefore, our model satisfies the privacy-preserving framework requirements [8] where a framework preserves the privacy of the client’s training data, the model and its parameters, and the client’s data point in the inference phase.
Furthermore, common privacy violation attacks cannot be used against our framework based on the definition of our framework. Membership Inference Attacks are built based on two assumptions: the first is that overfitting in machine learning models is the cause of the high confidence score for member instances more than it would be for non-member instances [42]. The second is that the gradient distribution is more distinct for member and non-member instances [35]. In our framework, we prevent such attacks by addressing these assumptions.
We only share the output label in the inference phase; we do not share the prediction vector. Further, we prevent direct access to the model and its parameters. Therefore, it is more challenging to launch a membership attack on our framework to determine if a specific data point is included in the training set or not. The target model training set is made up of a subset of the encoded versions of the data points rather than the entire data. Also, sharing the output label and preventing direct access to the model and its parameters prevent model-stealing attacks. The model extraction attacks [5] require the obtaining of the confidence score while hyperparameter-stealing attacks [4] require obtaining access to the training data and model parameters. Similarly, attribute inference attacks are prevented since they are used with collaborative systems that enable training parties to access the models or their parameters, as in federated learning.
Furthermore, data extraction attacks are inapplicable to our frameworks because the training dataset is made up of encodings rather than real data points. If the adversary in a black box setting tries to influence the model to leak information, it might do so with the encodings rather than the actual data. Also, by using Instance Reduction Techniques, we eliminate the effect of the outliers and the near-border instances, therefore reducing overfitting [27] and, thus, susceptibility to these privacy attacks [66].
Moreover, is it possible for a malicious server or a training party to retrieve the original instance from the encoding? The answer to this is probably not, because each instance has distinct weights that are not shared with the server or any other training party. An adversary needs the same weights and biases to learn the visible units’ probability and be able to generate reconstructions of the original images.

5. Evaluation

5.1. Datasets

In our experiments, we utilize three benchmark datasets for image classification, namely, MNIST [16], Fashion-MNIST [17], and EMNIST-Letters [18]. We selected these grayscale image datasets because our work employs the Learnergy implementation of RBM [67], which is designed to handle grayscale images.
The MNIST dataset [16] comprises 60,000 training instances and 10,000 testing instances. Each instance represents a handwritten digit formatted as a 28 × 28 grayscale image. The learning objective is to classify these images into one of ten classes, corresponding to integer values ranging from 0 to 9.
Similarly, Fashion-MNIST [17] consists of 60,000 grayscale images, with the training and testing split, image size, and format identical to those of MNIST. The goal is to classify each fashion product image (e.g., dresses, coats, and shirts) into one of ten classes from 0 to 9, each representing a different fashion product.
The EMNIST-Letters dataset [18] is a collection of 28 × 28 grayscale images of handwritten letters and contains 145,600 training examples and 20,800 testing examples. The learning objective here is to classify an image into one of 26 classes, corresponding to the letters from A to Z.
Both MNIST [16] and Fashion-MNIST [17] datasets have separate test sets of 10,000 instances each, whereas the EMNIST-Letters [18] dataset has a separate test set of 20,800 instances. We use these test datasets to evaluate the performance of the global models trained by the central server.

5.2. Computing Frameworks

To develop and test our framework, we use Colab notebooks [68], which come with a single NVIDIA Tesla K80 GPU and 12 GB of memory to accelerate computations. Also, we use Learnergy [67], which is a Python package to build an energy-based machine learning to build RBMs and imbalanced-learn tools [69] to implement instance selection algorithms. Furthermore, we use Pytorch [70] to train the deep neural network models.

5.3. Evaluation Metrics

In our experiments, we utilize a variety of evaluation metrics to monitor the model’s performance throughout the training and testing phases. Our primary metrics include accuracy, F1-score, and loss. We also record the overall times for training, validation, and testing. In terms of privacy evaluation, we adopt qualitative metrics as proposed by [9].

5.4. Experimental Setup

In our privacy-preserving framework, we have six clients (data owner parties) and one server (computing party). We randomly assigned each of the six clients a portion of the total training data. The same subset is maintained by each client throughout the different experiments, while the server has the corresponding test data. We used three datasets in our empirical work: MNIST [16], Fashion-MNIST [17], and EMNIST-Letters [18].
In the first phase of our framework, each client applies a Restricted Boltzmann Machine model to their data to encode data. We first build RBM models using the Learnergy library [67]. Table 1 shows the model architecture used for each data set. Then, each client uses and fits the built RBM model on its data to generate encodings, which are the learned hidden layer representations of the input data. In each RBM model, we set the size of the visible layer equal to input image 784 and the size of the hidden layer to 576 to generate 24 × 24 encodings. We also employed the same RBM architectures on the server to encode the test data. Of course, the training parties must use the same RBM architecture.
The next phase of our framework that follows the use of RBM is using an Instance Reduction Technique. Each client uses an Instance Reduction Technique to select a reduced set of data encodings to send to the server. We use the Edited Nearest Neighbor algorithm as implemented in the imbalanced-learn library [69]. The neighbor parameter is set to 3.
Finally, the reduced sets of encodings are used by a central server to train global models. After combining the reduced sets of encodings from all the clients into a single global training dataset on the server, we randomly divided the data into training and validation sets. The validation set represents 20% of the training set. We use the validation set to tune the model. We train two types of classifiers for the global model (trained by the server): multilayer perceptron (MLPs) and convolutional neural networks (CNNs). Table 2 and Table 3 show the CNN and MLP model architectures and training parameters for the MNIST and Fashion-MNIST, while Table 4 and Table 5 show the model architectures for the EMNIST-Letters dataset.

