
Computer Engineering, 2022, Vol. 48, Issue (7): 29-35. doi: 10.19678/j.issn.1000-3428.0062665

• Hot Topics and Reviews •

Research on Differential Privacy Protection for Collaborative Vehicle-Road Inference

WU Maoqiang, HUANG Xumin, KANG Jiawen, YU Rong

  1. School of Automation, Guangdong University of Technology, Guangzhou 510006, China
  • Received: 2021-09-12 Revised: 2021-11-03 Online: 2022-07-15 Published: 2021-11-08
  • About the authors: WU Maoqiang (born 1989), male, Ph.D., main research interest: vehicular edge computing; HUANG Xumin, associate professor, Ph.D.; KANG Jiawen, professor, Ph.D.; YU Rong (corresponding author), professor, Ph.D., doctoral supervisor.
  • Funding:
    National Natural Science Foundation of China (61971148); Guangxi Natural Science Foundation (2018GXNSFDA281013); Guilin Scientific Research and Technology Development Program (20190214-3).

Abstract: Collaborative vehicle-road inference runs deep convolutional network inference jointly on vehicular terminals and roadside edge servers. This improves inference efficiency but exposes user privacy. Without knowing the vehicular terminal's network structure or parameters, an attacker can train a deconvolutional network to recover the original image data from the intermediate computation results that the terminal uploads, which constitutes an image reconstruction attack. Based on differential privacy theory, this study proposes three defense algorithms against this attack: model perturbation, input perturbation, and output perturbation. They inject random Laplace noise into, respectively, the model parameters, the original input images, and the output computation results of the vehicular terminal's deep convolutional network, which interferes with the attacker's image recovery. A theoretical analysis shows that all three algorithms satisfy differential privacy, making it difficult for attackers to extract private information about the original data from the computation results. Experimental results show that all three algorithms effectively defend against black-box image reconstruction attacks while maintaining inference accuracy above 90%, and that the model perturbation algorithm balances privacy protection and inference accuracy better than the input perturbation and output perturbation algorithms.

Key words: collaborative vehicle-road inference, differential privacy, Internet of Vehicles (IoV), edge computing, deep convolutional network
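The output perturbation idea from the abstract, as an added Python example that is not code from the paper: it applies the standard Laplace mechanism to the features a terminal would upload and shows how the distortion grows as epsilon shrinks. The clipping bound, the sensitivity calibration (bound × number of features) and all function names are assumptions made for illustration; the page does not give the paper's own noise calibration.

```python
import random

def laplace_noise(scale, rng):
    # Difference of two i.i.d. exponentials with mean `scale` is Laplace(0, scale).
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)

def perturb_output(features, epsilon, bound, rng):
    """Clip each feature to [0, bound], then add Laplace noise (epsilon-DP).

    Assumption (not from the paper): any two inputs can differ by at most
    `bound` in every clipped feature, so the L1 sensitivity is bound * n.
    """
    if epsilon <= 0 or bound <= 0 or not features:
        raise ValueError("epsilon and bound must be positive, features non-empty")
    clipped = [min(max(x, 0.0), bound) for x in features]
    scale = bound * len(clipped) / epsilon   # Laplace scale b = sensitivity / epsilon
    noisy = [x + laplace_noise(scale, rng) for x in clipped]
    return noisy, scale

def distortion_by_epsilon(features, epsilons, bound, seed=7):
    """Mean absolute distortion of the uploaded features for each epsilon."""
    result = {}
    for eps in epsilons:
        rng = random.Random(seed)            # same draws, so only the scale differs
        noisy, _ = perturb_output(features, eps, bound, rng)
        result[eps] = sum(abs(n - f) for n, f in zip(noisy, features)) / len(features)
    return result

if __name__ == "__main__":
    # Constructed sample: eight post-ReLU activations from the terminal's last local layer.
    feats = [0.0, 0.3, 1.2, 0.7, 0.0, 2.5, 0.9, 0.1]
    for eps, err in distortion_by_epsilon(feats, [0.1, 1.0, 10.0], bound=3.0).items():
        print(f"epsilon={eps:<5} mean |noise| = {err:.3f}")
```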
