Controlling Federated Learning for Covertness

Download PDF

Adit Jain, Vikram Krishnamurthy

Published: 08 Feb 2024, Last Modified: 08 Feb 2024Accepted by TMLREveryoneRevisionsBibTeX
Abstract: A learner aims to minimize a function $f$ by repeatedly querying a distributed oracle that provides noisy gradient evaluations. At the same time, the learner seeks to hide $\arg\min f$ from a malicious eavesdropper that observes the learner's queries. This paper considers the problem of \textit{covert} or \textit{learner-private} optimization, where the learner has to dynamically choose between learning and obfuscation by exploiting the stochasticity. The problem of controlling the stochastic gradient algorithm for covert optimization is modeled as a Markov decision process, and we show that the dynamic programming operator has a supermodular structure implying that the optimal policy has a monotone threshold structure. A computationally efficient policy gradient algorithm is proposed to search for the optimal querying policy without knowledge of the transition probabilities. As a practical application, our methods are demonstrated on a hate speech classification task in a federated setting where an eavesdropper can use the optimal weights to generate toxic content, which is more easily misclassified. Numerical results show that when the learner uses the optimal policy, an eavesdropper can only achieve a validation accuracy of $52\%$ with no information and $69\%$ when it has a public dataset with $10\%$ positive samples compared to $83\%$ when the learner employs a greedy policy.
Submission Length: Regular submission (no more than 12 pages of main content)
Changes Since Last Submission: The following changes were made to manuscript on 8th Feburary 2024, We have changed the main text to incorporate the weaker assumptions of a bounded noise variance and improved the convergence result in Theorem~1. Accordingly we have updated the proof (which is based on the earlier proof from Appendix B.2.) We have made the proof more cleaner with a proper structure, first showing the sum of the descent lemma and then taking the expectation to get the desired result We have also made nit changes, including specifying clearly with respect to what random variable we are taking the expectations to avoid confusion.
Code: https://github.com/aditj/CovertHateSpeechClassification
Supplementary Material: zip
Assigned Action Editor: ~Konstantin_Mishchenko1
License: Creative Commons Attribution 4.0 International (CC BY 4.0)
Submission Number: 1477