6. Results and Discussion

We investigate and compare two scenarios: our proposed privacy-preserving collaborative framework, which we refer to as the ‘privacy-preserving collaborative scenario’, and a conventional collaborative learning scenario that does not protect privacy. We evaluate these two frameworks based on accuracy, loss, F1-score, and overall training time. Furthermore, we statistically evaluated if our results were significant using the Wilcoxon signed-rank test [71].
In a collaborative scenario that does not protect privacy, each client sends all of their available training data to the server. These data often contain sensitive details, thereby violating privacy. The server then combines the raw data from the clients and uses it to train a global model. Table 6 describes the sizes of the datasets used in the experiments.
As shown in Table 7, the CNN model achieved 99% accuracy on the MNIST test set, 91% on the Fashion-MNIST, and 93% on the EMNIST-Letters test set, while the MLP model achieved 98% on the MNIST test set, 89% on the Fashion-MNIST, and 89% on the EMNIST-Letters test set. Furthermore, Table 7 reports the training and testing time of the models on the different datasets. The training time for the CNN model ranged between 82 and 133 s, while for the MLP model, it ranged between 25.6 and 118 s.
In general, this conventional collaborative scenario represents a server-based framework or direct collaborative deep learning [6]. In this approach, each user uploads a local dataset to the central server during training to train the deep learning model. Since this framework uses all training data, it is expected to achieve the best classification performance. However, it comes with privacy risks; this scenario is susceptible to direct privacy leakage [1] by exposing data to another party. Moreover, as it transfers all client data to the server, it may result in significant network overheard.
In our privacy-preserving learning framework, the server gathers the encoded data sent by all clients and trains a global model. Table 8 displays the sizes and percentages relative to the full dataset sizes of the reduced encoded datasets, reduced by the ENN algorithm, and used to train and test privacy-preserving collaborative models.
Table 9 shows that the MLP model in the proposed framework achieved 97% accuracy on the MNIST test dataset, down from 98%. It also reached 85% on the Fashion-MNIST dataset, a decrease from 89%, and 85% on the EMNIST-Letters test set, also down from 89%. Furthermore, Table 9 indicates that the CNN model in the proposed framework achieved 96% accuracy on the MNIST test set, down from 99% in the conventional collaborative framework. It also achieved 84% on the Fashion-MNIST, down from 91% in the conventional framework, and 82% on the EMNIST-Letters test set, down from 93%. The larger gap between the CNN and MLP models in the two frameworks may be attributed to the fact that CNN, as a deep learning method, can make better use of the training data. Consequently, any reduction in the training data has a more significant impact on the CNN models compared to the MLP models. However, this trade-off in accuracy may be considered acceptable in sensitive domains where privacy is a primary concern.
Our results indicate that the MLP models were less impacted by the proposed framework, which uses subsets of data encoded using RBM. One possible explanation for this is that CNN incorporates a robust feature detection mechanism that generally requires large datasets to function effectively. While RBM does select features, its selection may not be as effective for classification tasks because it is not specifically oriented toward them. RBM focuses on identifying features that are necessary for data reconstruction, rather than those that are most relevant for classification. Consequently, when CNN is trained on only a subset of the data, it may fail to accurately identify all relevant features.
It is worth noting that the proposed framework reduces training time. Table 9 also summarizes the training and testing times for the models across different datasets. For example, training the CNN model on the MNIST dataset with the proposed framework takes 99.391 s, down from the 133.25 s required by the conventional collaborative framework (see Table 7 and Table 9). Similarly, training times for the CNN model on the Fashion-MNIST and EMNIST-Letters datasets are reduced to 68.51 and 35.24 s, respectively, down from 133.37 and 82.59 s in the conventional framework. Table 7 and Table 9 also show a similar reduction in training time for the MLP models. Figure 6 and Figure 7 show the percentage of training time using the reduced datasets in the proposed framework relative to the total time taken using the complete datasets in the conventional framework (which does not protect privacy).
Through the experiments and the results, we found that our framework preserves privacy with some loss in classification accuracy. In addition to preserving accuracy, the proposed framework proved to significantly reduce the models’ training time. Furthermore, it reduces the network overhead since it sends subsets of the data instead of the whole data.
Our results indicate that the use of the ENN algorithm in our framework significantly improves training time, a finding consistent with previous studies [27,28,29]. However, reducing the size of the training dataset does slightly impact the accuracy of our deep learning models. This is noteworthy because some Instance Reduction Techniques that remove noisy and borderline instances have been found to improve classification accuracy [27,28]. The divergence in outcomes might be attributable to our use of subsets of encoded data, while previous studies used the original, unencoded data. Additionally, it is worth noting that those studies focused on simpler neural network architectures, making their findings less directly applicable to deep learning models that typically require large datasets for effective learning. Nonetheless, this limitation may be less serious than it appears, as collaborative learning often involves many clients—significantly more than the six we used in our experiments—thus making ample training data available.
Comparing our work with other Privacy-Preserving Deep Learning (PPDL) frameworks in terms of performance presents a challenge. Various studies may be specific to a particular application or domain, diverge in their implementation of privacy-preserving technology, differ in their learning framework configurations, utilize distinct deep learning architectures, or employ different datasets and parameters. Additionally, some studies assess the performance of different approaches by citing results from relevant papers, rather than re-executing the code on the same datasets [9]. However, we opted not to use this method for comparing the performance of privacy-preserving frameworks.
In general, the existing Privacy-Preserving Deep Learning (PPDL) frameworks suffer from many performance issues like an unacceptable utility–privacy trade-off resulting from the practical implementations of differential privacy techniques [42]. Also, significant computation cost and communication overhead result from using many of the MPC-based and HE-based frameworks. For instance, the MPC-based framework detailed in [72] requires 80.5 h to train a simple neural network with two hidden layers on the MNIST dataset, largely due to extensive communication and interactions. Similarly, the use of Homomorphic Encryption (HE) increases communication overhead by generating large, encrypted representations of training instances [8].
In contrast, our framework minimizes communication overhead by transmitting a reduced subset of encodings, which are smaller than the original training sets. Additionally, the computational overhead for generating these encodings with RBMs and applying the ENN algorithm is significantly lower than that of cryptographic methods like MPC and HE. For example, encoding 10,000 images from the MNIST dataset [16] using our RBM model takes each client an average of 243.8 ms, while encoding 10,000 images from Fashion-MNIST [17] takes approximately 272.3 ms. Further, applying the ENN algorithm to these 10,000 MNIST encodings takes an average of 6.28 s, and for Fashion-MNIST encodings, it takes an average of 7.63 s.
To analyze and evaluate the privacy of our framework, we employ qualitative metrics, as suggested by [9]. These metrics include Privacy of the Client (PoC), Privacy of the Model (PoM), and Privacy of the Result (PoR). PoC ensures that neither the server nor other clients can access individual client data. PoM ensures that clients remain unaware of the deep learning model and its parameters, while PoR ensures that clients cannot access information about predicted outcomes. Our framework guarantees all three privacy metrics. We secure the privacy of training datasets by training global models on subsets of user-encoded data rather than the complete raw data. While it is possible that a determined server could decode this subset, our framework, like most privacy-preserving frameworks, assumes that participating parties are honest but may be curious. Also, the server is not required to disclose the trained model or its parameters to the training parties, also known as the donors of the training data. This ensures the Privacy of the Model (PoM). During the inference phase, clients maintain the privacy of their input data by encoding it using a Restricted Boltzmann Machine before sending it to the central server for a prediction. Additionally, we add an extra layer of protection to the prediction outcome: the server only sends back the prediction label without including the confidence score, thereby mitigating the risk of black-box privacy attacks that often leverage such scores.
The level of privacy achieved is directly proportional to the reduction rate enabled by the instance reduction technique employed. This makes it important to explore more effective reduction algorithms with higher reduction rates, such as DROP3 [14]. However, such algorithms often require substantial computational resources, especially when applied to image datasets with numerous attributes. Improving the efficiency of these algorithms and developing new, more efficient reduction methods remains an open area for future research.
Table 10 compares our framework with some of the Privacy-Preserving Deep Learning (PPDL) works surveyed by [9], using qualitative privacy metrics (PoC, PoM, and PoR). In Table 10, the results listed above the bold line are those provided by [9], while the last two rows are for Instance Encodings [64] and our framework.
From Table 10, we observe that our framework and Trusted Execution Environments (TEE) frameworks satisfy all the privacy qualitative metrics compared to other frameworks. In contrast to our framework, TEEs have restricted memory and CPU resources, making it challenging to train complex deep-learning models [46]. Also, the table shows that the secure MPC-based frameworks fail to ensure clients’ data privacy (PoC), while the HE-based frameworks fail to ensure model privacy (PoM). Additionally, we compare our work against InstaHide [64] since it proposes a similar idea of encoding the training instances before using them to train machine learning models. Nevertheless, InstaHide [64] does not guarantee model privacy since it is based on federated learning that shares parameters. Further, it does not guarantee the client’s data privacy as claimed by the authors, since it is vulnerable to privacy attacks that recover the training data [65].
In summary, our framework protects the learning framework privacy by satisfying all privacy metrics and maintaining utility. This approach ensures that clients do not need to disclose their entire raw training data to the server, but only subsets of them. Moreover, only the relevant features of subsets that are extracted using an RBM are sent to the server. Furthermore, our framework extends its privacy protection to the trained model and its parameters, safeguarding them from exposure to other clients, as the server does not need to share them with the clients. During the prediction phase, the clients encode the data for classification using the RBM model before transmitting it to the central server. The central server then executes the deep learning models, returning only the predicted output label to the client.
It is evident that our model adheres to the privacy-preserving framework requirements outlined by Tariq et al. [8]. These requirements focus on preserving the privacy of client training data, the model and its parameters, and individual client data points during the classification phase.
Furthermore, it reduces communication costs by sending a reduced subset of encodings that are smaller than the original images. Additionally, the use of RBMs for data encoding and ENN for data reduction incurs lower computational overhead compared to cryptographic techniques like Multi-Party Computation (MPC) and Homomorphic Encryption (HE). Accordingly, we posit that our work fills a notable gap in the existing literature. It offers a comprehensive solution that addresses the privacy-utility trade-off, encryption challenges, and overheads in communication and computation, while also accommodating the demands of complex deep learning models.
On the other hand, our work, like most research initiatives, has some limitations that need to be acknowledged. One significant constraint is that the framework is currently designed to work only with grayscale image datasets. This limitation is a direct consequence of utilizing Restricted Boltzmann Machines in our methodology. Furthermore, our reliance on Google Colab [68] for development and evaluation limited our computational resources. The platform’s inherent restrictions also prevented us from accurately assessing the actual communication time between clients and the server.

