We present a privacy-preserving framework to verify whether a declared data preprocessing pipeline was correctly applied before training a machine learning model on sensitive data. The verifier has only black-box query access to the model and combines three behavior indicators: shift in prediction accuracy, Kullback-Leibler (KL) divergence between output distributions, and explanation vectors from Local Interpretable Model-agnostic Explanations (LIME) and SHapley Additive exPlanations (SHAP). The method requires neither the original training records nor ground-truth labels. It supports two tasks: (i) a binary decision on correctness and (ii) a multi-class diagnosis identifying which step is missing. Experiments on three tabular datasets (Diabetes, Adult-Income, Student-Record) show that the binary detector maintains over 75% F1 even under strong local differential privacy ( ). Machine-learning classifiers consistently outperform simple threshold rules in the binary setting, while the two approaches perform comparably for multi-class diagnosis. A label-free variant that clusters explanation vectors achieves competitive accuracy, enabling verification when no labeled pipelines are available. These results demonstrate a practical and scalable approach for safeguarding preprocessing integrity in privacy-sensitive machine learning workflows.
{"title":"Privacy-Preserving Verification of ML Preprocessing via Model Behavior Indicators.","authors":"Wenbiao Li, Anisa Halimi, Jaideep Vaidya, Xiaoqian Jiang, Erman Ayday","doi":"10.1109/tp.2025.3628998","DOIUrl":"10.1109/tp.2025.3628998","url":null,"abstract":"<p><p>We present a privacy-preserving framework to verify whether a declared data preprocessing pipeline was correctly applied before training a machine learning model on sensitive data. The verifier has only black-box query access to the model and combines three behavior indicators: shift in prediction accuracy, Kullback-Leibler (KL) divergence between output distributions, and explanation vectors from Local Interpretable Model-agnostic Explanations (LIME) and SHapley Additive exPlanations (SHAP). The method requires neither the original training records nor ground-truth labels. It supports two tasks: (i) a binary decision on correctness and (ii) a multi-class diagnosis identifying which step is missing. Experiments on three tabular datasets (Diabetes, Adult-Income, Student-Record) show that the binary detector maintains over 75% F1 even under strong local differential privacy ( <math><mrow><mi>ε</mi> <mo>=</mo> <mn>0.1</mn></mrow> </math> ). Machine-learning classifiers consistently outperform simple threshold rules in the binary setting, while the two approaches perform comparably for multi-class diagnosis. A label-free variant that clusters explanation vectors achieves competitive accuracy, enabling verification when no labeled pipelines are available. These results demonstrate a practical and scalable approach for safeguarding preprocessing integrity in privacy-sensitive machine learning workflows.</p>","PeriodicalId":519971,"journal":{"name":"IEEE transactions on privacy","volume":"2 ","pages":"144-158"},"PeriodicalIF":0.0,"publicationDate":"2025-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.ncbi.nlm.nih.gov/pmc/articles/PMC12807549/pdf/","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"146000303","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Interest in supporting Federated Learning (FL) using blockchains has grown significantly in recent years. However, restricting access to the trained models only to actively participating nodes remains a challenge even today. To address this concern, we propose a methodology that incentivizes model parameter sharing in an FL setup under Local Differential Privacy (LDP). The nodes that share less obfuscated data under LDP are awarded higher quantum of tokens, which they can later use to obtain session keys for accessing encrypted model parameters updated by the server. If one or more of the nodes do not contribute to the learning process by sharing their data, or share only highly perturbed data, they earn less number of tokens. As a result, such nodes may not be able to read the new global model parameters if required. Local parameter sharing and updating of global parameters are done using the distributed ledger of a permissioned blockchain, namely HyperLedger Fabric (HLF). Being a blockchain-based approach, the risk of a single point of failure is also mitigated. Appropriate chaincodes, which are smart contracts in the HLF framework, have been developed for implementing the proposed methodology. Results of an extensive set of experiments firmly establish the feasibility of our approach.
