An Asynchronous Federated Learning Aggregation Method Based on Adaptive Differential Privacy

Abstract

Federated learning is a distributed machine learning technique that allows multiple devices to collaborate on learning a shared model without exchanging data. It can be used to improve model accuracy while protecting user privacy. However, traditional federated learning is vulnerable to attacks from generative adversarial networks (GANs). As a new privacy protection method, differential privacy enhances privacy protection capabilities by sacrificing some data accuracy. To optimize the privacy budget allocation scheme in traditional differential privacy, we propose a differential privacy method called ADP-FL, which dynamically adjusts the privacy budget based on Newton’s Law of Cooling. While maintaining the overall privacy budget, it dynamically tunes adaptive parameters to improve training accuracy. Additionally, we propose an asynchronous federated learning aggregation scheme that combines privacy budget with data freshness, thereby reducing the impact of differential privacy on accuracy. We conducted extensive experiments on differential privacy algorithms based on Gaussian mechanisms and Laplace mechanisms. The experimental results show that, under the same privacy budget, our algorithm achieves higher accuracy and lower communication overhead compared to the baseline algorithm.

1. Introduction

With the increasing popularity of IoT devices, the amount of distributed data has skyrocketed. The total amount of global data will grow to 175 ZB by 2025 [1], and the increase in data volume has promoted the development of artificial intelligence in many fields such as smart medical, smart home, and traffic accident detection, leading artificial intelligence—driven by the big data environment—to enter its third golden period of development. Traditional centralized learning requires all data collected on local devices to be stored centrally in a data center or cloud server. This requirement not only raises concerns about privacy risks and data breaches but also places high demands on the storage and computing power of servers, particularly in cases involving large amounts of data. Distributed data parallelism enables multiple machines to train a copy of a model in parallel, using different datasets. While it may be a potential storage solution and address compute power issues, it still requires access to the entire training data, segmenting it into evenly distributed fragments, which can pose security and privacy concerns for the data.

Federated learning aims to train a global model that can train on data distributed across different devices while protecting data privacy. In 2016, McMahan et al. first introduced the concept of federated learning based on data parallelism [1] and proposed the federated averaging (FedAvg) algorithm. As a decentralized machine learning approach, FedAvg enables multiple devices to collaborate in training machine learning models while storing user data locally. FedAvg eliminates the need to upload sensitive user data to a central server, enabling edge devices to train shared models locally using their local data. By aggregating updates of local models, FedAvg meets the basic requirements of privacy protection and data security.

While federated learning offers a promising approach to privacy protection, numerous challenges arise when applying it to the real world [2]. The first is the problem of privacy. Studies in recent years have shown that gradient information during training can reveal private information [3,4,5,6,7,8,9], whether of third parties or central servers [10,11]. As shown in [12,13], even a slight gradient can reveal a significant amount of sensitive information about local data. By simply observing the gradient, a malicious attacker can steal training data within a few iterations [6]. Although traditional privacy protection methods, such as encryption and secure multi-party computing, can protect private information from being leaked, they are not designed for edge environments. Excessive algorithm complexity leads to high latency and communication overhead in practical applications. To solve the above problems, this paper proposes an efficient federated learning method that combines differential privacy and outdated level methods. The main contributions are as follows:

• This paper proposes a differential privacy method with adaptive parameters that dynamically adjusts privacy parameters during training. This method improves the accuracy of federated learning while maintaining the total privacy budget.
• This paper proposes an asynchronous federated learning aggregation scheme that combines privacy budget and device aging. This scheme adjusts weights based on privacy budget, device aging, and dataset during aggregation to improve training accuracy.
• This paper conducts extensive experimental testing and validates the effectiveness of the algorithm using real-world datasets under Gaussian and Laplace noise.

2. Related Work

Differential privacy is a new definition of privacy proposed in 2006 by Dwork [14] for addressing the problem of privacy leakage in databases. It is mainly implemented through the use of random noise to ensure that the results of querying publicly visible information do not reveal the private information of the individual, that is, to provide a way to maximize the accuracy of the data query when querying from a statistical database, while minimizing the chance of identifying its records. Differential privacy enhances the ability to protect privacy by sacrificing some data accuracy. Determining how to balance privacy and efficiency in the actual use process is a problem worth studying.