7. Conclusions

This study aims to propose and evaluate a privacy-preserving deep learning framework that combines Instance Reduction Techniques with the Restricted Boltzmann Machine to preserve privacy in collaborative deep learning frameworks and overcome the limitations of other privacy-preserving solutions. In such a framework, each participating party applies a Restricted Boltzmann Machine model to their data, encoding it in a manner that retains the important features relevant for training. Subsequently, a reduction technique (specifically, ENN) is used to select a subset of the data to send to the central server. These reduced sets of encodings are transmitted without concerns about data privacy or computational and communication overheads. Experimental evaluations on MNIST [16], Fashion-MNIST [17], and EMNIST-Letters [18] datasets using CNN and MLP architectures compare the proposed framework with a conventional collaborative learning scenario. The results show that our framework preserves privacy with a little loss of accuracy and a large reduction in training time. The study highlights the framework’s suitability for privacy-preserving collaborative deep learning in real-world applications, emphasizing its potential in sectors such as healthcare, finance, and smart security and surveillance systems, where both privacy and scalability are of utmost importance. For future work, we aim to address framework limitations, optimize reduction algorithms for diverse datasets, enhance model performance, and deploy the framework in real-world applications for comprehensive evaluation.

Author Contributions

Conceptualization, A.A. and K.E.H.; data curation, A.A. and K.E.H.; formal analysis, A.A. and K.E.H.; investigation, A.A. and K.E.H.; methodology, A.A. and K.E.H.; resources, A.A. and K.E.H.; software, A.A.; supervision, K.E.H.; validation, A.A. and K.E.H.; visualization, A.A.; writing—original draft, A.A. and K.E.H.; writing—review and editing, A.A. and K.E.H. All authors have read and agreed to the published version of the manuscript.

Funding

The authors extend their appreciation to the Deputyship for Research and Innovation, “Ministry of Education” in Saudi Arabia for funding this research (IFKSUOR3-400).