{"title":"Blockchain Based Secure Federated Learning With Local Differential Privacy and Incentivization.","authors":"Saptarshi DE Chaudhury, Likhith Reddy Morreddigari, Matta Varun, Tirthankar Sengupta, Sandip Chakraborty, Shamik Sural, Jaideep Vaidya, Vijayalakshmi Atluri","doi":"10.1109/tp.2024.3487819","DOIUrl":"10.1109/tp.2024.3487819","url":null,"abstract":"<p><p>Interest in supporting Federated Learning (FL) using blockchains has grown significantly in recent years. However, restricting access to the trained models only to actively participating nodes remains a challenge even today. To address this concern, we propose a methodology that incentivizes model parameter sharing in an FL setup under Local Differential Privacy (LDP). The nodes that share less obfuscated data under LDP are awarded higher quantum of tokens, which they can later use to obtain session keys for accessing encrypted model parameters updated by the server. If one or more of the nodes do not contribute to the learning process by sharing their data, or share only highly perturbed data, they earn less number of tokens. As a result, such nodes may not be able to read the new global model parameters if required. Local parameter sharing and updating of global parameters are done using the distributed ledger of a permissioned blockchain, namely HyperLedger Fabric (HLF). Being a blockchain-based approach, the risk of a single point of failure is also mitigated. Appropriate chaincodes, which are smart contracts in the HLF framework, have been developed for implementing the proposed methodology. Results of an extensive set of experiments firmly establish the feasibility of our approach.</p>","PeriodicalId":519971,"journal":{"name":"IEEE transactions on privacy","volume":"1 ","pages":"31-44"},"PeriodicalIF":0.0,"publicationDate":"2024-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.ncbi.nlm.nih.gov/pmc/articles/PMC11722199/pdf/","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142974496","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Privacy Enhancing Technologies (PETs) have the potential to enable collaborative analytics without compromising privacy. This is extremely important for collaborative analytics can allow us to really extract value from the large amounts of data that are collected in domains such as healthcare, finance, and national security, among others. In order to foster innovation and move PETs from the research labs to actual deployment, the U.S. and U.K. governments partnered together in 2021 to propose the PETs prize challenge asking for privacy-enhancing solutions for two of the biggest problems facing us today: financial crime prevention and pandemic response. This article presents the Rutgers ScarletPets privacy-preserving federated learning approach to identify anomalous financial transactions in a payment network system (PNS). This approach utilizes a two-step anomaly detection methodology to solve the problem. In the first step, features are mined based on account-level data and labels, and then a privacy-preserving encoding scheme is used to augment these features to the data held by the PNS. In the second step, the PNS learns a highly accurate classifier from the augmented data. Our proposed approach has two major advantages: 1) there is no noteworthy drop in accuracy between the federated and the centralized setting, and 2) our approach is flexible since the PNS can keep improving its model and features to build a better classifier without imposing any additional computational or privacy burden on the banks. Notably, our solution won the first prize in the US for its privacy, utility, efficiency, and flexibility.
{"title":"U.S.-U.K. PETs Prize Challenge: Anomaly Detection via Privacy-Enhanced Federated Learning.","authors":"Hafiz Asif, Sitao Min, Xinyue Wang, Jaideep Vaidya","doi":"10.1109/tp.2024.3392721","DOIUrl":"10.1109/tp.2024.3392721","url":null,"abstract":"<p><p>Privacy Enhancing Technologies (PETs) have the potential to enable collaborative analytics without compromising privacy. This is extremely important for collaborative analytics can allow us to really extract value from the large amounts of data that are collected in domains such as healthcare, finance, and national security, among others. In order to foster innovation and move PETs from the research labs to actual deployment, the U.S. and U.K. governments partnered together in 2021 to propose the PETs prize challenge asking for privacy-enhancing solutions for two of the biggest problems facing us today: financial crime prevention and pandemic response. This article presents the Rutgers ScarletPets privacy-preserving federated learning approach to identify anomalous financial transactions in a payment network system (PNS). This approach utilizes a two-step anomaly detection methodology to solve the problem. In the first step, features are mined based on account-level data and labels, and then a privacy-preserving encoding scheme is used to augment these features to the data held by the PNS. In the second step, the PNS learns a highly accurate classifier from the augmented data. Our proposed approach has two major advantages: 1) there is no noteworthy drop in accuracy between the federated and the centralized setting, and 2) our approach is flexible since the PNS can keep improving its model and features to build a better classifier without imposing any additional computational or privacy burden on the banks. Notably, our solution won the first prize in the US for its privacy, utility, efficiency, and flexibility.</p>","PeriodicalId":519971,"journal":{"name":"IEEE transactions on privacy","volume":"1 ","pages":"3-18"},"PeriodicalIF":0.0,"publicationDate":"2024-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.ncbi.nlm.nih.gov/pmc/articles/PMC11229673/pdf/","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141560776","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
扫码关注我们
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号