In response to differential attacks, Robin C. et al. [15] propose a federated optimization algorithm for protecting client differential privacy. This algorithm dynamically adjusts the level of differential privacy during distributed training, aiming to hide customer contributions during training while balancing the trade-off between privacy loss and model performance. Xue J. et al. [16] proposed an improved SignDS-FL framework, which shares the same dimension-selection concept as FedSel but saves privacy costs during the value perturbation stage by assigning random sign values to the selected dimensions. Patil et al. [17] introduced the concept of differential privacy into traditional random forests [18]. The Random Forest algorithm was tested in three aspects. The experiments demonstrated that the traditional random forest algorithm and the random forest based on differential privacy achieved nearly identical classification accuracy. Badih Ghazi et al. [19] improved the privacy guarantee of the FL model by combining the shuffling technique with DP and masking user data using an invisibility cloak algorithm. Cai et al. [20] proposed the idea of differential private continuous release (DPCR) into FL and proposed a FL framework based on DPCR (FL-DPCR) to effectively reduce the overall error added to the parameter model and improve the accuracy of FL. Wang et al. [21] propose a Loss Differential Strategy (LDS) for parameter replacement in FL. The key idea is to maintain the performance of the Private Model by preserving it through parameter replacement with multi-user participation while significantly reducing the efficiency of privacy attacks on the model. However, these schemes introduce uncertainty in the uploaded parameters, which may affect training performance.

Although the above methods have promoted the application of differential privacy in federated learning from different perspectives [22,23,24,25,26], they have limitations in terms of dynamic adaptability and aggregation strategy. The ADP-FL algorithm proposed in this paper has formed significant advantages through targeted design, with the following specific differences:

1. Fundamental differences in privacy budget allocation logic: J. F. et al. [27] proposed a new differential privacy classification system. This study classified different differential privacy models based on their definitions, guarantees, and federated learning scenarios. However, this classification system remains at the theoretical framework level and does not involve specific dynamic allocation strategies, failing to resolve the privacy–accuracy trade-off across different training stages; J. L. [28] proposed a record-level differential privacy federated learning framework based on two-stage mixed sampling, and designed a simulated curve-fitting strategy (SCF) to determine the sampling probability of all records under a given personalized privacy budget. However, this personalized scheme focuses on privacy differentiation at the individual record level, ignoring the temporal characteristics of the training process in federated learning, and struggles to address the dynamic changes in gradient information sensitivity as training progresses.

2. Differences in the comprehensiveness of aggregation strategies: J.M. [29] et al. proposed a differential privacy framework based on optimal sparse responses, combining minimization of convergence rates to optimize sparse parameters adaptively. However, this optimal sparse response mechanism only optimizes sparse parameters to reduce noise effects, without considering the interference of device participation timeliness on the quality of aggregation. Some studies, such as DP-FLAGD [30], provide privacy budgets for different privacy requirements by adaptively allocating privacy budgets and corresponding learning rates. However, this linked scheme does not address the issue of differentiated weighting of contributions from multiple clients.

3. Differences in practical applicability: To address the risk of data leakage when broadcasting parameters to the central server and the issue of excessive noise affecting parameter aggregation quality, FedBADP [31] implements a bidirectional adaptive differential privacy scheme. By adaptively adding noise to the transmitted gradients, it protects data security without affecting model accuracy. However, the gradient sampling mechanism may lead to the loss of critical information.

In summary, the core advantage of this paper lies in its deep coupling of dynamic privacy control with multi-factor aggregation strategies, thereby forming a systematic solution that encompasses the entire training cycle and addresses the shortcomings of existing research in temporal adaptability and multidimensional collaborative optimization.

3. Problem Formulation

3.1. Model Definition

Neural networks update parameters through backpropagation. Similarly, in a federated learning framework based on gradient (weight) updates, gradient information is propagated between clients and servers. The gradient information transmitted by clients originates from local datasets. Attackers can use gradient information to reverse-engineer datasets, resulting in privacy leaks among participants in federated learning.

Definition 1

(Differential Privacy Problem Model). A trusted data regulator C has a set of data $D=D_1, D_2,\dots D_n$. The goal of the data regulator is to derive a random algorithm $A\left(D^{\prime }\right), D^{\prime }\in D$, where $A\left(D^{\prime }\right)$ describes certain information about the data set $D^{\prime }$, while ensuring the privacy of all data D.