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

The data that support the findings of this study are available from the corresponding author upon reasonable request. The data are not publicly available due to privacy.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Shokri, R.; Shmatikov, V. Privacy-Preserving Deep Learning. In Proceedings of the 2015 53rd Annual Allerton Conference on Communication, Control, and Computing (Allerton), Monticello, IL, USA, 29 September–2 October 2015; pp. 909–910. [Google Scholar]
  2. Fredrikson, M.; Jha, S.; Ristenpart, T. Model Inversion Attacks That Exploit Confidence Information and Basic Countermeasures. In Proceedings of the ACM Conference on Computer and Communications Security, Denver, CO, USA, 12–16 October 2015; Volume 2015, pp. 1322–1333. [Google Scholar]
  3. Carlini, N.; Tramèr, F.; Wallace, E.; Jagielski, M.; Herbert-Voss, A.; Lee, K.; Roberts, A.; Brown, T.; Song, D.; Erlingsson, Ú.; et al. Extracting Training Data from Large Language Models. In Proceedings of the 30th USENIX Security Symposium, Vancouver, BC, Canada, 11–13 August 2021; pp. 2633–2650. [Google Scholar]
  4. Wang, B.; Gong, N.Z. Stealing Hyperparameters in Machine Learning. In Proceedings of the IEEE Symposium on Security and Privacy, San Francisco, CA, USA, 21–23 May 2018; IEEE: Piscataway, NJ, USA; Volume 2018, pp. 36–52. [Google Scholar]
  5. Tramèr, F.; Zhang, F.; Juels, A.; Reiter, M.K.; Ristenpart, T. Stealing Machine Learning Models via Prediction APIs. In Proceedings of the 25th USENIX Security Symposium, Austin, TX, USA, 10–12 August 2016; pp. 601–618. [Google Scholar]
  6. Zhang, D.; Chen, X.; Wang, D.; Shi, J. A Survey on Collaborative Deep Learning and Privacy-Preserving. In Proceedings of the 2018 IEEE 3rd International Conference on Data Science in Cyberspace, (DSC 2018), Guangzhou, China, 18–21 June 2018; IEEE: Piscataway, NJ, USA, 2018; pp. 652–658. [Google Scholar]
  7. Keerthi, C.K.; Jabbar, M.A.; Seetharamulu, B. Cyber Physical Systems(CPS):Security Issues, Challenges and Solutions. In Proceedings of the 2017 IEEE International Conference on Computational Intelligence and Computing Research (ICCIC), Coimbatore, India, 14–16 December 2017; pp. 1–4. [Google Scholar]
  8. Tariq, M.; Memon, N.; Ahmed, S.; Tayyaba, E.D.S.; Tahir, M.; Mian, N.A.; Imran, M.; Ashrf, M. A Review of Deep Learning Security and Privacy Defensive Techniques. Mob. Inf. Syst. 2020, 2020, 6535834. [Google Scholar] [CrossRef]
  9. Tanuwidjaja, H.C.; Choi, R.; Baek, S.; Kim, K. Privacy-Preserving Deep Learning on Machine Learning as a Service-a Comprehensive Survey. IEEE Access 2020, 8, 167425–167447. [Google Scholar] [CrossRef]
  10. Brendan McMahan, H.; Moore, E.; Ramage, D.; Hampson, S.; Agüera y Arcas, B. Communication-Efficient Learning of Deep Networks from Decentralized Data. In Proceedings of the 20th International Conference on Artificial Intelligence and Statistics, AISTATS 2017, Fort Lauderdale, FL, USA, 20–22 April 2017; Volume 54, pp. 1273–1282. [Google Scholar]
  11. Xie, P.; Bilenko, M.; Finley, T.; Gilad-Bachrach, R.; Lauter, K.; Naehrig, M. Crypto-Nets: Neural Networks over Encrypted Data. arXiv 2014, arXiv:1412.6181. [Google Scholar]
  12. Bonawitz, K.; Ivanov, V.; Kreuter, B.; Marcedone, A.; McMahan, H.B.; Patel, S.; Ramage, D.; Segal, A.; Seth, K. Practical Secure Aggregation for Privacy-Preserving Machine Learning. In Proceedings of the ACM Conference on Computer and Communications Security, Dallas, TX, USA, 30 October–3 November 2017; pp. 1175–1191. [Google Scholar]
  13. Schunter, M. Intel Software Guard Extensions. In Proceedings of the 2016 ACM Workshop on Software Protection, Vienna, Austria, 24–28 October 2016. [Google Scholar]
  14. Wilson, R.; Martinez, T. Reduction Techniques for Instance-Based Learning Algorithms. Mach. Learn. 2000, 38, 257–286. [Google Scholar] [CrossRef]
  15. Goodfellow, I.; Bengio, Y.; Courville, A. Deep Learning; MIT Press: Cambridge, MA, USA, 2016. [Google Scholar]
  16. LeCun, Y.; Bottou, L.; Bengio, Y.; Haffner, P. Gradient-Based Learning Applied to Document Recognition. Proc. IEEE 1998, 86, 2278–2323. [Google Scholar] [CrossRef]
  17. Xiao, H.; Rasul, K.; Vollgraf, R. Fashion-MNIST: A Novel Image Dataset for Benchmarking Machine Learning Algorithms. arXiv 2017, arXiv:1708.07747. [Google Scholar]
  18. Cohen, G.; Afshar, S.; Tapson, J.; Van Schaik, A. EMNIST: Extending MNIST to Handwritten Letters. In Proceedings of the 2017 International Joint Conference on Neural Networks (IJCNN), Anchorage, AK, USA, 14–19 May 2017; pp. 2921–2926. [Google Scholar] [CrossRef]
  19. Hinton, G.E. A Practical Guide to Training Restricted Boltzmann Machines; Springer: Berlin/Heidelberg, Germany, 2012; Volume 7700. [Google Scholar]
  20. Harshvardhan, G.M.; Gourisaria, M.K.; Pandey, M.; Rautaray, S.S. A Comprehensive Survey and Analysis of Generative Models in Machine Learning. Comput. Sci. Rev. 2020, 38, 100285. [Google Scholar] [CrossRef]
  21. de Rosa, G.H.; Roder, M.; Santos, D.F.S.; Costa, K.A.P. Enhancing Anomaly Detection through Restricted Boltzmann Machine Features Projection. Int. J. Inf. Technol. 2021, 13, 49–57. [Google Scholar] [CrossRef]
  22. Ghojogh, B.; Ghodsi, A.; Karray, F.; Crowley, M. Restricted Boltzmann Machine and Deep Belief Network: Tutorial and Survey. arXiv 2021, arXiv:2107.12521. [Google Scholar]
  23. Kondratyev, A.; Schwarz, C.; Horvath, B. Data Anonymisation, Outlier Detection and Fighting Overfitting with Restricted Boltzmann Machines. SSRN Electron. J. 2020, 1–27. [Google Scholar] [CrossRef]
  24. Bishop, C.; Ligne, S. Pattern Recognition and Machine Learning; Springer: Berlin/Heidelberg, Germany, 2006; Volume 1. [Google Scholar]
  25. Aggarwal, C.C. Restricted Boltzmann Machines. In Neural Networks and Deep Learning; Springer International Publishing AG: Berlin/Heidelberg, Germany, 2018; pp. 235–270. [Google Scholar]
  26. Witten, I.H.; Frank, E.; Hall, M. Data Mining: Practical Machine Learning Tools and Techniques; Elsevier: Amsterdam, The Netherlands, 2005; ISBN 0080890369. [Google Scholar]
  27. EL Hindi, K.; AL-Akhras, M. Smoothing Decision Boundaries to Avoid Overfitting in Neural. Neural Netw. World 2011, 21, 311–326. [Google Scholar] [CrossRef]
  28. El Hindi, K.; Alakhras, M. Eliminating Border Instance to Avoid Overfitting. In Proceedings of the IADIS Multi Conference on Computer Science of Intelligent Systems and Agents 2009, Algarve, Portugal, 21–23 June 2009; pp. 93–99.
  29. Kordos, M. Data Selection for Neural Networks. Schedae Informaticae 2016, 25, 153–164. [Google Scholar] [CrossRef]
  30. Olvera-López, J.A.; Carrasco-Ochoa, J.A.; Martínez-Trinidad, J.F.; Kittler, J. A Review of Instance Selection Methods. Artif. Intell. Rev. 2010, 34, 133–143. [Google Scholar] [CrossRef]
  31. Carbonera, J.L.; Abel, M. A Novel Density-Based Approach for Instance Selection. In Proceedings of the 2016 IEEE 28th International Conference on Tools with Artificial Intelligence (ICTAI), San Jose, CA, USA, 6–8 November 2016; pp. 549–556. [Google Scholar]
  32. Grochowski, M.; Jankowski, N. Comparison of Instance Selection Algorithms II. Results and Comments. In Proceedings of the International Conference on Artificial Intelligence and Soft Computing, Zakopane, Poland, 7–11 June 2004; Volume 3070, pp. 580–585. [Google Scholar]
  33. Malhat, M.; El Menshawy, M.; Mousa, H.; El Sisi, A. A New Approach for Instance Selection: Algorithms, Evaluation, and Comparisons. Expert Syst. Appl. 2020, 149, 113297. [Google Scholar] [CrossRef]
  34. Wilson, D.L. Asymptotic Properties of Nearest Neighbor Rules Using Edited Data. IEEE Trans. Syst. Man Cybern. 1972, 2, 408–421. [Google Scholar] [CrossRef]
  35. Nasr, M.; Shokri, R.; Houmansadr, A. Comprehensive Privacy Analysis of Deep Learning: Passive and Active White-Box Inference Attacks against Centralized and Federated Learning. In Proceedings of the IEEE Symposium on Security and Privacy, San Francisco, CA, USA, 19–23 May 2019; Volume 2019, pp. 739–753. [Google Scholar]
  36. Tanuwidjaja, H.C.; Choi, R.; Kim, K. A Survey on Deep Learning Techniques for Privacy-Preserving. In Machine Learning for Cyber Security, Proceedings of the Second International Conference, ML4CS 2019, Xi’an, China, 19–21 September 2019; Lecture Notes in Computer Science; Springer International Publishing: Berlin/Heidelberg, Germany, 2019; Volume 11806, pp. 29–46. [Google Scholar]
  37. Dwork, C.; Roth, A. The Algorithmic Foundations of Differential Privacy. Found. Trends Theor. Comput. Sci. 2013, 9, 211–407. [Google Scholar] [CrossRef]
  38. Abadi, M.; McMahan, H.B.; Chu, A.; Mironov, I.; Zhang, L.; Goodfellow, I.; Talwar, K. Deep Learning with Differential Privacy. In Proceedings of the ACM Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016; pp. 308–318. [Google Scholar]
  39. Phan, N.H.; Wu, X.; Dou, D. Preserving Differential Privacy in Convolutional Deep Belief Networks. Mach. Learn. 2017, 106, 1681–1704. [Google Scholar] [CrossRef]
  40. Mahawaga Arachchige, P.C.; Bertok, P.; Khalil, I.; Liu, D.; Camtepe, S.; Atiquzzaman, M. Local Differential Privacy for Deep Learning. IEEE Internet Things J. 2020, 7, 5827–5842. [Google Scholar] [CrossRef]
  41. Chen, Z.; Wang, Y. Locally Differentially Private Distributed Online Learning with Guaranteed Optimality. arXiv 2023, arXiv:2306.14094. [Google Scholar]
  42. Jayaraman, B.; Evans, D. Evaluating Differentially Private Machine Learning in Practice. In Proceedings of the 28th USENIX Security Symposium, Santa Clara, CA, USA, 14–16 August 2019; Volume 2019, pp. 1895–1912. [Google Scholar]
  43. Truex, S.; Steinke, T.; Baracaldo, N.; Ludwig, H.; Zhou, Y.; Anwar, A.; Zhang, R. A Hybrid Approach to Privacy-Preserving Federated Learning. In Proceedings of the 12th ACM Workshop on Artificial Intelligence and Security, London, UK, 15 November 2019; pp. 1–11. [Google Scholar]