The schematic diagram of differential privacy is shown in Figure 1. For example, for a query on the average age, the average age of all individuals in the query dataset D is first calculated, followed by the average age of the adjacent dataset $D^{\prime }$, which lacks Bob’s age. This can be inferred from the results of the previous two queries, which constitute a differential attack. The figure illustrates the core idea of differential privacy technology, which involves processing query results to ensure that the query algorithm produces highly similar output probability distributions on adjacent datasets. Thus, for datasets with only one record difference, the query results are likely to be the same. Differential privacy applications can effectively prevent attackers from inferring information about datasets through gradient analysis. However, the added noise inevitably leads to reduced accuracy and slower convergence in federated learning, and may even prevent convergence altogether. Therefore, finding a method to minimize the impact of differential privacy on accuracy while ensuring privacy security has become an urgent research issue.

3.2. Algorithm Definition

This section introduces the relevant definitions and basic properties that will be applied in the composition of adaptive differential privacy algorithms. Differential privacy is defined as follows:

Definition 2

(Adjacent data sets). For data sets D and $D^{\prime }$ with the same data structure, if these two data sets differ only in a certain element x, then these two data sets are called adjacent data sets.

Definition 3

(Differential Privacy [14]). A randomized algorithm $\mathcal{M}$ with domain ${\mathbb{R}}^{\left|\mathcal{X}\right|}$ is $(ϵ,\Delta )$-differentially private if for all $\mathcal{S}\subseteq$ Range($\mathcal{M}$) and for all $x,y\in {\mathbb{R}}^{\left|\mathcal{X}\right|}$, such that ${\left|\right|x-y\left|\right|}_1\le 1$:

$$Pr\left[\mathcal{M}\left(x\right)\in \mathcal{S}\right]\le exp\left(ϵ\right)Pr\left[\mathcal{M}\left(y\right)\in \mathcal{S}\right]+\delta$$

(1)

where the probability space is over the coin flips of the mechanism $\mathcal{M}$. If $\delta =0$, we say that $\mathcal{M}$ is ϵ-differentially private. $\mathcal{M}$ satisfies $(ϵ,\delta )$-differential privacy, then when δ = 0, $\mathcal{M}$ satisfies ϵ-differential privacy.

$(ϵ,0)$-differential privacy guarantees that the absolute value of privacy loss for all adjacent databases is less than or equal to $ϵ$. $(ϵ,\delta )$-differential privacy guarantees that the probability of privacy loss for all adjacent databases being less than or equal to $ϵ$ is $1-\delta$, meaning that a privacy algorithm failure with a probability of $\delta$ is acceptable. This is a relatively lenient differential privacy strategy.

Definition 4

(Local Sensitivity). Local sensitivity of FL training is defined as follows:

$$\Delta f_{Ls}=\underset{D^{\prime }}{\max }\left|\right|f\left(D\right)-f\left(D^{\prime }\right){\left|\right|}_1$$

(2)

Definition 5

(Global Sensitivity). Global sensitivity of FL training is defined as follows:

$$\Delta f_{Ls}^{global}=\underset{D,D^{\prime }}{\max }\left|\right|f\left(D\right)-f\left(D^{\prime }\right){\left|\right|}_1$$

(3)

Definition 6

(Laplace Mechanism). For input dataset $\mathcal{D}$ and function $\mathcal{F}$, if the algorithm $\Gamma$ satisfies:

$$\Gamma =\mathcal{F}\left(\mathcal{D}\right)+Lap(\Delta \mathcal{F}/ϵ)$$

(4)

Theorem 1

(Gaussian Mechanism [14]). For any $\delta ,\sigma >{\displaystyle \frac{\sqrt{2ln(1.25/\delta )}\Delta f}{ϵ}}$, if algorithm $\Gamma$ satisfies:

$$\Gamma =\mathcal{F}\left(\mathcal{D}\right)+\mathcal{N}\left({\sigma }^2\right)$$

(5)

then algorithm $\Gamma$ satisfies $(ϵ,\sigma )$-differential privacy. $\mathcal{N}\left({\sigma }^2\right)$ is a Gaussian distribution with center $0$ and variance ${\sigma }^2$.

Theorem 2

(Composition Theorem [14]). Let ${\mathcal{M}}_i$ each provide ${ϵ}_i$ differentially private. The sequence of ${\mathcal{M}}_i\left(X\right)$ provides $\left({\sum }_i{ϵ}_i\right)$ differentially private.

The differential privacy method selected for this study is a differential privacy algorithm based on the Laplace noise mechanism and the Gaussian noise mechanism.

4. Adaptive Differential Privacy Mechanisms for Federated Learning

In this section, we will introduce the building blocks of our method and explain how to implement our algorithm. In Section 4.1, we introduced adaptive differential privacy design. In Section 4.2, we introduced security analysis and scheme design. In Section 4.3, we provided a detailed explanation of the ADP-FL algorithm implementation. The hyperparameter selection strategy in the algorithm and the actual deployment of the algorithm are analyzed separately in Appendix A.2 and Appendix A.3.

4.1. Design of Adaptive Differential Privacy

Differential privacy technology was first proposed by Dwork in 2006 [14] to prevent differential attacks from obtaining sensitive information about a single record, thereby protecting the confidentiality of data. For example, for a query for average wages, select a set of 100 people, query the average wages of these 100 people, and then query the average wages of any 99 people in the set. The wages of the remaining one person can be analyzed by the results of the first two queries, which is a differential attack. The core idea of differential privacy technology is to process query results in a way that, for a dataset with only one record difference, the query result is likely to remain the same.

According to the composition theorem, when deploying differential privacy multiple times on the same input data, the requirements of differential privacy can still be met. However, it should be noted that there is a correlation between the outputs of each algorithm in serial composition, which leads to an increase in the overall privacy budget $ϵ$ and failure probability $\delta$, thereby reducing the effectiveness of privacy protection. In particular, when different differential privacy methods are applied multiple times on the same dataset, the level of privacy protection may be significantly weakened.

Therefore, allocating privacy budgets of different sizes according to the various stages of federated learning has greater advantages than the traditional method of evenly distributing privacy budgets across all stages.

In the early stages of federated learning, the gradient information contains less sensitive information, allowing for a more relaxed privacy budget to be adopted. As training progresses, the privacy information contained in the delayed gradient increases, and the privacy budget must be reduced to protect user information. Based on this idea, this paper employs an optimization algorithm that adjusts the client’s privacy budget in real time according to the model’s training progress and accuracy, ensuring that the overall privacy budget remains unchanged. By dynamically allocating the privacy budget, this paper achieves a more balanced approach between privacy protection and model performance during federated learning. This strategy of allocating privacy budgets of different sizes for various stages of federated learning enables the method proposed in this paper to flexibly address privacy protection requirements while fully utilizing the dataset’s information to enhance the model’s accuracy and performance.

Since our overall method gradually reduces the privacy budget ${ϵ}_i^t$ as training progresses, we use Newton’s cooling law formula [32] to adjust ${ϵ}_i^t$ for each training round. We analyze the mathematical characteristics of Newton’s cooling law (rapid decay followed by stabilization) and find that it highly matches the dynamic requirements of the privacy budget in federated learning [33,34,35]. Existing privacy budget adjustment methods mainly include linear decay [36] and fixed allocation. However, linear decay may cause the privacy budget to decrease sharply in the later stages of training, introducing excessive noise that disrupts model convergence. Fixed allocation cannot adapt to the privacy requirements of different training stages. In contrast, the exponential decay characteristic of Newton’s cooling law enables a smooth transition in budget consumption and adaptive adaptation to training progress. A detailed comparison and verification of the plans is described in Appendix A.1.

The adaptive adjustment process of the privacy budget ${ϵ}_i^t$ can be formalized as:

$${ϵ}_i^t={ϵ}_i\times e^{-\alpha \times (E-t)}+{ϵ}_i$$

(6)

where t is current communication round, E is maximum communication round, and $\alpha$ is the adjustment coefficient that defaults to 0.1.

Algorithm 1 demonstrates the adaptive differential privacy process. When the client begins participating in federated learning, the cumulative privacy budget is set to 0. As training progresses, if the cumulative privacy budget exceeds the total privacy budget, continuing to participate in federated learning will result in privacy leakage risks, so the client exits federated learning. It is important to note that the decline curve of Newton’s cooling law is very rapid. To prevent the privacy budget from depleting too quickly, which could lead to excessive noise and negatively impact training, this paper introduces a detection callback mechanism. When the client detects that the model’s accuracy has decreased beyond a threshold—i.e., when noise is affecting model convergence—the privacy budget is adjusted accordingly. Through this mechanism, this paper achieves a balance between privacy and efficiency.

Algorithm 1 Adaptive Differential Privacy

Input:  privacy budget $ϵ$, accumulated privacy budget ${ϵ}_{acc}$, Coefficient $\lambda$, Maximum number of communication rounds E Output:  ${ϵ}_t$   1: ${ϵ}_{acc}=0$   2: while $t\le E$ and ${ϵ}_{acc}\le ϵ$ do   3:     if $Ac{c}_t-Ac{c}_{t-1}>-\lambda$ then   4:         ${ϵ}_t\leftarrow {ϵ}_{t-1}\times e^{-\alpha \times (E-E^t)}+{ϵ}_{t-1}$   5:     else   6:         ${ϵ}_t$ = ${ϵ}_{t-1}$   7:     end if   8:     ${ϵ}_{acc}+={ϵ}_t$   9: end while 10: return ${ϵ}_t$

4.2. Design of Weighted Aggregation

Due to communication or device issues, some devices may not participate in training for extended periods and are therefore considered outdated devices. These outdated devices can lead to a decline in model accuracy, a significant issue in practice. To address this issue, a common approach in the context of federated learning is to adjust the weight of the gradient based on the degree of model obsolescence, thereby reducing the impact of outdated gradient information on the model. This paper adjusts the weights of gradient information based on the number of training rounds the model has not participated in and uses an exponential function to implement this adjustment. Through this approach, this paper can more effectively address the impact of outdated devices that have not participated in training for an extended period, thereby improving the overall accuracy of the model. This dynamic weight adjustment strategy ensures that the contribution of outdated devices in model updates gradually decreases, allowing the updates from devices that participate on time to be more significant. Therefore, this paper can better balance the contributions of different devices, thereby enhancing the effectiveness of federated learning and the model’s performance. The obsolescence degree function we use is as follows:

$$f\left(\lambda \right)={\alpha }^{t_1-t_2}\lambda$$

(7)

where $t_1$ is the current communication round, $t_2$ is the last communication round of the client, and $\alpha$ is the adjustment coefficient. $\lambda$ is the outdated coefficient. It is initially set to 1 and reset to 1 each time it has participated in training.

According to the characteristics of the exponential function, the weights of clients who have not participated in training for multiple rounds will be tiny, effectively reducing the impact of outdated information.

During parameter aggregation, differential privacy noise impacts the model’s convergence. Clients with smaller privacy budgets have a higher probability of their uploaded gradient parameters deviating from the model convergence direction. Therefore, it is necessary to adjust the weights based on the amount of noise added by the client. Regarding how to assess the amount of noise added, the privacy budget $ϵ$ and the amount of noise added are negatively correlated. The smaller the privacy budget, the more noise is added and the greater the deviation of gradient information. Naturally, this paper uses the privacy budget $ϵ$ as a parameter to assess the degree of noise added and uses $ϵ$ as one of the weight parameters for model aggregation.

Combining the weight adjustment algorithm for outdated devices and the weight adjustment algorithm for noise, this paper proposes the following aggregation scheme:

$$g^{t+1}\leftarrow \sum _{i=1}^n{\displaystyle \frac{{ϵ}_i^t{\lambda }_i^t\left|D_i\right|}{{ϵ}_1^t{\lambda }_1^t|D_1|+{ϵ}_2^t{\lambda }_2^t|D_2|+\cdots +{ϵ}_n^t{\lambda }_n^t\left|D_n\right|}}{g}_i^t$$

(8)

where $g_i^t$ is the gradient of client i in round t. $|D_i|$ is the size of the dataset for client i. In this formula, the more noise, the older the model, and the smaller the weight of the gradient provided by the client. When the client continuously participates in training and adjusts the privacy budget ${ϵ}_i^t$, the weight in the aggregation will increase.

Accordingly, the calculation method for the global model is:

$$W^{t+1}\leftarrow W^t-\eta \sum _{i=1}^n{\displaystyle \frac{{ϵ}_i^t{\lambda }_i^t\left|D_i\right|}{{ϵ}_1^t{\lambda }_1^t|D_1|+{ϵ}_2^t{\lambda }_2^t|D_2|+\cdots +{ϵ}_n^t{\lambda }_n^t\left|D_n\right|}}{g}_i^t$$

(9)

The flowchart of the aggregation scheme is shown in Figure 2. As shown in the figure, in a training round, the green portion represents the time window during which the server receives gradients from clients. In contrast, the red portion represents the time window during which the server performs aggregation and updates the global model. Clients that upload gradients during the green time window are considered regular clients participating in aggregation. Clients who upload gradients during the red time window or do not upload gradients are marked as lagging clients. For users marked as lagging clients, their aggregation weights will decay exponentially over time, allowing them to participate in normal model aggregation again.

4.3. Adaptive Differential Privacy Federated Learning Algorithm

Based on the previously proposed method, we propose Adaptive Differential Privacy Federated Learning (ADP-FL). Figure 3 is the overview of ADP-FL. Algorithm 2 shows the whole process of ADP-FL. ${\mathcal{F}}_{adp}$ is the Adaptive Differential Privacy function. The specific details of the algorithm are as follows:

(1) Steps 2 to 7 are performed by the server. In Step 2, the server initializes the model w and sends it to all clients. Before reaching the maximum communication round E, the server receives the gradient information sent by the clients, aggregates the gradients of each participating client according to the aggregation scheme proposed in this paper, and updates the global model $W_{global}=W-\eta g^{t+1}$, then $W_{global}$ is sent to participating clients to update their local models. After the update is complete, the server resets the obsolescence level of participating clients to 1 based on their participation in this update, and sets the obsolescence level of non-participating clients to $\lambda \alpha$, thereby implementing the algorithm.

(2) Steps 8 to 15 are performed by the client. During the preparation phase of federated learning training, the client receives the initial model w. When the client is selected and the privacy budget has not been fully consumed, the client first receives the latest model parameters $W_{global}$ from the server. Based on the local dataset and the latest global model $W_{global}$, local training is performed to obtain the local gradient $g_t^i$. The privacy budget for this round of training is calculated as ${ϵ}_t^i\leftarrow {\mathcal{F}}_{adp}(t,{ϵ}_{t-1}^i,E)$. Based on the privacy budget ${ϵ}_t^i$ and the Laplace mechanism or Gaussian mechanism, perturbation noise is generated and added to the gradient information, yielding the perturbed gradient information $\widehat{g_t^i}$, while the cumulative consumed privacy budget is updated as ${ϵ}_i={ϵ}_t^i+{ϵ}_i$.

Figure 3. The overview of ADP-FL.

Figure 3. The overview of ADP-FL.

Algorithm 2 ADP-FL

Input:  initial paramenters w, privacy budget $ϵ$, maximum communication round E, accumulated privacy budget ${ϵ}_i=0$, current communication round t, outdated level $\alpha$.   1: Server does:   2: Send initial parameters w to all clients i   3: while $t\le E$  do   4:      $g^{t+1}\leftarrow {\sum }_{i=1}^n{\displaystyle \frac{{ϵ}_i^t{\lambda }_i^t}{{ϵ}_1^t{\lambda }_1^t+{ϵ}_2^t{\lambda }_2^t+\cdots +{ϵ}_n^t{\lambda }_n^t}}{g}_i^t$   5:      Return $g^{t+1}$ to each selected client i   6:      Set participating clients’$\lambda$ to 1, other clients’$\lambda =\lambda \times \alpha$   7: end while   8: Client does:   9: Recieve initial parameters w 10: if client i selected and ${ϵ}_i<ϵ$ then 11:      receive $g^t$ from server 12:      $g_i^t\leftarrow$ local train $(g^t+w_i^{t-1})$ 13:      ${ϵ}_i^t\leftarrow {\mathcal{F}}_{adp}(t,{ϵ}_i^{t-1},E)$ 14:      ${\widehat{g}}_i^t\leftarrow$ add noise $(g_i^t,{ϵ}_i^t)$ 15:      ${ϵ}_i+={ϵ}_i^t$ 16:      return ${\widehat{g}}_i^t,{ϵ}_i^t$ to server 17: end if

5. Experiment

5.1. Experimental Environment

The experimental environment for this paper is an AMD Ryzen 7 5800H (8 cores, 16 threads) with a Radeon Graphics @3.20 GHz processor and an NVIDIA GeForce RTX 4090 Laptop GPU, running on Windows 10. The experiment uses the PyTorch 1.13.1 (CUDA 11.7 GPU-accelerated) deep learning framework, with auxiliary libraries including Python 3.9.12 (code programming), NumPy (numerical computation), Pandas 1.4.2 (data processing), and Matplotlib 3.5.1 (result visualization).

This experiment simulates a server and 50 local client nodes using a simulation experiment. Non-IID data is constructed based on the MNIST, EMNIST, CIFAR10, and CIFAR100 datasets. The non-IID data was constructed based on the MNIST, EMNIST, CIFAR10, and CIFAR100 datasets. To test the algorithm’s impact on highly non-independent and identically distributed data, each client was randomly assigned two labels, with each client’s data accounting for 10% of the dataset. The neural network models include RNN, VGG9, CNN, and Transformer models. Their detailed parameters are shown in

Table 1. Details of datasets and models.

#Dataset	#Records	#Features	#Classes	#Model	#Parameters
MNIST	70,000	784	10	RNN	24,714
EMNIST	814,255	784	62	CNN	206,922
CIFAR10	60,000	1024	10	VGG9	3,491,530
CIFAR100	60,000	1024	100	Transformer	8,568,320

.

The baseline algorithm used in this paper is the FedAvg algorithm, which evenly distributes the privacy budget. It is also the most commonly used algorithm in current research on federated learning based on differential privacy. Let the total privacy budget for each client be $ϵ$, the number of clients selected by the server each time be n, the total number of clients be N, and the total number of communication rounds in federated learning be E. Then, for a single client i, the differential privacy budget ${ϵ}_i$ for each upload is:

$${ϵ}_i={\displaystyle \frac{N_{ϵ}}{nE}}$$

(10)

To test the algorithm’s impact on highly non-IID data, each client was randomly assigned two labels, with each client’s data accounting for 10% of the dataset. The learning rate of the gradient descent model used was 0.01, and the batch size was 16. The number of local training rounds was 3, and the optimizer was SGD. The loss function was CrossEntropyLoss. When testing the accuracy of the ADP-FL algorithm and the baseline algorithm, the privacy budget was set to 1, 5, and 10, with the differential privacy relaxation parameter $\delta$ of the Gaussian mechanism set to 0.00001. When testing the impact of different noise mechanisms, the privacy budget was set more loosely to 10, 20, 30, 40, and 50 to better observe the experimental results.

5.2. Accuracy of Algorithm on Different Datasets

This paper tests the accuracy of the FedAvg algorithm without privacy protection, the FedAvg algorithm with evenly distributed privacy budgets (baseline algorithm), and the ADP-FL algorithm on three datasets under non-IID conditions. The total privacy budget is set to 1, 5, and 10, respectively. Other model evaluation metrics are described in Appendix A.4.

Figure 4, Figure 5, Figure 6 and Figure 7 show the accuracy rates of the proposed method and the baseline algorithm on the MNIST, CIFAR10, CIFAR100, and EMNIST datasets, with all final accuracy rates listed in

Table 2. Accuracy of baseline and ADP-FL algorithms under different privacy budgets $ϵ$.

Algorithm	MNIST	CIFAR10	CIFAR100	EMNIST
Non	87.24	56.08	53.85	67.26
Baseline $ϵ=1$	51.38	Nan	Nan	Nan
Baseline $ϵ=5$	86.20	55.92	53.05	65.43
Baseline $ϵ=10$	86.25	62.15	61.25	64.16
ADP-FL $ϵ=1$	66.73	Nan	Nan	Nan
ADP-FL $ϵ=5$	87.40	56.35	54.54	64.62
ADP-FL $ϵ=10$	92.36	63.85	62.88	69.55

. Among these, “Non” denotes the FedAvg algorithm without privacy protection, and “Nan” denotes the algorithm failing to converge. Non-convergence occurred on the CIFAR10 and EMNIST datasets when $ϵ=1$, as seen in the figure, where the accuracy rate remained at a low level. This paper speculates that this is due to the privacy budget being too small, resulting in excessive noise addition and making it difficult for complex models to converge. In contrast, under the same privacy budget, the algorithm successfully converged on the MNIST dataset with lower complexity.

Compared to the baseline algorithm, the method proposed in this paper achieves higher accuracy and faster convergence speed. When the privacy budget is relatively lenient, the accuracy rate is even higher than that of methods without differential privacy. When $ϵ=1$, compared to the baseline on MNIST, the proposed method improves accuracy by 15.35%. This is because the proposed aggregation method not only considers the impact of noise but also adjusts the weights of lagging clients. Compared to the baseline algorithm, ADP-FL can effectively address the impact of lagging clients. From the experimental results, it is evident that in most cases, ADP-FL achieves higher accuracy compared to traditional local differential privacy algorithms.

5.3. Accuracy of Algorithm Under Differential Privacy Mechanisms

In order to verify the accuracy of the adaptive differential privacy algorithm on different differential privacy mechanisms, this paper conducted comparative experiments on differential privacy algorithms based on Laplace and Gaussian mechanisms. The experimental results are shown in

Table 3. Comparison of accuracy between ADP algorithm and baseline algorithm under different differential privacy mechanisms and privacy budgets on different datasets.

	Gaussian
	$ϵ$	10	20	30	40	50
MNIST	Baseline	73.46	85.82	82.32	83.3	80.28
	ADP-FL	75.04	86.91	82.26	84.91	80.60
CIFAR10	Baseline	27.72	41.13	48.6	47.68	51.4
	ADP-FL	27.98	42.39	50.11	46.34	53.56
CIFAR100	Baseline	30.08	43.13	48.45	47.078	51.43
	ADP-FL	32.98	46.56	46.11	48.34	53.56
EMNIST	Baseline	88.47	97.12	98.05	97.85	98.40
	ADP-FL	90.45	97.70	97.26	98.00	98.91

and

Table 4. Comparison of accuracy between ADP algorithm and baseline algorithm under different differential privacy mechanisms and privacy budgets on different datasets.

	Laplace
	$ϵ$	10	20	30	40	50
MNIST	Baseline	80.95	82.28	82.86	84.74	87.37
	ADP-FL	82.75	80.89	83.67	86.59	87.24
CIFAR10	Baseline	50.23	28.88	43.3	51.53	49.39
	ADP-FL	35.99	46.61	46.64	51.91	49.41
CIFAR100	Baseline	43.76	31.28	42.67	50.56	46.99
	ADP-FL	36.67	43.17	49.07	52.94	50.83
EMNIST	Baseline	97.77	98.35	98.30	98.33	98.24
	ADP-FL	97.80	95.55	98.46	98.41	97.90

. Intuitive experimental results are shown in Appendix A.5. Other model evaluation metrics are described in Appendix A.4.

From the experimental results, it is evident that in the vast majority of cases, the ADP algorithm achieves higher accuracy compared to traditional privacy budget allocation algorithms. Especially under the premise of the same privacy budget, the adaptive differential privacy algorithm proposed in this article outperforms traditional differential privacy algorithms in terms of accuracy, with an average privacy budget allocation in most cases, whether using the Laplacian mechanism or the Gaussian mechanism. Especially on the CIFAR10 and CIFAR100 datasets, the accuracy of the ADP algorithm is generally higher than that of the baseline algorithm. This article speculates that this is because, on more complex datasets, the noise added by differential privacy significantly increases, and the superiority of the ADP algorithm in the reasonable allocation of the privacy budget can be better reflected. On the MNIST dataset, the accuracy of the ADP algorithm can exceed that of the baseline algorithm in most cases. The performance is not significant on the EMNIST dataset because the accuracy of the EMNIST dataset is relatively high, leaving limited room for improvement. A large number of experiments have shown that the ADP algorithm has a certain improvement in accuracy compared to the baseline algorithm.

5.4. Time Complexity of Algorithm Under Differential Privacy Mechanisms

Table 5. Time complexity of the baseline algorithm and ADP-FL algorithm on different datasets, in minutes.

	MNIST	CIFAR10	CIFAR100	EMNIST
Baseline	28	45	295	159
ADP-FL	22	32	248	122

shows the computational time costs of the baseline algorithm and ADP-FL algorithm across different datasets. Since federated learning focuses more on client performance, and servers typically have powerful computational resources, this paper selected the average time consumption of the client, primarily including local training, noise addition, and gradient transmission processes. It did not test the server’s time consumption. The results demonstrate that the ADP-FL algorithm proposed in this paper exhibits lower time consumption and is more advantageous in terms of aggregation efficiency.

5.5. Gradient Leakage Attack

Figure 8 shows the performance of the ADP-FL algorithm in the face of gradient leakage attacks. From the experimental results, it can be concluded that under the premise of privacy budget $ϵ$ and relaxation term $\delta$ within the conventional value range, the ADP-FL algorithm in this paper has a significant effect on gradient leakage attacks.

After multiple tests, we found that the ADP-FL algorithm failed when the privacy budget $ϵ=1000$ and the slack term $\delta =0.1$. At this point, the privacy budget and relaxation term settings have far exceeded the parameter range in general situations. It can be concluded that the ADP-FL algorithm proposed in this paper is resistant to gradient leakage attacks.

6. Conclusions

In the paper, we proposed ADP-FL, a federated learning method based on adaptive differential privacy. First, based on Newton’s cooling law, ADP-FL dynamically adjusts the privacy budget $ϵ$ according to the training progress and accuracy changes. Additionally, this paper optimizes the federated learning aggregation scheme by changing the aggregation weights based on the privacy budget and model obsolescence. Based on MNIST, CIFAR10, CIFAR100, and EMNIST, this paper constructs corresponding Non-IID datasets and validates them using RNN, VGG9, CNN, and Transformer networks. Extensive experiments are conducted on differential privacy algorithms based on Gaussian mechanisms and Laplace mechanisms. The experimental results show that, under the same privacy budget, ADP-FL achieves higher accuracy and lower communication overhead compared to baseline algorithms. In future work, we will explore the method of introducing clusters [37] into the ADP-FL algorithm, while better compressing the model’s parameters, improving communication efficiency [38], and enhancing the security of federated learning.