  44. Wei, K.; Li, J.; Ding, M.; Ma, C.; Yang, H.H.; Farokhi, F.; Jin, S.; Quek, T.Q.S.; Poor, H.V. Federated Learning with Differential Privacy: Algorithms and Performance Analysis. IEEE Trans. Inf. Forensics Secur. 2020, 15, 3454–3469. [Google Scholar] [CrossRef]
  45. Kanchan, S.; Jang, J.W.; Yoon, J.Y.; Choi, B.J. Efficient and Privacy-Preserving Group Signature for Federated Learning. Futur. Gener. Comput. Syst. 2023, 147, 93–106. [Google Scholar] [CrossRef]
  46. Kairouz, P.; McMahan, H.B.; Avent, B.; Bellet, A.; Bennis, M.; Bhagoji, A.N.; Bonawitz, K.; Charles, Z.; Cormode, G.; Cummings, R.; et al. Advances and Open Problems in Federated Learning. Found. Trends Mach. Learn. 2021, 14, 1–210. [Google Scholar] [CrossRef]
  47. Ronald, R.; Len, A.; Michael, D. On Data Banks and Privacy Homomorphisms. Found. Secur. Comput. 1978, 4, 169–180. [Google Scholar] [CrossRef]
  48. Hesamifard, E.; Takabi, H.; Ghasemi, M. CryptoDL: Deep Neural Networks over Encrypted Data. arXiv 2017, arXiv:1711.05189. [Google Scholar]
  49. Phong, L.T.; Aono, Y.; Hayashi, T.; Wang, L.; Moriai, S. Privacy-Preserving Deep Learning via Additively Homomorphic Encryption. IEEE Trans. Inf. Forensics Secur. 2018, 13, 1333–1345. [Google Scholar] [CrossRef]
  50. Phong, L.T.; Phuong, T.T. Privacy-Preserving Deep Learning via Weight Transmission. IEEE Trans. Inf. Forensics Secur. 2019, 14, 3003–3015. [Google Scholar] [CrossRef]
  51. Al Badawi, A.; Jin, C.; Lin, J.; Mun, C.F.; Jie, S.J.; Tan, B.H.M.; Nan, X.; Aung, K.M.M.; Chandrasekhar, V.R. Towards the AlexNet Moment for Homomorphic Encryption: HCNN, the First Homomorphic CNN on Encrypted Data with GPUs. IEEE Trans. Emerg. Top. Comput. 2021, 9, 1330–1343. [Google Scholar] [CrossRef]
  52. Pulido-Gaytan, L.; Tchernykh, A.; Cortés-Mendoza, J.; Babenko, M.; Radchenko, G.; Avetisyan, A.; Drozdov, A. Privacy-Preserving Neural Networks with Homomorphic Encryption: Challenges and Opportunities. Peer-to-Peer Netw. Appl. 2021, 14, 1666–1691. [Google Scholar] [CrossRef]
  53. Goldreich, O. Secure Multi-Party Computation. Manuscript. Prelim. Version 1998, 78, 110. [Google Scholar]
  54. Rouhani, B.D.; Riazi, M.S.; Koushanfar, F. Deepsecure: Scalable Provably-Secure Deep Learning. In Proceedings of the 55th Annual Design Automation Conference, San Francisco, CA, USA, 24–29 June 2018; pp. 1–6. [Google Scholar]
  55. Wagh, S.; Gupta, D.; Chandran, N. SecureNN: 3-Party Secure Computation for Neural Network Training. Proc. Priv. Enhancing Technol. 2019, 2019, 26–49. [Google Scholar] [CrossRef]
  56. Kumar, N.; Rathee, M.; Chandran, N.; Gupta, D.; Rastogi, A.; Sharma, R. CrypTFlow: Secure TensorFlow Inference. In Proceedings of the IEEE Symposium on Security and Privacy, San Francisco, CA, USA, 18–21 May 2020; Volume 2020, pp. 336–353. [Google Scholar]
  57. Tan, S.; Knott, B.; Tian, Y.; Wu, D.J. CryptGPU: Fast Privacy-Preserving Machine Learning on the GPU. In Proceedings of the IEEE Symposium on Security and Privacy, San Francisco, CA, USA, 24–27 May 2021; IEEE: Piscataway, NJ, USA; Volume 2021, pp. 1021–1038. [Google Scholar]
  58. Knott, B.; Venkataraman, S.; Hannun, A.; Sengupta, S.; Ibrahim, M.; van der Maaten, L. CrypTen: Secure Multi-Party Computation Meets Machine Learning. Adv. Neural Inf. Process. Syst. 2021, 34, 4961–4973. [Google Scholar]
  59. Tramèr, F.; Shokri, R.; Joaquin, A.S.; Le, H.; Jagielski, M.; Hong, S.; Carlini, N. Truth Serum: Poisoning Machine Learning Models to Reveal Their Secrets. arXiv 2022, arXiv:2204.00032. [Google Scholar]
  60. Wagh, S.; He, X.; Machanavajjhala, A.; Mittal, P. DP-Cryptography: Marrying Differential Privacy and Cryptography in Emerging Applications. Commun. ACM 2021, 64, 84–93. [Google Scholar] [CrossRef]
  61. Hunt, T.; Song, C.; Shokri, R.; Shmatikov, V.; Witchel, E. Chiron: Privacy-Preserving Machine Learning as a Service. arXiv 2018, arXiv:1803.05961. [Google Scholar]
  62. Tramèr, F.; Boneh, D. Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware. In Proceedings of the 7th International Conference on Learning Representations, ICLR 2019, New Orleans, LA, USA, 6–9 May 2019; pp. 1–19. [Google Scholar]
  63. Abay, N.; Zhou, Y.; Kantarcioglu, M.; Thuraisingham, B.; Sweeney, L. Privacy Preserving Synthetic Data Release Using Deep Learning. In Proceedings of the Joint European Conference on Machine Learning and Knowledge Discovery in Databases, Dublin, Ireland, 10–14 September 2018; pp. 510–526. [Google Scholar]
  64. Huang, Y.; Song, Z.; Li, K.; Arora, S. InstaHide: Instance-Hiding Schemes for Private Distributed Learning. In Proceedings of the 37th International Conference on Machine Learning, ICML 2020, Virtual Event, 13–18 July 2020; pp. 4457–4468. [Google Scholar]
  65. Carlini, N.; Deng, S.; Garg, S.; Jha, S.; Mahloujifar, S.; Mahmoody, M.; Thakurta, A.; Tramer, F. Is Private Learning Possible with Instance Encoding? In Proceedings of the IEEE Symposium on Security and Privacy, San Francisco, CA, USA, 24–27 May 2021; Volume 2021, pp. 410–427. [Google Scholar]
  66. Yeom, S.; Giacomelli, I.; Fredrikson, M.; Jha, S. Privacy Risk in Machine Learning: Analyzing the Connection to Overfitting. In Proceedings of the IEEE Computer Security Foundations Symposium, Oxford, UK, 9–12 July 2018; IEEE: Piscataway, NJ, USA; Volume 2018, pp. 268–282. [Google Scholar]
  67. Roder, M.; de Rosa, G.H.; Papa, J.P. Learnergy: Energy-Based Machine Learners. arXiv 2020, arXiv:2003.07443. [Google Scholar]
  68. Colaboratory. Available online: https://colab.research.google.com/ (accessed on 3 January 2023).
  69. Lemaître, G.; Nogueira, F.; Aridas, C. Imbalanced-Learn: A Python Toolbox to Tackle the Curse of Imbalanced Datasets in Machine Learning. J. Mach. Learn. Res. 2016, 18, 559–563. [Google Scholar]
  70. Mazza, D.; Pagani, M. Automatic Differentiation in PCF. Proc. ACM Program. Lang. 2021, 5, 1–27. [Google Scholar] [CrossRef]
  71. Wilcoxon, F. Individual Comparisons by Ranking Methods. Biom. Bull. 1945, 1, 80–83. [Google Scholar] [CrossRef]
  72. Mohassel, P.; Zhang, Y. SecureML: A System for Scalable Privacy-Preserving Machine Learning. In Proceedings of the IEEE Symposium on Security and Privacy; IEEE: Piscataway, NJ, USA, 2017; pp. 19–38. [Google Scholar]
  73. Liu, J.; Juuti, M.; Lu, Y.; Asokan, N. Oblivious Neural Network Predictions via MiniONN Transformations. In Proceedings of the ACM Conference on Computer and Communications Security, Dallas, TX, USA, 30 October–3 November 2017; pp. 619–631. [Google Scholar]
  74. Sadegh Riazi, M.; Songhori, E.M.; Weinert, C.; Schneider, T.; Tkachenko, O.; Koushanfar, F. Chameleon: A Hybrid Secure Computation Framework for Machine Learning Applications. In Proceedings of the ASIACCS 2018—2018 ACM Asia Conference on Computer and Communications Security, Incheon, Republic of Korea, 4–8 June 2018; pp. 707–721. [Google Scholar]
  75. Mohassel, P.; Rindal, P. ABY3: A Mixed Protocol Framework for Machine Learning. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security—CCS ’18, Toronto, ON, Canada, 15–19 October 2018; pp. 35–52. [Google Scholar]
  76. Dowlin, N.; Gilad-Bachrach, R.; Laine, K.; Lauter, K.; Naehrig, M.; Wernsing, J. CryptoNets: Applying Neural Networks to Encrypted Data with High Throughput and Accuracy. In Proceedings of the International Conference on Machine Learning, New York, NY, USA, 19–24 June 2016; pp. 201–210. [Google Scholar]
Applsci 14 01224 g001
Figure 1. Restricted Boltzmann Machine [15].
Figure 1. Restricted Boltzmann Machine [15].
Applsci 14 01224 g001
Applsci 14 01224 g002
Figure 2. Privacy-preserving deep learning framework based on Restricted Boltzmann Machines and Instance Reduction Algorithms.
Figure 2. Privacy-preserving deep learning framework based on Restricted Boltzmann Machines and Instance Reduction Algorithms.
Applsci 14 01224 g002
Applsci 14 01224 g003
Figure 3. Encoding instances using Restricted Boltzmann Machine.
Figure 3. Encoding instances using Restricted Boltzmann Machine.
Applsci 14 01224 g003
Applsci 14 01224 g004
Figure 4. Selecting a subset of the encoded training data.
Figure 4. Selecting a subset of the encoded training data.
Applsci 14 01224 g004
Applsci 14 01224 g005
Figure 5. Sending the subsets of encoded training data to the central server.
Figure 5. Sending the subsets of encoded training data to the central server.
Applsci 14 01224 g005
Applsci 14 01224 g006
Figure 6. Comparative training times.
Figure 6. Comparative training times.
Applsci 14 01224 g006
Applsci 14 01224 g007
Figure 7. Model reduction percentage.
Figure 7. Model reduction percentage.
Applsci 14 01224 g007
Table 1. RBM architecture used for the datasets.
Table 1. RBM architecture used for the datasets.
DatasetsModel ArchitectureModel Parameters
MNISTVisible_Layer_Size = 784
Hidden_Layer_Size = 576
Activation_Function = sigmoid function		epochs = 500
Gibbs’ sampling steps = 1
learning_rate = 0.05
batch_size = 10
Fashion-MNISTVisible_Layer_Size = 784
Hidden_Layer_Size = 576
Activation_Function = sigmoid function		epochs = 500
Gibbs’ sampling steps = 1
learning_rate = 0.009
batch_size = 10
EMNIST-LettersVisible_Layer_Size = 784
Hidden_Layer_Size = 576
Activation_Function = sigmoid function		epochs = 500
Gibbs’ sampling steps = 1
learning_rate = 0.05
batch_size = 128
Table 2. CNN Architecture for MNIST and Fashion-MNIST datasets.
Table 2. CNN Architecture for MNIST and Fashion-MNIST datasets.
Model Architecture Conv1→relu→pool→Conv2→relu→pool→Conv3→relu→pool→dropout→fc1→relu→dropout→fc2
Conv1: 16 filters, size 3 × 3, padding = 1
Conv2: 32 filters, size 3 × 3, padding = 1
Conv3: 64 filters, size 3 × 3, padding = 1
pool: size = 2 × 2, stride = 2
dropout:(0.25)
fc1: linear layer (576 -> 500)
fc2: linear layer (500, 10)
Model Parameterscriterion = CrossEntropyLoss optimizer = SGD lr = 0.01 epochs = 50 batch_size = 10 valid_size = 0.2
Table 3. MLP Architecture for MNIST and Fashion-MNIST datasets.
Table 3. MLP Architecture for MNIST and Fashion-MNIST datasets.
Model Architecture FC1→relu→dropout→FC2→relu→dropout→FC3
fc1: linear layer (784 -> 512)
fc2: linear layer (512 -> 512)
fc3: linear layer (512 -> 10)
dropout: (0.2)
Model Parameterscriterion = CrossEntropyLoss optimizer = SGD lr = 0.01 epochs = 50 batch_size = 10 valid_size = 0.2
Table 4. CNN Architecture for the EMNIST-Letters datasets.
Table 4. CNN Architecture for the EMNIST-Letters datasets.
Model Architecture Conv1→relu→pool→Conv2→relu→pool→Conv3→relu→pool→dropout→fc1→relu→dropout→fc2
Conv1: 16 filters, size 3 × 3, padding = 1
Conv2: 32 filters, size 3 × 3, padding = 1
Conv3: 64 filters, size 3 × 3, padding = 1
pool: size = 2 × 2, stride = 2
dropout: (0.25)
fc1: linear layer (576 -> 500)
fc2: linear layer (500, 27)
Model Parameterscriterion = CrossEntropyLoss optimizer = SGD lr = 0.01 epochs = 50 batch_size = 128 valid_size = 0.2
Table 5. MLP Architecture for the EMNIST-Letters datasets.
Table 5. MLP Architecture for the EMNIST-Letters datasets.
Model Architecture FC1→relu→dropout→FC2→relu→dropout→FC3
fc1: linear layer (784 -> 512)
fc2: linear layer (512 -> 512)
fc3: linear layer (512 -> 27)
dropout: (0.2)
Model Parameterscriterion = CrossEntropyLoss optimizer = SGD lr = 0.01 epochs = 50 batch_size = 128 valid_size = 0.2
Table 6. The sizes of the datasets used in the conventional collaborative models experiments.
Table 6. The sizes of the datasets used in the conventional collaborative models experiments.
Training Data SizeTest Data Size
MNIST60,00010,000
Fashion-MNIST60,00010,000
EMNIST-Letters145,60020,800
Table 7. The performance of CNN and MLP on MNIST, Fashion-MNIST, and EMNIST-Letters datasets in the conventional collaborative models experiments.
Table 7. The performance of CNN and MLP on MNIST, Fashion-MNIST, and EMNIST-Letters datasets in the conventional collaborative models experiments.
DatasetCNNMLP
TrainingValidatingTestTrainingValidatingTest
AccuracyTimeAccuracyTimeAccuracyLossF-ScoreTimeAccuracyTimeAccuracyTimeAccuracyLossF-ScoreTime
MNIST98.59%133.25 s99.06%7.68 s99%0.02399.27%8.07 s98.56%118.14 s97.74%5.33 s98%0.05698.15%5.98 s
Fashion-MNIST90.88%133.37 s90.35%8.34 s91%0.23691.39%9.3 s90.83%109.86 s88.58%5.78 s89%0.31589.45%5.35 s
EMNIST-Letters86.19%82.59 s89.13%10.57 s93%0.19393.65%10.62 s79.45%25.65 s81.81%3.93 s89%0.34489.29%3.40 s
Table 8. The sizes of the datasets used in the privacy-preserving collaborative models experiments.
Table 8. The sizes of the datasets used in the privacy-preserving collaborative models experiments.
Training Data SizePercentage of the Reduced Training DataTest Data Size
MNIST54,35190.58%10,000
Fashion-MNIST41,35568.92%10,000
EMNIST-Letters83,28257.19%20,800
Table 9. The performance of CNN and MLP on MNIST, Fashion-MNIST, and EMNIST-Letters datasets in the privacy-preserving collaborative models experiments.
Table 9. The performance of CNN and MLP on MNIST, Fashion-MNIST, and EMNIST-Letters datasets in the privacy-preserving collaborative models experiments.
DatasetCNNMLP
TrainingValidatingTestTrainingValidatingTest
AccuracyTimeAccuracyTimeAccuracyLossF-ScoreTimeAccuracyTimeAccuracyTimeAccuracyLossF-ScoreTime
MNIST97.56%99.39 s97.69%5.30 s96%0.17596.43%7.24 s99.44%87.87 s99.44%3.19 s97%0.10897.40%3.99 s
Fashion-MNIST96.41%68.51 s96.65%4.40 s84%0.63784.17%7.14 s97.48%57.85 s97.29%2.85 s85%0.62685.14%4.51 s
EMNIST-Letters73.94%35.24 s77.87%4.15 s82%0.67382.91%9.80 s89.56%9.18 s91.72%1.00 s85%0.53085.60%2.17 s
Table 10. Privacy comparison [9].
Table 10. Privacy comparison [9].
Ref.The Used
Privacy Technique		PPDL
Frameworks		Privacy Metrics
PoCPoMPoR
[72]MPCSecureML-
[73]MPCMiniONN-
[74]MPCChameleon-
[54]MPCDeepSecure-
[75]MPCABY3-
[55]MPCSecureNN-
[76]HECryptoNets-
[48]HECryptoDL-
[61]TEEsChiron
[62]TEEsSlalom
[64]Instance EncodingsInstaHide-
-Instance EncodingsOur framework
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Alshammari, A.; El Hindi, K. Privacy-Preserving Deep Learning Framework Based on Restricted Boltzmann Machines and Instance Reduction Algorithms. Appl. Sci. 2024, 14, 1224. https://0-doi-org.brum.beds.ac.uk/10.3390/app14031224

AMA Style

Alshammari A, El Hindi K. Privacy-Preserving Deep Learning Framework Based on Restricted Boltzmann Machines and Instance Reduction Algorithms. Applied Sciences. 2024; 14(3):1224. https://0-doi-org.brum.beds.ac.uk/10.3390/app14031224

Chicago/Turabian Style

Alshammari, Alya, and Khalil El Hindi. 2024. "Privacy-Preserving Deep Learning Framework Based on Restricted Boltzmann Machines and Instance Reduction Algorithms" Applied Sciences 14, no. 3: 1224. https://0-doi-org.brum.beds.ac.uk/10.3390/app14031224

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop