Institution

Enhancing Privacy Protection in AI Systems, Such as Federated Learning and

Differential Privacy Techniques

Student Name:

Course Code:
 ABSTRACT

As AI systems deal with increasingly sensitive data, the question of their privacy arises. In this chapter, the

study is going to discuss two effective models of privacy: Federated Learning and Differential Privacy. FL is the

training of models across sources of decentralized data without collecting the data whereby the privacy of individual

data is protected. DP guarantees that an AI model output does not expose sensitive information about any individual

data point. All these models are trained on the MNIST data set. This data set contains 60,000 samples for training

and 10,000 samples for testing with each being a 28×28 grayscale image. This means that in this study, FL had a

quite low training loss of 0.3189 and high accuracy of 90.74%, while its validation loss and accuracy were 0.1274

and 96.70%, respectively. In contrast, the DP had relatively large training loss of 1.4815 and an accuracy of 52.07%

with validation metrics of 0.8784 as the loss and 72.83% the accuracy. From the models, FL was strong with high

accuracy and low loss compared with a privacy-preserving mechanism DP.In this respect, the authors suggest that

although FL provides strong accuracy and data privacy, the latter can be enhanced using DP, at the expense of some

degree of performance metrics. A modulated hybrid of FL and DP is, hence, capable in real-world applications of

striking a balance between privacy and model performance. Optimal balancing in this respect, in view of different

degrees of privacy and frequency of clients' participation, will be explored in future research for purposes of

strengthening AI models' degree of effectiveness and privacy protection.

Table of Contents
Abstract.............................................................................................................................................................4
Chapter One: Introduction................................................................................................................................5
1.0 Introduction............................................................................................................................................5
1.1 Background............................................................................................................................................6
1.2 Motivation..............................................................................................................................................8
1.3 Objectives..............................................................................................................................................8
Chapter Two: Literature Review....................................................................................................................10
2. 1 Privacy Challenges of AI Systems.....................................................................................................10
2.1.1 Data Privacy Concerns................................................................................................................10
2.2.2 Model Privacy Concerns..............................................................................................................11
2.2 Federated Learning..............................................................................................................................12
2.2.1 Concept and Principles................................................................................................................14
2.3.2 The Threat Model........................................................................................................................15
2.3.3 Advantages and Limitations........................................................................................................15
2.3.4 Use Cases and Applications.........................................................................................................16
Chapter 3: Conceptual Framework.................................................................................................................18
3.0 Differential Privacy.............................................................................................................................18
3.1 Fundamental Concepts.........................................................................................................................19
3.2 Mechanisms for Achieving Differential Privacy.................................................................................19
3.3 Applications and Adoption..................................................................................................................20
3.4 Enhancing Privacy Protection: Federated Learning with Differential Privacy...................................22
3.6 Global Differential Privacy..................................................................................................................22
Chapter 4: Methodology.................................................................................................................................27
4.0 Python Implementation: Federated Learning and Differential Privacy...............................................27
4.1 Setup and Environment........................................................................................................................27
4.2 Data Preprocessing..............................................................................................................................27
4.3 Federated Learning Model...................................................................................................................28
4.4 Differential Privacy Mechanisms........................................................................................................28
4.5 Evaluation Metrics...............................................................................................................................28
Chapter 5: Results and Discussion.................................................................................................................30
5.1 Experimental Results...........................................................................................................................30
5.2 Analysis of Privacy Protection............................................................................................................32
6. Conclusion..........................................................................................................................................34
6.1 Key Findings........................................................................................................................................34
6.2 Contribution to Future Works..............................................................................................................34
References......................................................................................................................................................36
 Chapter One: Introduction
1.0 Introduction
In recent years, AI technologies have become transformative across many sectors, offering capabilities that
almost a decade ago would have seemed somewhat science-fiction-like. This is largely because AI systems leverage
vast volumes of sensitive data, from health records to financial transactions. However, their relevance and scale in
several domains make them prime targets for malicious actors and subjects of scrutiny within the wider regulatory
landscape[7]. Securing data privacy within AI systems is central to appropriately fostering user trust and ensuring
conformance with privacy regulations, such as the General Data Protection Regulation in Europe and the California
Consumer Privacy Act in the United States.
Traditional approaches to ensuring privacy of data, such as through encryption or access controls, appear
lackluster in the face of the large influx of data within the AI systems. The conventional approaches are often found
lacking in mitigating the risks that arise through data breaches and unauthorized access since the models are often
trained on a large, centralized dataset. A general problem with centralized training of such models is the high risk of
acute data breaches that sensitive information is exposed to[13]. These concerns represent the necessity of the
development of privacy-enhancing techniques at a more advanced level, at the same time ensuring the integrity of
the AI-driven system. In consequence, emerging and successful techniques, such as federated learning and
differential privacy, are promising techniques to guarantee user privacy and security within AI applications.
Among the most promising solutions to preserve privacy in AI systems is federated learning. Unlike
centralized techniques, federated learning enables model training on mobile devices and edge servers without
requiring raw data to be transferred to a central server, hence protecting individual data sources. This approach
toward distributed learning is that it maximizes privacy by avoiding moving data considered sensitive to other
locations. It also allows AI model training on siloed or regulated data, which may not be accomplished due to
concerns about privacy [5]. This makes federated learning particularly useful in situations where data can't be
centralized because it is regulated or logistically challenging, especially in sectors like healthcare or finance.
Another dominant privacy-preserving technique in AI work is differential privacy. It provides robust
protection against disclosure of sensitive details about any particular data point in computational results, even when
auxiliary information is known. It works by adding carefully calibrated noise to the data or to the process of
computation, such that it is difficult to infer anything about the data of any individual from the results. This thereby
keeps the output statistically reliable while providing protection for individual data points.
Differential privacy particularizes in guarding statistical queries such that if a query includes any particular
individual's data, differential privacy makes responses such that nothing could be inferred differently if that
particular individual's data were removed or not included in the query[16]. This statistical deniability is important in
the guarantee of privacy in AI applications, whereby it prevents the big threat of membership inference attacks, in
which an attacker tries to understand whether a particular individual's data is part of the dataset, and reconstruction
attacks, in which an attacker attempts to recover the original data from the outputs.
 Together, federated learning and differential privacy represent powerful tools for enhancing privacy in AI
systems. Federated learning works regarding the challenge posed by data centralization through decentralized model
training, while differential privacy ensures that each data point remains private upon analysis and computation. Used
collectively or independently, these are very important in constructing safe and trusted AI systems, following strict
privacy regulations and protecting user data against malicious actors[22]. Despite the potential of federated learning
and differential privacy, several practical issues still need to be figured out while integrating and deploying them.
One of the main challenges related to federate learning is the construction of robust communication protocols and
efficient aggregation mechanisms. As federated learning envisions several devices locally training models and
sending updates to a central server, highly reliable and secure communication channels are imperatively necessary.
Differential privacy also raises significant challenges, mainly concerning computational overhead, but it
involves trade-offs between privacy and utility. Differential privacy algorithms add noise to data or computations,
which can reduce the accuracy of results. Thus, there is a need to set the correct balance between these two metrics.
If the noise is too high, the utility of the data diminishes; if it is too low, privacy may be compromised. This makes
this tradeoff particularly challenging in the mandates of high-data-fidelity scenarios such as medical diagnostics or
financial modeling[14]. Moreover, the computational overhead associated with differential privacy can potentially
be substantial, since generating and applying the noise typically requires additional processing, rendering differential
privacy less feasible in resource-constrained environments.
To tackle these challenges, several prospective solutions are still under research. In the case of federated
learning, ongoing work on secure multi-party computation, homomorphic encryption, and communication-efficient
protocols aims to improve the security and decrease the pressure on communication resources. In the case of
differential privacy, adaptive privacy budgeting and developing hybrid models that combine differential privacy
with other means of privacy preservation are used to strike a better balance between privacy and utility.while
federated learning and differential privacy hold immense promise for the augmentation of privacy in AI systems,
their deployment in practice is associated with serious technical issues; solutions to these are key to unlocking the
promise of fully privacy-preserving AI technologies.
This research identifies the underlying principles, advantages and disadvantages, and applications of the federated
learning model. Federated learning enables decentralized model training, where data remains on local devices, thus
safeguarding individual privacy and avoiding raw data transfers to a central server. This approach is most beneficial
in industries like healthcare and finance, where sensitivity of data and other regulatory requirements are top
priorities.to federated learning, this paper will cover differential privacy, a mechanism introduced by adding
controlled noise to data or computations in order to prevent the identification of individuals within a dataset.
Differential privacy guarantees that nondisclosure or disclosure of whether a single data point is in the dataset
should not make a significant difference, hence preserving user privacy even if some auxiliary information exists to
potential attackers.

Figure 1: privacy preserving network

The relative comparison illustrated in the paper will contrast the strengths and weaknesses of the two methods
mentioned. While federated learning does well in an environment with decentralized data, varying privacy
requirements, and faces challenges from the communication overhead and data heterogeneity, differential privacy
with strict mathematical privacy guarantees poses the need for the preprocessing of data, which usually requires
delicate tuning to balance the privacy and utility of the data and at the cost of more computational need.this research
is the first to operationalize the practical utility of federated learning and differential privacy in a fully implemented
Python code base, bringing them to realistic settings.
The implementation illustrates how such techniques can be leveraged for developing privacy-preserving AI systems,
hence setting a practical groundwork for both developers and researchers alike. By showing the efficiency and the
challenges related to the use of such privacy-enhancing techniques, it will be highly responsible for the
dissemination and widespread adoption of privacy-preserving AI technologies[27]. This comprehensive study will
serve again to clear the air on practical considerations and potential regarding federated learning and differential
privacy, thus enabling more trust in AI systems and responsible use in sensitive applications. The insights gained
from this research will be invaluable for developing AI systems that prioritize respect of user privacy while
maintaining high utility and performance.
1.1 Background
The growing deployment of AI applications across society has increased the attention on privacy issues.
Often, AI systems require massive amounts of data to be effective. Henceforth, misuse of personal data through
advanced AI algorithms can enable unauthorized access and exploitation of sensitive information. Sensitization
around privacy in AI systems has spurred the development of concomitant new approaches by researchers and
practitioners for handling this.One of the key privacy challenges in AI systems is the centralization of sensitive data
for training models[31]. To this point, in traditional machine learning models, data from different sources are pooled
in and used to train models at a centralized location. Centralization of data creates risks for both security and
privacy. Firstly it acts as a honey pot for hackers, making it more data-breached and at more significant risks. When
data is pooled into a single repository, it creates a target that is incredibly profitable to hackers, significantly raising
the risk of breaches and unauthorized access.

New privacy-preserving measures try to address these issues. Some prominent ones include federated
learning and differential privacy. While federated learning decentralizes the model training process, with data
residing locally on devices and only model updates shared with a central server, which doesn't risk data breaches as
the raw data never leaves its original device, differential privacy only ensures that the participation of a single datum
will not significantly influence the gain or loss of a decision about any individual. It does this by introducing just the
right amount of noise into the data or computation. Such techniques hold much promise, but there are practical
challenges in their implementation: great communication protocols and efficient aggregation mechanisms are
required[22]. Differential privacy brings in some trade-offs between privacy and data utility through its parameter
optimization. It is paramount for these challenges to be addressed for the full-fledged adoption and effectiveness of
widespread privacy-preserving AI technologies.
 Aggregate data privacy is championed with decentralized model training, hence making federated learning
effective. Federated learning differs from traditional centralized methods in that model training occurs on edge
devices or user devices without sending raw data to the central server. Instead, it includes sharing model updates
such as gradients or weights between devices and with the central server[19]. This makes sure sensitive data is kept
local, considerably lowering risks of data breach or any unauthorized access. Dealing with sensitive medical data
can be successfully managed by federated learning, since the data never leaves the patient's device, hence
maintaining privacy and satisfying all regulations that prohibit data sharing and data transfer.
In federated learning, different data sources can be incorporated, thus making models more robust and
general without compromising privacy. It is in scenarios of sensitive data, where data cannot be moved because of
privacy regulations.Differential privacy can give strong mathematical assurance that privacy will not be breached by
an AI system. It guarantees that the output of a differentially private computation does not meaningfully change
whether any individual data point is included in the input. The noise is added in a way that leakage from the
computations prevents adversaries from being able to make any private inferences about any specific data point. The
noise addition ensures that the privacy of individuals is protected, as the presence or absence of any single data point
does not significantly alter the results.
Differential privacy is particularly beneficial when means, variances, or any other forms of descriptions of
the aggregated data results are shared or published because, even in the presence of auxiliary information, sensitive
information remains unattainable. By doing this incorporation of differential privacy, the AI systems can get strong
privacy guarantees and, at the same time, can maintain the utility of data. Together, federated learning and
differential privacy thus provide powerful solutions to enhance privacy[21]. While federated learning takes care of
the problem of data centralization by enabling decentralized model training, differential privacy caters to the
protection of individual data points by robust mathematical guarantees. These techniques are essential for building
secure, trustworthy AI systems in compliance with privacy regulations and protecting user data from malicious
actors.
However, both federated learning and differential privacy—the most promising avenues for enhancing AI
privacy—have their own major directions of improvement to jointly solve formidable challenges in implementation
and adoption. The key tools that make up federated learning include secure communication protocols, effective
mechanisms of aggregation, and the ability to deal with heterogeneity of data emanating from different sources. For
differential privacy, the major challenge is to optimize privacy parameters so that the trade-off between privacy and
utility is minimized, with usually large computational costs.
Federated learning involves robust communication protocols that guarantee secure transmission of the
model updates between the devices and the central server. This entails protection against possible attacks that may
intercept or tamper with the data in transit[14]. There is need for effective aggregation mechanisms able to combine
model updates from different devices in a way that preserves the integrity and accuracy of the global model. The
heterogeneity of data is a critical issue, given that data from different sources may largely differ in terms of features,
quantity, and quality. In that regard, it is crucial to ensure that federated learning systems can handle such diversity
to be broadly applicable.Differential privacy adds noise to the data or computations to protect individual data points.
Such a process calls for delicate recomposing of privacy parameters to ensure noise addition is enough, yet it is
sufficient to offer the necessary protection without rendering data valueless. This trade-off between privacy and
utility, in general, is associated with a huge computational overhead because addition of noise and the subsequent
analysis of data are resource-intensive activities. Researchers still need to discover effective algorithms and
techniques that successfully strike this trade-off with an improved computational profile with little impact on the
assurance of privacy and data utility
The rise in importance for privacy in AI systems therefore calls for a complete understanding of how
federated learning and differential privacy can be successfully implemented and optimized. The present study,
therefore, estreats to cover this gap by examining the principles, advantages, limitations, and applications of
federated learning and differential privacy[11]. The study will, through this examination of these techniques,
emphasize their importance in the development of AI systems offering a more considerable level of privacy to the
users.More than providing only a theoretical framework explanation of the privacy enhancement techniques in AI,
the research will be providing practical insights through Python implementation. providing an insight into how these
methods can be implemented in realistic settings, the study will push the field a step closer to the adoption and
development of privacy-preserving AI technologies. The results will be of great value for researchers, developers,
and practitioners seeking to implement effective privacy in AI systems while at the same time protecting user data
and preserving the utility and performance of AI models.

1.2 Motivation
The present research is thus motivated by the pressing need to address issues of AI privacy that are
increasingly gaining prominence in our lives. With the increasing relevance of AI technologies in sectors like
healthcare, finance and transportation, ensuring data security has become even more imperative. Privacy breaches
not only compromise sensitive information from individuals but also erode public confidence and cause significant
legal and regulatory challenges for organizations. In particular, the GDPR applies to Europe, and the CCPA applies
to firms that collect personal data within the United States, establishing stringent procedures for maintaining
privacy. Failure to comply and meet these strict standards has resulted in drastic penalties levied against
noncomplying organizations. Organizations that fail to reach this level of privacy are subject to high penalties and
may face potential damage to brand reputation when legal ramifications and fines are passed.
Naturally, as the field of AI continues to become firmly established and shape several aspects that
contribute to value in society—ranging from healthcare delivery to financial decision-making and even
transportation systems—robust privacy measures become of utmost priority. It is for this reason that people prefer to
use AI programs, where their sensitive data is stored on the condition that it will not be accessed nonsensitively or
misused[26]. Thus, there must be a strong requirement for ensuring that AI systems preserve privacy and security in
order to maintain public trust and confidence in technology. With all these challenges and complexities of AI
privacy, in this research, we will provide insights towards the development of effective privacy-preserving
techniques that will guarantee regulatory compliance with individuals' privacy rights. Therefore, we will want to
propose a deep understanding of federated learning and differential privacy, substantiated with practical
implementations, to propose useful insights for organizations and policymakers working to negotiate the dynamic
landscape of regulation and enforcement in the area of AI privacy.
Federated learning and differential privacy are some of the most promising ways to ensure effective privacy
in AI systems, with a decentralized approach to model training that provides robust mathematical guarantees against
sensitive data distributions' exploitation. In this respect, particular interest in these techniques is driven by the
potential of changing the way AI and ML systems handle sensitive information, thus ensuring user privacy.The
proposed research shall evaluate these two strategies thoroughly, respecting their importance in empowering
companies and practitioners in the complex data privacy landscape[17]. More specifically, understanding the
principles and practical applications of federated learning and differential privacy will allow an organization to
develop and support trust and enhanced compliance in a data-driven society.In federated learning, model training is
performed by decentralized devices, such as mobile phones or edge servers, without requiring the raw data to be
transmitted to a central server. This will not just keep individual data sources private, but also make it possible to
develop and train AI models based on siloed or regulated data that reside across them, in full compliance with
regulations such as GDPR and CCPA.
On the other hand, differential privacy gives strong mathematical guarantees that the output of
computations remains unchanged, regardless of whether specific individual data points are included. By adding
carefully calibrated noise to data or computations, differential privacy ensures that sensitive information cannot be
revealed from a computation, thereby safeguarding user privacy even in the presence of auxiliary information. The
work shall evaluate the techniques of federated learning and differential privacy to provide leading companies and
practitioners with the tools and knowledge necessary for enhanced privacy protection in AI systems. Through the
adoption of these state-of-the-art approaches, an organization can bolster trust among users and stakeholders as
proof of its firm commitment to sound data-handling practices and seamless regulatory compliance.
1.3 Objectives
The main objective of this research is to explore and assess the effectiveness of federated learning and
differential privacy techniques in improving privacy protection in AI systems. Specifically, the research will seek to
apply:
1. A critical and deep review of federated learning and differential Privacy is presented in this paper, focusing
on their principles, advantages, limitations, application domains, and areas applied to solving real-world
problems
2. Compare federated learning with differential Privacy from both sides based on their strengths and
weaknesses to reveal the essentials of Privacy.
3. Explore the realistic applications of federated learning and differential privacy methods implemented in
Python code that need to be set in context with its application to a simulation.
 Chapter Two: Literature Review
2. 1 Privacy Challenges of AI Systems
In today's world, however, with the spread of artificial intelligence (AI) applications, driven by very
powerful machine learning algorithms, issues of privacy have developed into a matter of deep concern across many
application areas of modern life. From social media recommendation services to health diagnosis services, AI-based
systems have turned into a crucial component supporting day-to-day operations. Still, the ever-growing usage of AI
has also given rise to a host of privacy concerns at both the level of individual data points and the underlying models
themselves.Data privacy is a major concern in AI systems because they involve dealing with large volumes of
sensitive data. This includes personal information, medical records, and financial transactions, among many others,
which need to be kept confidential to avert unauthorized access, breaches, and misuse. Moreover, the centralized
nature of data storage and processing poses challenges to privacy[15]. This is because data may be combined from
myriad sources into one storing system. When this is done, the possibility of data breaches is higher, with exposure
to dangers that might be a threat to an individual's information.
Data privacy becomes even more complex in the context of regulatory compliance for AI systems. In fact,
regulations such as Europe's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act
(CCPA) are strict with regard to the collection, processing, and storage of personal data. AI systems must operate
within these regulations to protect the privacy of users and avoid legal penalties. Compliance must be ensured
throughout the entire AI lifecycle through data governance, transparency, and accountability mechanisms [6].On top
of this, model privacy challenges present another layer of complexity on the privacy landscape of AI systems. AI
models can be used by adversaries to derive sensitive information about people in this connected world through
model inference attacks. This constitutes a huge breach of privacy because through this, attackers can have insights
into user behavior, preferences, and traits
Inferential abilities of AI models, especially those built up of deep neural networks, have created concerns
of achieving transparency and accountability. How data is manipulated and how AI must be making decisions is
incomprehensible to the end-user, which leads them to the distrust and hence reluctance to use these systems for
privacy protection. Multi-faceted strategies are required considering these challenges that include a combination of
better security measures with privacy-ensuring techniques and regulations that mandate compliance to protect
information. Privacy risks can be reduced and trust can be built with users and other stakeholders through the
implementation of techniques that protect data and models.
2.1.1 Data Privacy Concerns
The collection, processing, and utilization of large amounts of sensitive data for machine learning model
training have become an important source of privacy concern in AI systems. Particularly in an AI model, in which
the ultimate decisions are based on this database, it becomes especially important to ensure that the data is robustly
protected. However, privacy approaches, such as encryption and access controls, generally fail to apply in the
context of AI applications. This is mainly because of the unique challenges involved in this context, which come
from large, heterogeneous datasets sourced from diverse and possibly untrusted sources[13].In settings where such
extensive and varied datasets are used to train models, such as in the context of AI, traditional methods like
encryption and access controls are frequently inadequate. Such methods may not be scalable or adaptive to the size
and complexity of AI datasets. In addition, these approaches often do not sufficiently address the need to preserve
the privacy of individual data points or protect against attacks aimed at inferring sensitive information from model
outputs. Furthermore, this does not take into account the fact that some applications cannot share the data with the
servers.
There is a growing interest in more advanced privacy-preserving techniques, specifically tailored to the
demands of AI systems. In particular, approaches like federated learning and differential privacy have gained
attention as promising solutions to these problems. The data is trained in a decentralized manner in federated
learning, and the training data stay on local devices, while only the model updates travel between the devices, thus
minimizing the potential for data exposure. The latter offers strong, mathematically proven privacy guarantees by
the addition of carefully calibrated noise to the data or the computations conducted on them in order to prevent the
leakage of the privacy of individual data points.AI systems are able to preserve sensitive information effectively and
protect user privacy yet reap large-scale data analytic and model training benefits[18]. However, there is also a need
for future research and development that further refines these approaches, thus optimizing them to meet the
respective privacy challenges that will dawn with future AI systems. Together with further innovation, this will
move the area forward towards the goal of a future in which privacy and AI harmoniously coexist in support of
responsible and ethical data-driven technologies.
One major issue of concern for data privacy in AI is centralized data aggregation. Under a centralized
model, data from diverse sources is relayed to a single repository for purposes of aggregation. It is generally easy
and therefore convenient for training when in such a centralized training process, but it defies the odds and risks data
privacy and security. When data from different sources is aggregated and handled together, organizations expose
their critical data to breaches and unauthorized access.Centralized data repositories raise the stakes for malicious
actors attempting to exploit the weakest links in organizational security defenses[11]. Breaches of a centralized
database expose large quantities of sensitive information, including personal information, financial documents, and
proprietary information. Additionally, the impact of security incidents is multiplied by the single point of failure
inherent in centralized data storage systems. The breach or any security incident involving a centralized repository
will have far-reaching impacts, considering all data stored therein.
 What's more, centralized data aggregation increases the risk of regulatory non-compliance, especially for
organizations in highly regulated industries, such as healthcare and finance. The General Data Protection Regulation
in Europe and the California Consumer Privacy Act in the United States impose far-reaching requirements on how
personal information is collected, processed, and stored. Organizations that fail to secure centralized data
repositories stand the risk of heavy fines and reputational damage for noncompliance with the above.To mitigate
these risks, it has become important for organizations to look into alternative approaches such as federated learning
and differential privacy[14]. Such techniques enable decentralized model training and data analysis, allowing
organizations to benefit from AI without necessarily compromising data privacy and security. Decentralizing
approaches to data aggregation not only reduce the risk of data breaches and unauthorized access but also allow
compliance with regulatory rules and user privacy safeguards.
Recent privacy scandals and data breaches underline the critical importance of implementing robust
privacy-preserving techniques in AI systems. With the rise in data-driven technologies and growing reliance on AI
algorithms for decision-making, privacy of users has become a serious concern for organizations across the globe in
almost all domains. In response to these concerns, emerging techniques such as federated learning are gaining
traction as effective solutions to address data privacy issues in AI systems[12].Federated learning changes the
paradigm for model training by allowing training to proceed over many participating devices in a decentralized way
across using mobile devices and edge servers. Unlike conventional centralized approaches, where data is gathered
into one repository and analyzed, federated learning allows the training of such models while at the same time
keeping the data local at the source. This means the fact that the raw data transfer is very limited, which reduces the
exposure and unauthorized access to data.
The decentralized nature of federated learning brings several key benefits for privacy preservation within
AI systems. Since data remains on the local devices, federated learning involves no privacy risks regarding
centralized data aggregation. As each device has control over its data, this exercises the premise of the privacy and
control of the user, ensuring that no sensitive information is leaked to third parties. Besides, FL exchanges the
update of the model during the process, not the raw data, which improves the privacy level.It further promotes
collaboration between different sources while maintaining privacy. Such an ability to train models collaboratively
across different sources of data means that organizations can harness the collective intelligence of their data assets
while maintaining the privacy of respective users[8]. The source of the data here can collaborate in the training
mechanism for innovation and knowledge gain, with relevance to the issue of privacy being addressed sufficiently.
Privacy techniques such as differential privacy are gathering importance in improving privacy in AI.
Differential privacy attains mathematical guarantees of privacy by adding deliberately calibrated noise to the data or
computation, ensuring the protection of individual data points even in the face of auxiliary information. Federated
learning is a very promising solution to the data privacy issues surrounding AI systems. Federated learning, by
allowing decentralized model training over distributed data sources, offers a scalable and privacy-preserving
solution for organizations to leverage AI technologies while preserving user privacy. In light of increasing adoption
of federated learning, the frontier for development of AI will be radically transformed, leading to a new order in a
privacy-respecting and trusted digital ecosystem.
 At its core, differential privacy prevents individual data points from being revealed in the output of
computations, no matter how much auxiliary information an adversary has or how strong an attack is being
conducted. It does this by using calibrated noise in the computation to ensure the result is approximately the same
and indistinguishable whether a particular data point is included in the input. By obscuring the contribution of
individual data points to the computation result, differential privacy provides powerful privacy guarantees that
remain robust even when faced with adversarial attempts to draw inferences about sensitive information[13]. The
beauty of differential privacy falls in the fact that this strong guarantee of privacy is provided without in the least
way reducing utility from the data or the accuracy of computation results. By adding the right amount of noise to
make this balance, differential privacy makes sure that the data stays useful for analysis and decision-making while
privacy is ensured for every person. Differential privacy also provides an approach to privacy that is generally
applied to data computation and types of data sources. Sensitive health records or financial transactions can be
analyzed based on the principles of differential privacy so that individual privacy is preserved without
compromising the insight derived.
The adoption of differential privacy becomes especially significant in the case of AI systems, a domain
where privacy is a critical concern in applications like healthcare, finance, or social media. Organizations can
include differential privacy as part of an AI algorithm or data processing pipeline to build trust among users and
their stakeholders by showing an organizational-level commitment to protecting privacy rights.Adoption of
differential privacy further spans the gap into which organizations are required to adhere to strict privacy
requirements associated with regulatory compliance. In the implementation of differential privacy techniques,
organizations ensure that the use of their data complies with these regulations, while unlocking AI technologies for
data-driven insights and decision-making[16]. Differential privacy is a principled approach to privacy that provides
solid mathematical guarantees against the disclosure of sensitive information. The use of techniques related to
differential privacy in the implementation of AI algorithms and data processing increases privacy protection,
stimulates trust among users, and ensures compliance with regulations.
2.2.2 Model Privacy Concerns
Aside from the problem of privacy in the data point itself, AI systems also deal with the critical issue of
model privacy. Such issues may rise from adversaries obtaining sensitive information from the AI model directly
and manipulating its behavior against the user's interest.An acute problem in model privacy is the problem of model
inversion attacks, in which adversaries attack and attempt to recover sensitive input data given the model's output
behavior. For instance, an adversary can carry out model inversion attacks to deduce the sensitivity of people to
medical conditions or some demographic characteristics using a health dataset. Essentially, through repeated queries
to a predictive model and analysis of the responses, the adversary could backward-engineer the information that was
used to train such a model. If that information is sensitive, then turning this around would impact user privacy.
 Model inversion attacks have been studied in great length and continue to be one of the most acute
problems of privacy, especially if such attacks are performed on a large scale or there exists a direct degradation of
life quality with bad model decisions. For example, health data about patients would be inferable in healthcare
settings, leading to consequential discrimination or other adverse outcomes. The problem of model privacy is that
it's more general than the class of model inversion attacks, where adversaries might infer more than intended about
the training data, including the ability to perform attacks on model output, and thus compromise user privacy.Model
privacy concerns span a wide spectrum, with inversion attacks being only one example.
Adversaries can also compromise the behavior of AI models through other attacks, ranging from data
poisoning to adversarial examples, which introduce biases or vulnerabilities to the model in a way that debases
performance or its integrity. Ensuring this privacy involves various security measures, privacy-preserving
techniques, continuous monitoring, and evaluation embedded in AI systems. Organizations would need to
implement such protections against model inversion and other privacy risks, such as strong access controls,
encryption methods, and differential privacy mechanisms.
Research and development are also very important for organizations to stay ahead of the threats and
vulnerabilities of emerging threats in AI systems[4]. This way, research and development will constantly refine and
update the security and privacy measures that would always ensure that the AI systems are resilient to adversarial
attacks and hence supporting the privacy rights of users. An important worry for AI systems across the board is
model privacy, because adversaries are always on the lookout to exploit the vulnerable points and weak points of the
system to access crucial information or model tampering. If proper measures pertaining to security and privacy-
preserving techniques are employed, these can be mitigated and, hence, privacy for the users may be ensured in a
world where information is shared increasingly.
Membership inference attacks present another serious risk factor for privacy in AI systems, particularly in
protecting the confidentiality of training data. Such attacks work by inferring whether inferences generated by
specific data points within the dataset belong to a part of the in-sample training data used to train the AI model.
Through identifying the subtle changes in the model output, adversaries can deduce from that whether a certain
piece of data was part of training instances, thus risking subject privacy for in-scope data subjects. Membership
inference attacks aim to preserve the confidentiality of training data and, in extension, the privacy of participants in
the set[1]. Knowing which points were parts of the training set allows an adversary to potentially compromise
sensitive information about individuals, such as preferences, characteristics, or patterns of behavior. This
information can actually be used for malicious purposes or in personalized attacks on the data subjects to
discriminate against them or actually attack them.
Membership inference presents a huge privacy risk, primarily in contexts where models are trained on
sensitive or private data like health or finance data. If attackers can successfully identify those data points that
belong to the training data, it opens up potential breaches in security or compromise in the private nature of persons'
data.Fending off the threats of membership inference calls for the implementation of effective security mechanisms
and privacy-preserving technologies. This includes mechanisms such as differential privacy, which essentially
involves adding noise to the completion process to ensure that the privacy of individual data points is protected.
Organizations have to, therefore, be wary of the nature of data whose integrity they entrust to AI models and
subsequently implement proper access control and encryption strategies to avert unauthorized access or disclosure.
Organizations can better protect user privacy and establish trust among stakeholders by protecting attackers from
membership inference attacks and using effective privacy protections[2]. In addition, the continuous research and
development in this respect are important to be on top of new threats and vulnerabilities that may appear in AI
systems at all times and to ensure continued focus on user privacy in a more data-centric world.
Model poisoning and evasion attacks represent additional threats to privacy in AI systems, leveraging
vulnerabilities in learning models to compromise privacy and integrity. These attacks exploit weaknesses in AI
models to manipulate their behavior and undermine the confidentiality and accuracy of the predictions.In model
poisoning attacks, adversaries introduce poisoning samples into the model's training data with the objective of
altering the model's behavior. By strategically injecting malicious data points into the training dataset, adversaries
can induce the model to produce poor-performing or biased predictions. This manipulation of the training data can
result in significant privacy breaches, as the model may inadvertently learn to make inaccurate or discriminatory
predictions based on the poisoned dataset.
On the other hand, evasion attacks involve manipulating input samples to mislead the AI model during
inference. Adversaries exploit vulnerabilities in the model's decision-making process to craft input samples that are
specifically designed to evade detection or classification [15]. By subtly altering the input data, adversaries can
deceive the model into making incorrect predictions or failing to recognize certain patterns, compromising the
privacy and security of the system. Both model poisoning and evasion attacks pose significant threats to user privacy
in AI systems, as they can lead to inaccurate or biased predictions that may result in privacy breaches or
discriminatory outcomes. Moreover, these attacks can undermine the trust and confidence of users in AI
technologies, leading to widespread skepticism and reluctance to adopt AI-driven solutions.
To mitigate the risks associated with model poisoning and evasion attacks, organizations must implement
robust security measures and defense mechanisms. This may include techniques such as anomaly detection, model
verification, and adversarial training to detect and mitigate the impact of malicious attacks on AI systems.
Additionally, organizations should regularly monitor and evaluate their AI models for signs of tampering or
manipulation, and promptly respond to any detected threats or vulnerabilities. Addressing the threat of model
poisoning and evasion attacks, organizations can enhance the privacy and security of their AI systems, safeguarding
user data and maintaining trust among stakeholders. Moreover, ongoing research and development efforts are
essential to stay ahead of emerging threats and vulnerabilities in AI systems, ensuring that user privacy remains
protected in an increasingly interconnected and data-driven world.
Protecting model privacy from adversarial invasions requires a multifaceted approach that marries strong
defense mechanisms with robust mitigation strategies. Organizations can only boost the resilience of their AI models
to adversarial attacks by ensuring a high level of security measures through secure AI technologies. These would
entail the deployment of state-of-the-art security protocols, encryption techniques, and intrusion detection systems to
detect and avert potential threats to the model privacy[22].The use of secure AI technologies in the process of
verifying the resilience of AI models is very crucial. Verification techniques include adversarial training and model
verification, which provide organizations with insight into vulnerabilities or weak links in their AI models, thus
helping them to address possible security risks prior to exploitation by adversaries. As organizations are able to
further monitor and evaluate the posture of the security of their AI models, it will help improve their mitigation
defenses against adversarial invasions that might affect model privacy.
Ensuring the privacy of data in both training and sensitive output is carried out through the use of such
advanced privacy-preserving machine learning techniques as federated learning and differential privacy. Federated
learning enables decentralized model training over distributed data sources to ensure that sensitive data remains
local and is not exposed to third parties in the whole training process[11]. This approach helps in minimizing the
risks associated with data breaches and unauthorized access, thus enhancing the security and privacy of AI systems.
In the same vein, it gives strong mathematical assurance of privacy, by adding noise to the data or computation in a
carefully calibrated way, guaranteeing the protection of individual data even in the presence of auxiliary
information. By incorporating the mechanism of differential privacy into AI algorithms and data processing
pipelines, the organizations will make sure to mitigate the threats of privacy breaches and meet the compliance
requirements of regulatory bodies.

Chapter 3: Conceptual Framework

3.0 Differential Privacy

Differential Privacy is a privacy-preserving mechanism that provides strong guarantees in terms of protection of
sensitive information present in statistical databases or machine learning models. These considerations make it a
strong tool to be used for ensuring privacy-aware applications over different domains.At its core, differential privacy
aims to provide privacy guarantees by introducing randomness into data analysis processes. The basic idea at the
core of differential privacy is to try as much as possible to ensure that the presence or absence of the data associated
with any individual makes little difference to the outcome of any calculation. That is to say that differential privacy
looks to make individual contributions to the data much harder to decipher, while the data at an aggregate level
remains amenable to reasonable analysis.

One of the paramount mechanisms to achieve differential privacy is data or response perturbation using the addition
of noise. Carefully calibrated noise that is added to either the data or the query output makes it far more difficult for
attackers to determine individual contribution back to the data, or to generally infer—through a nontrivial machine
computation—anything sensitive to a particular individual[7]. The noise infusion mechanism also obfuscates the
genuine individual data points and permits meaningful analysis of the aggregated results.a good inducer of
differential privacy having close proximity is the use of noise injection mechanisms to ensure privacy. Thus, noise
addition protocols introduce privacy protection, called privacy budgets, in sequential risk-calling series or
computations that refer to the results of the queries or computations made before. The idea of managing privacy
budgets well is of crucial importance in order to keep long-term privacy protection associated with preserving the
ability to extract useful information from data.
Differential privacy has its realization with these choices: the noise mechanism, the exact amount of noise to be
added, and how to manage privacy budgets. Also, differential privacy techniques require careful tailoring to specific
application scenarios and data types for best privacy protection while still enabling data analysis. the deployment of
differential privacy comes with certain challenges, such as the trade-offs between privacy protection and data utility.
Adding noise to the data or the responses of some query can then degrade the accuracy or precision of the results
and lead to some degradation in utility for some applications. Such trade-offs between privacy and utility are crucial
to taken into concern in the design and implementation of differential privacy.As privacy becomes one of the most
important notions in various application domains, enabling differential privacy is expected to become more
widespread in the development of privacy-respecting applications.

Figure 2: Conceptual Framework of Differential Privacy

3.1 Fundamental Concepts

The mechanism's output distribution should not be hugely affected by the presence or absence of any one
data point in the dataset. Formally, a randomized algorithm satisfies ε-differential privacy if, for all pairs of neighbor
datasets D and D' differing on one individual's data, and all subsets of outputs S, the probability that the mechanism
returns an output in S when presented with D is at most e^ε times the probability that it returns an output in S when
presented with D. Here, ε is the privacy parameter, giving the level of privacy protection; smaller values mean
stronger privacy. It is known that with ε = 0, we have perfect privacy as a probability loss value.Differential privacy
formalizes the idea that no observer with any amount of knowledge, intention, or computational resources can
determine whether any specific piece of data was in the input to a mechanism or not by looking at its output. While
it is a very powerful property from the viewpoint of privacy attack, including reconstruction attacks and membership
inference attacks, by guaranteeing in distinguishability, differential privacy provides plausible deniability
concerning the inclusion of individual data points in the data set.
The power of this property is strong, allowing the approach to ensure individuals' privacy in data analysis
related to machine learning tasks. Through the introduction of randomness in the computation process and the
guarantee of in distinguishability between two neighboring datasets, differential privacy ensures strong privacy
while allowing for meaningful data analysis[18]. Hence, differential privacy acts as a powerful tool in developing
privacy-preserving applications in a wide range of domains, from health and finance to telecommunication and the
Internet of Things. Differential privacy techniques are also bound to be used widely in the design and
implementation of data-driven systems, as concerns over privacy issues continue to grow in relevance.Central to the
differential privacy definition is indistinguishability: a mechanism is differentially private when the existence or
non-existence of any particular data point of a single individual or another drastically affects the output distribution
in a manner that is impossible to discern. Formally, a randomized algorithm M satisfies E−¿ differential privacy
if, for any pair of adjacent datasets , D and D ' that differ in only one individual data and for any subset of
outputs S the following condition holds:

Pr [ M ( D ) ϵ S ] ≤ e ϵ × Pr ⁡[ M ( D' ) ϵ S]
Where ε =0 is the privacy parameter, controlling the level of privacy protection. Smaller values of ε correspond to
stronger privacy guarantees, with ε =0 representing perfect privacy.
Differential Privacy guarantees that no observer—no matter how omniscient, nefarious, or resourceful—
could use the mechanism's output to tell whether any particular piece of data had been included in its input. In so
doing, the substantial property against privacy attacks—reconstruction attacks and membership inference attacks—
gives a plausible deniability of data belonging to any individual.
3.2 Mechanisms for Achieving Differential Privacy
Differential privacy is a powerful conceptual approach for protecting privacy-sensitive information within
statistical databases and machine learning models. The idea at the core of differential privacy is that an adversary
should not be able to distinguish whether a particular data point is in a dataset based on what it observes from a
randomized response. The basic building points of differential privacy are that it introduces randomized processes
into data analysis in a manner that makes it hard for adversaries to learn about individual contributions or other
sensitive information. Mathematically, a mechanism is ε-differentially private if the probability that the mechanism
outputs any one answer given a particular dataset is at most e^ε times the probability that the mechanism outputs the
same answer on a dataset differing only by whether or not an individual's data is present[13]. The parameter ε
describes how much privacy is given, and smaller values mean more privacy guarantees left. Furthermore,
parameter δ describes situations where strict probability bounds cannot be accurately be determined due to privacy-
preserving processes. Gaussian mechanisms are often used to inject Gaussian noise into numeric data to preserve
differential privacy.

Figure 2: AI data privacy Architecture

To provide (ϵ,δ)-differential privacy, the scale of noise σ should satisfy some criteria, for example, such
that σ ≥ c ∆ s /∈, where c ≥ √ 2 ln ⁡¿ ¿ for ∈ (0, 1), for ∈ (0, 1),. In this formula, (∆s) is the sensitivity of the
corresponding function, measured as the maximum difference between the outputs of neighboring datasets. By
adding Gaussian noise with the said parameters, the mechanism results in differential privacy at the global level,
ensuring that individual data points remain safe, while contributing valid results from analyzing the dataset.In the
more practical application, differential privacy techniques are actually coming into play in all kinds of areas, ranging
from healthcare to finance and telecom[24]. For example, in healthcare, there is a demand for a rigorous and flexible
approach to ensuring patient privacy and model robustness when jointly training models on EHR data from different
hospitals and clinics. With the help of federated learning and differential privacy, healthcare institutions can
collaboratively generate model insights from EHR data across different hospitals and clinics to develop predictive
models for disease diagnoses and personalized treatments in a privacy-preserving manner.
In the context of telecommunications, federated learning enables mobile network operators to optimize
network performance and quality of service estimation using data from millions of connected devices. By training
models on distributed data sources, federated learning is able to avoid centralizing data while minimizing the cost of
data transfer, delay, and privacy risks, thereby making the network more effective for users. Not only that, but
federated learning applied in the field of IoT also makes edge devices such as sensors and wearables capable of
performing learning and creating local settings without depending on any central servers, which also increases data
privacy and efficiency.In general, differential privacy techniques give a powerful means of preserving privacy
within data-driven applications in many domains. This intermingling of randomness in the process of data analysis,
along with the careful management of privacy parameters, is what leads to powerful guarantees on privacy,
impressively allowing for meaningful analysis of the data and training of models. As privacy concerns are growing,
using differential privacy techniques will most likely be on the rise, thereby leading to new privacy-preserving
applications and helping to keep the data-driven world under control.
From perturbation techniques to mechanisms that rely on queries, numerous mechanisms exist to achieve
differential Privacy in practice. One of the most well-known is the Laplace mechanism, which adds carefully
calibrated noise to the query output so that the result is differentially private [10]. ϵ , δ -differential privacy approach
is a more solid principle to be used in machine learning securely. In the framework of the distinguishing parameter,
represents the distinguishability bound information on neighboring datasets, where ϵ >0 . Furthermore, δ stands for
the condition when by virtue of any privacy-preserving procedure you cannot calculate bounds for the probabilities
of two neighboring datasets by e ϵ .

Formally, a randomized mechanism M : A condition known as (ϵ , δ)-DP is met by X → R , when all measurable

sets S ⊆ R with respective adjacent databases D i , D ' i ϵ X ,contemplate the following relationship.

[ ]
Pr [ M ( Di ) ϵ s ] ≤e Pr M ( D i ) ∈ S + δ . A Gaussian method described in [20] can be used to numerical data in
ϵ '

order to ensure ∈ , δ -DP. In accordance with [21], we provide the subsequent DP method by including artificial

Gaussian noises. As the noise distribution must be N (0 ,σ 2) in (∈ , δ)-DP, where N stands for Gaussian

distribution, c ≥ √ 2 ln ⁡¿ ¿ for ∈ (0, 1), the noise scale σ ≥ c ∆ s /∈ is chosen that preserves the DP nature For a
reason, n stands for a noise sample of an addictive number for a particular point of data, ∆ sis a sensitivity of a

| |
corresponding function, i. ∆ s=max D i , D ' i∨ s ( D i )−s ( D i ) ∨¿ , and s is a real-valued function.
'

3.3 Applications and Adoption

Differential privacy is also an important tool used in various sectors, including healthcare, finance, social
research, and transportation, to enable the safe sharing of data and collaborative analysis while preserving the
privacy of individuals. In health, for instance, the VarOpen framework allows electronic health records to be shared
safely across healthcare units without affecting the privacy of the patients [4]. By using differential privacy methods,
the VarOpen framework meets compliance requirements, such as the Health Insurance Portability and
Accountability Act (HIPAA); that is to say, privacy guarantees in data release are quantified without leaking
sensitive information of patients.
Likewise, differential privacy within the domain of finance allows sharing information between banks and
other financial institutions in the form of summary data without revealing customers' sensitive information [15].
This is of immense importance, especially in areas for analytics and risk assessment, where the availability of such
data in aggregate form could provide superior help in risk models and fraud detection schemes[29]. Knowing that
sensitive financial information is protected from privacy leakages, differential privacy encourages collaboration,
through sharing insights and knowledge among stakeholders for the improvement of decision-making processes and
security in general within the financial sector.
 Similarly, in social research, differentially private techniques ensure that individuals' privacy is maintained
when allowing researchers to carry out aggregate data trend and pattern analysis. Sensible noise is added to the
output of a query or other means based on calibration in different ways that shield information about individuals
while still allowing for meaningful analysis at the group level. This method ensures that findings are both valid and
trustworthy without compromising the rights to privacy of individuals.

Where differential privacy is therefore applied, will contribute to improving traffic management, planning
infrastructure, and offering public transport. By aggregating and analyzing data from multiple sources of mobility,
such as GPS-enabled devices and transportation networks, differential privacy makes it possible for transportation
authorities to obtain valuable insights into travel patterns, levels of congestion, and user preferences. The insights
may bear more effective and efficient transportation systems and infrastructure projects commensurate with the
needs of the public, without compromising the privacy of people.
The fact that differential privacy techniques have been identified and standardized for adoption in various
sectors now validates its significance in balancing insight-based requirements with the rights of privacy of
individuals. By providing a robust sharing and analysis framework, preserving privacy provisions, differential
privacy not only leads to leveraging data but also prevents flaws in confidentiality[30]. As data proves instrumental
in driving innovation and the process of decision-making, the responsible mode of privacy preservation will be more
and Differential privacy is one of the pillars in social research to protect sensitive datasets and, at the same time, to
manage disclosers in order to allow data analysis without eliminating the privacy rights of individuals [20].
Differential privacy by quantifying the risk of re-identification of statistical databases is a concept to be
used for privacy-preserving data analysis, so that researchers can derive useful information from valuable data while
decreasing the risk of privacy breach. Therefore, this approach enhances the need for privacy consideration in
research works, building trust in the ethical conduct of research practices in data-driven communities. Another area
where differential privacy finds its way in practice is transportation and traffic analysis, allowing providers to
protect mobility data and GPS traces for people's privacy[31]. Utilizing differential privacy in mobility analytics
stacked over location-based services will enable transportation providers to enhance their knowledge concerning
travel patterns, congestion levels, and other user demands efficiently and at the same time ensuring the privacy of
people
Differential privacy strengthens the tools for info protection to ensure consumer privacy and boost info security in
such areas as finance and telecommunications.
In telecommunications, differential privacy enables the optimization of network performance and quality of
service estimation while allowing service providers to offer stronger connectivity and user experiences [22]. By
making use of differentially private analysis of data obtained from millions of connected devices, valuable network
performance insights and latency information can be derived, along with user behavior, for telecom companies while
protecting the privacy rights of the individuals. This is going to streamline the system, not just in terms of efficiency
and reliability but also in terms of following a responsible way of data management and customer privacy
protection.The proliferation of differential privacy in various fields establishes the significance of the acceptable
balance between the innovative use of data-driven information and the protection of the privacy rights of data
subjects. Differential privacy offers a solid framework to work in for privacy-respecting data analysis and popular
research, making considerable use of data in a manner that upholds ethical standards and requirements in the ways
of operation. With data being increasingly important for innovation and decision-making processes, the responsible
use of privacy-enhancing technologies, therefore, becomes very important to maintain or sustain trust, transparency,
as well as good ethical behavior in data-driven circles.
The changing landscape of privacy regulations, especially given the entry of GDPR in Europe and CCPA in
the United States, has only made differential privacy solutions more important [23]. Such laws have imposed quite
stringent requirements on organizations in terms of collecting, processing, and protecting personal data, driving the
application of privacy-enhancing techniques like differential privacy.With the increase in demand for differential
privacy techniques, researchers and industry professionals are constantly working towards overcoming the
challenges in adopting differential privacy[21]. This has been coupled with making algorithms and optimization
more efficient to reduce computational overhead without affecting privacy guarantees detrimentally [24]. Moreover,
there is an increased focus on developing user-friendly tools and frameworks that empower organizations to easily
implement and integrate differential privacy in their solutions and processes.
collaborative work between academia, industry, and regulatory bodies is driving the adoption of differential
privacy in practice, with the promulgation of explanatory documents, standards, and best practices for successful
and efficient implementation of privacy-preserving solutions. To induce collaboration and knowledge sharing, these
programs work to drive the implementation and adoption of privacy-enhancing technologies so that organizations
can be well aware of navigating through the complex interplay of privacy regulations effectively in a data-powered
world for innovation and growth with data.While differential privacy adoption clearly presents challenges, one
cannot underemphasize the importance of it in safeguarding the privacy of data and ensuring adherence to regulatory
compliance[17]. As the awareness of privacy risks grows amidst such stringent regulations, the demand for
differential privacy techniques is expected to increase. By addressing these challenges and fostering collaboration,
the rise in investments in R&D, advancing research and development efforts, the adoption of differential privacy can
help organizations move through this privacy landscape to build a user base with trust in an ever-growing data-
driven world.

3.4 Enhancing Privacy Protection: Federated Learning with Differential Privacy

Global differential privacy refers to a privacy-preserving framework that ensures the protection of sensitive
data across a global dataset or network of data sources. This approach involves adding carefully calibrated noise to
query outputs or model parameters to prevent the disclosure of individual-level information while still allowing for
meaningful analysis of aggregate data trends. By applying global differential privacy, organizations can maintain
data privacy and confidentiality while enabling collaborative data analysis and knowledge sharing across distributed
datasets or networked systems.In contrast, federated learning is another contemporary security approach that focuses
on decentralized model training across multiple devices or data sources without the need to centralize sensitive data.
Instead of aggregating data in a central server, federated learning allows model training to occur locally on
individual devices, with only model updates being communicated to a central server[25]. This approach minimizes
data exposure and ensures data privacy while still enabling model training on distributed datasets.

Comparing the effectiveness of global differential privacy and federated learning, both approaches offer
robust privacy protection mechanisms for data analysis and model training. However, they differ in their
implementation and focus areas. While global differential privacy provides strong guarantees of privacy protection
across a global dataset or network, federated learning excels in decentralized model training scenarios, where data
privacy is paramount.To address the challenges of privacy protection in federated learning, a novel framework
known as "noising before model aggregation federated learning" has been proposed. This framework integrates the
principles of differential privacy into federated learning by incorporating noisy perturbations at both the client and
server sides during model aggregation. By introducing noise before model aggregation, this approach ensures that
individual-level data remains private while still allowing for effective model training and collaboration across
distributed data sources.
3.6 Global Differential Privacy
Global differential privacy adds carefully calibrated noise to query outputs or model parameters to ensure
the protection of sensitive data throughout a collection of networked data sources. It prevents the leakage of
individual information while allowing meaningful studies of the aggregated trends in data. In the setting of federated
learning, global differential privacy ensures data privacy while conducting model training on distributed devices or
data sources.Several building blocks ensure global differential privacy. An illustrative example is when applying a
clipping strategy to limit the scale of local updating parameters from different clients[11]. These updating
parameters are to ensure that the sensitivity of the local training process for each client is kept low, which will, in
turn lower the influence of any particular client on the privacy of the entire system. The maximum sensitivity of
individual clients is taken to obtain a bound on the global sensitivity of the uplink channels used to transmit local
training parameters to the central server. The fundamental property is that noise scaled according to the chosen
privacy parameter defends global differential privacy across all clients in the system.
At the central server, all local training parameters from each of the clients are aggregated to create global
model parameters. At every level of aggregation, the influence of each contribution is considered in a way that, in
the end, privacy is not leaked. This will take into account the sensitivity of every single client's contribution and may
also add a noise mechanism prior to the step of aggregation to even strengthen the privacy protection[8]. Closing
with this point, global differential privacy is a solid guideline for the preservation of data privacy in settings
including federated learning. mechanisms with values such as clipping, adding noise, and sensitivity, global
differential privacy will ensure that every sensitive piece of information will maintain its protection throughout the
training process, thus allowing for data analysis in collaboration and knowledge sharing throughout distributed lines
while upholding privacy rights. In this case, we provide a global (ϵ , δ) prerequisite for channels that are downlink
and uplink. From an uplink standpoint, we can guarantee that ||wi||≤ C by employing a clipping strategy, where wi
represents training parameters from the i-th client without interruption and C is a clipping threshold for bounding w i
. We define the local training procedure for the i-th client by assuming that the batch size in the local training is
equal to the number of training samples.
Di
sU ≜ wi =arg ⁡min F i ( w , Di )
w
¿ ¿

D
where D i is the i -th client's database and D i , j is the j -th sample in D i. Thus, the sensitivity of sU i can be

expressed as

Δ s U =max‖s U −s U ‖
'
Di Di Di
'
Di , D i
|Di|
1
¿ max ∥ ∑ ❑arg min Fi( w , Di, j)
D i ,D 'i |Di| j=1 w
|D 'i|
−1 2C
' ∑
❑ arg min F i ( w , D'i , j ) ∥= ,
|Di| j =1 w |D i|

where D′i,j is the j-th sample in D′i, and D′i,j is the next dataset to Di that has the same size but differs by just
one sample. Based on the aforementioned outcome, an uplink channel's global sensitivity may be determined by

Δ s U ≜ max { Δ s DU } , ∀ i
i

It is preferable for all clients to utilize enough local datasets for training in order to attain a minimal global
2C
sensitivity. In order to determine Δ s U = ., we first establish the minimum size of the local datasets by m. In
m
order to guarantee (ϵ , δ)- differential privacy for every client in the uplink during a single exposure, we establish

the noise scale as σ U =cΔ s U /ϵ , which is the standard deviation of the additive Gaussian noise. Given L exposures

of local parameters, the linear relationship between ϵ and σ U in the Gaussian mechanism requires us to assign

σ U =cLΔ sU /ϵ .
The aggregation process for D i , viewed from the downlink perspective, is represented as
Di
s D ≜ w= p1 w1 +…+ pi w i+ …+ pN w N ,

where w represents the aggregated server parameters to be broadcast to the clients and 1 ≤ i ≤ N.

The sensitivity for Difollowing the aggregation procedure

Di 2 C pi
Δ sD = . in the federated learning training process is provided by Lemma 1 (Sensitivity after the
m
Aggregation procedure).
Algorithm 1: Noise Before Aggregation Federated Learning

Figure a shows how global parameters look like across various iterations T in a federated learning process. Every
line in the plot shows how a given feature of the global parameter vectors changes with every iteration of the
federated learning algorithm up to the maximum allowable number of times of aggregations. Iterations t are
represented on the horizontal axis, and the values of the global parameters for every feature on the vertical axis. It
also helps to show, in general, how the aggregated parameters across both models vary over time and, in particular
in this case, how they are updated iteratively by collaboratively updating multi-client models in federated learning.
This kind of plot helps monitor the convergence or divergence of the federated learning algorithm. All plots show
how parameters are adjusted and refined iteration by iteration without raw data being shared centrally resulting in
better performance of the model.
 (0 )
Data: T , w , μ , ϵ and δ
Initialization: t=1 and w(0) (0)
i =w , ∀ i
while t ≤ T do
Local training process:
while C i ∈ { C1 , C2 , … ,C N } do
(t )
Update the local parameters wi as
(t )
w i =arg ⁡min Fi ( w i ) +
wi
( μ
2
‖ (t −1) 2
wi−w ‖ )
Clip the local parameters
(t )
w =w /max 1,
i
C
(t )
i ( ‖w(ti )‖
)
Add noise and upload parameters
~ (t) (t )
wi =w i + ni
(t )

Model aggregating process:

(t )
Update the global parameters w as
N
w =∑ ❑ pi ~
(t ) (t)
wi
i=1
The server broadcasts global noised parameters
~
w(t) =w(t )+ n(tD)
Local testing process:
while C i ∈ { C1 , C2 , … ,C N } do
Test the aggregating parameters ~ w(t ) using local
dataset
t ← t+1
~(T )
Result: W
 Figure 3:Feature iterations
The Thompson Sampling Algorithm was termed in the name of Bayesian statistician William R.
Thompson, and it solves the problem of decision-making under uncertainty, especially in scenarios like the multi-
armed bandit. This algorithm estimates Bayesian probability theory, which is based on historical data and learns the
decision-maker's behavior. It thus captures the probability distribution of the expected rewards of each action or
hand based on available data[9]. The algorithm balances exploration—collection of information by trying different
arms—with exploitation—using the information available to maximize rewards—since lots of information means
little time for exploitation, and vice versa.At each decision point, Thompson's sampling decides on a value chosen
from arms' distributions by random sampling and then chooses the arm with the highest sampled outcome. This
probabilistic approach helps the algorithm obtain information adaptively about different arms while favoring
exploitation of arms that have shown higher expected rewards in the past. Since it updates the probability
distribution after each decision, the use of Thompson Sampling in effecting new information is thus a promising
way to guarantee adaptivity.

Thompson Sampling's benefit is to balance exploration and exploitation effectively, permitting it to learn
and adapt new information over time. With the application of Bayesian inference properties, it ensures that the
algorithm remains flexible to devise optimal strategies even under changing environments. This adaptability is
critical for real-world applications where conditions might change unpredictably. It ensures the algorithm continues
performing optimally, irrespective of the circumstances at hand. Thompson Sampling provides an excellent way to
make decisions under uncertainty, especially under a situation with multiple competing options and little
information on the rewards. By nature, it involves methods of probabilistic techniques and Bayesian strategies
concurrently to provide a strong framework for adaptive learning and availing adaptive decisions, thus making it an
interesting tool in various domains for auto-learning, such as reinforcement, online advertisements, and
recommendations.

Algorithm 2: Thompson Sampling

Require: parameters for the item feature vector distributions Θ=¿ {( v 1 ,Ψ 1 ) , … … , ( v N Ψ N ) } ,σ 0 , λ p

Initialization: A ⇐ λ p I
b⇐o
for t=1 , 2, 3 , … . ,T do
−1
Estimate μut = A b
−1 2
Estimate Σ u , t= A σ 0
Sample ~ pu , t from N ( pu , t ∣ μu ,t Σ u , t )
~
Sample qi from N ( q i ∣ v i ,ψ i ) for {i ∈{1 , 2 , … , N }}
Select the arm ⁡i ¿ (t )=argmax ~pT ~ q u i
i
Receive the reward r u ,i (t ) ¿

Update A ⇐ A + ~q i (t ) ~
T
qi (t )
¿ ¿

Update b ⇐ b+ r ~
q
¿ ¿
u ,i (t ) i (t)
End for

3.2 Federated Learning

Federated learning is a decentralized approach in which the machine learning model is trained on various
distributed devices or data sources without the individual private data of the devices leaving the devices. This
conceptual framework keeps sensitive data local to its source, yielding a novel approach to privacy for data
aggregation in a centralized space. Indeed, the methods of federated learning pertain to the aggregation of model
updates and not raw data, thus largely minimizing any risk of data exposure or unauthorized access[10].One of the
important features of federated learning is ensuring data privacy while enabling collaborative model training on
various data sources across the network. Since the training of the models is distributed and involves only the
exchange of model updates, the chance to send data in raw form is very low, thus reducing the chance for intrusion
on privacy. Furthermore, organizations can capitalize on the pooled intelligence of their data assets without the risks
of exposure associated with their transfer.

There are some limitations of federated learning. First, the challenge is in designing effective
communication protocols and aggregation mechanisms ensuring efficient traversal of model training across the
distributed devices. Further, federated learning may also call for massive computational resources and the necessary
infrastructure to support decentralized model training in case an organization has limited resources. At the same
time, federated learning has proven to be very promising in health, finance, and telecommunications. In health, for
example, federated learning allows models to be collaboratively trained across multiple hospitals or healthcare
facilities without data leaving those facilities, allowing the development of more accurate and robust predictive
models for disease diagnosis and treatment planning. Similarly in finance, federated learning allows financial
institutions to be trained for fraud detection across banking networks while protecting customer's transaction data.

Figure 4:A Federated Learning training model with surreptitious adversaries that can intercept parameters
trained from the server and clients.

In wireless telecommunications, for instance, federated learning has been shown to boost the performance
and efficiency of wireless communication networks by leveraging data available at distributed devices to tune
different network parameters through resource allocation strategies. These examples underscore the flexibility and
applicability of federated learning across different domains and the fact that, with some careful thought, privacy
concerns may be assuaged while finding ways of permitting collaborative model training and knowledge
sharing.federated learning allows the decentralized training of machine learning models while ensuring the privacy
and security of data[14]. Although federated learning has come with some drawbacks, it also has been promising
enough in many fields to allow data holders collectively to benefit from the intelligence of their data while
protecting the privacy of individuals. Continuing research and development in this area remain crucial to refining
and optimizing federated learning approaches to ensure their relevance and efficacy in practice within an
increasingly data-driven world.

Table 1: Summary of Notations

M A randomized mechanism for DP
' Adjacent databases
x ,x
ϵ ,δ The parameters related to DP
 Ci The i -th client
Di The database held by the owner C i
D The database held by all the clients
N The cardinality of a set
K Total number of all clients
t The number of chosen clients (1< K < N )
T The index of the t -th aggregation
w The number of aggregation times
F (w) Global loss function parameters
F i (w) Local loss function from the i -th client
μ A presetting constant of the proximal term
wi
(t ) Local uploading parameters of the i -th client
(0) Initial parameters of the global model
w
(t ) Global parameters generated from all local
w
parameters
v
(t ) at the t -th aggregation
¿
w Global parameters generated from K clients'
parameters
~ True optimal model parameters that minimize
W
F (w)

2.2.1 Concept and Principles

Central to the differential privacy definition is indistinguishability: a mechanism is differentially private
when the existence or non-existence of any particular data point of a single individual or another drastically affects
the output distribution in a manner that is impossible to discern. Let's look at a typical FL system, shown in Fig. 1,
that consists of one server and N clients. Hence the D i denotes the local database by the client C i where

i={1, 2 , … … . , N }. The objective is to train a model at the server using data from the N related clients. In order
to minimize a certain loss function, an active client taking part in the local training must identify a vector w of an AI
model. Formally, the weights provided by the N clients are combined by the server as;
N
w=∑ pi w , i
i=1

Where,
w i=¿ The parameter vector trained at i-th client
w=¿ parameter vector after aggregating at server,
N=¿ is the number of clients
p =¿ D ∨ ¿ ¿
i i N
¿ D∨¿ ≥0 with ∑ pi=1 ¿
i=1

And
 N
|D|=∑ ¿ D∨¿¿ is considered the total size of all data samples. One way to express such an optimization issue is
i=1

as
N
w ¿=argmin ∑ pi Fi ( w ) ,
i=1

Where,
F i (.)
2.3.2 The Threat Model
As part of the FL setting, the server is trusted, and there are external adversaries only interested in getting
the confidential client data. Model inversion attack exemplifies the potential threat despite storing individual
datasets (Di) locally on the clients' devices. Though FL is technologically decentralized, the intermediate parameter
(wi) is needed to be communicated to the server during the parameter aggregation phase of the process. This type of
privacy vulnerability can be a gateway for customers' private information. In, researchers showed model inversion
attacks that could extract sensitive data, such as photos, from a facial recognition system.
Individual datasets are still held privately on clients' devices, while the intermediate parameter of the model
has to be transmitted to the server in order to proceed. Third-party adversaries could exploit this transmission to
learn sensitive information pertaining to individual data points, which would compromise the entire system's
privacy. Privacy leakage could also happen with the parameter broadcasting function, considering the sending of
global parameters ((w)) over a downlink channel. A malicious adversary could intercept these transmissions and
analyze the global parameters to infer sensitive information about the underlying data[10].Different privacy
concerns can therefore be tackled by these techniques. For protecting transmissions of intermediate parameters
between clients and the server, secure protocols for communication like encryption and secure multiparty
computation can be used. By performing encryption of the data before sending and decrypting it after its receipt by
the authorized parties, the risk of interception and eavesdropping can be reduced. Fl frameworks can also borrow
further privacy protection from the addition of differential privacy mechanisms, which in this case will add noise in
the process of aggregation.
This ensures that the output from the aggregated model remains statistically indistinguishable, even if
adversaries have auxiliary information. By doing so, it will reduce the amount of information that can be inferred
from aggregated model parameters. Aggregation techniques like secure aggregation have to be applied to multiple
model updates, but from the privacy-preserved perspective, model updates are aggregated from multiple clients
without showing individual contributions. Secure aggregation allows learning clients to contribute to the latest
global model using their local model updates without sharing the details of each update component. The key aspect
in this context consists of the measuring actions: using secure communication protocols, mechanisms for differential
privacy, and techniques in secure aggregation for implementing privacy in Federated Learning. Put into practice,
these measures can be used by organizations to reduce the risk of privacy breaches and assure safety in FL systems
where very sensitive data regarding their clients exists. However, equally essential remains the continuous
evaluation and updating of these privacy protections to respond to evolving threats and ensure ongoing compliance
with privacy regulations.
The security of communication channels between clients and the server is a key element in preserving
privacy in the context of FL. In the model where it is assumed that clients can dynamically allocate to different
channels, be it time slots or frequency bands, during each uploading time, the distinction between uplink, which is
more secure, and downlink broadcasting channels, which are more prone to interception, is taken into account.In the
proposed FL scenario, the clients are assumed to be allocated to various communication channels, such as time slots
or frequency bands, where uplink channels are more secure than downlink broadcasting channels[18]. Uplink
channels are the communication channels where a client transmits its update or parameters to the server. In any case,
during these communications, the Internet grants channels that are way more secure than the downlink broadcasting
channels. To make the case more secure, it is assumed that only a maximum of (L) exposed parameters from each
client are uploaded in the uplink channels during each uploading time. Here, (L) denotes the maximum number of
parameters that can be exposed to the potential interception during the transmission.
In security-related terms, there are the so-called uplink channels — the client communicates, or, in this
case, uploads its parameters or updates, to the server — more securely. To provide more security, it is assumed that
there are maximum (T) exposed parameters that are aggregated in the downlink, where (T) is the number of
aggregation times from beginning to.To minimize the risk of privacy breaches and interception, additional security
measures in the uplink and downlink channels can be implemented. For instance, on the uplink channels, the use of
encryption and secure communication protocols can help protect the transmission of parameters, while on the server
side, techniques such as secure aggregation may be applied in aggregating parameters before distributing them over
a series of downlink channels. Such measures enhance the security of the communication channel in FL systems and
immensely minimize the breach of privacy, because mainly the breach occurs due to sniffers and eavesdroppers.
2.3.3 Advantages and Limitations
Federated learning has a prime benefit: it is very important in protecting privacy and is most suitable for
sectors with very strict regulations on data like healthcare, finance, and telecommunications. The principal concept
of federated learning is to keep the data on the device and only share updates on the model to prevent leakage and
unauthorized access. It is a decentralized way of training models, as it ensures that sensitive data stays isolated
within devices or data sources, so the risk of privacy incursions is mitigated. This limits dangerous privacy breaches
and keeps one in line with the law, as required by regulators.
Industries like healthcare and finance that have paramount levels of data privacy have a strong solution
with federated learning for training models on distributed data without centralization. Usually, the traditional
approaches taken to centralized data aggregation result in the creation of data silos and legal frictions, with
organizations struggling over the intricacies of sharing sensitive data across disparate systems[22]. It is a way of
performing training models at data sources directly; hence, it eliminates the need for any copied data to be
transferred or shared again between entities. This does not only speed up the process of modeling but also keeps that
sensitive data in control of the exact owners, minimizing risks of data breaches and in compliance with regulatory
frameworks such as HIPAA and GDPR.
 However, federated learning also brings its challenges, among which lies the issue of the parallelization of
computations among edge devices. In federated learning systems, model training occurs on the decentralized devices
or edge servers, which have heterogeneous computation capabilities and resource constraints. Properly achieving
effective parallelism across these distributed devices is key to enabling fast and scalable model training across them.
This challenge entails the development of robust communication protocols and aggregation mechanisms that can
reconcile the heterogeneity of data sources and computational resources in federated learning environments.
Federated learning offers a compelling solution for preserving privacy and conducting model training on
distributed data sources, particularly in industries with stringent data protection regulations. In spite of the current
challenges in efficient parallelism and scalability, ongoing research and development efforts may advance the
capabilities of federated learning and unlock its potential for a wide range of applications in privacy-sensitive
domains.Some of the major advantages of federated learning are in maintaining privacy, allowing model training on
data that is distributed across sources, and, nevertheless, attaining fair and representative models in heterogeneous
environments. However, it also brings in new challenges, including communication overhead, scalability limits, and
the need for models that are fair and representative—more so with heterogeneous environments.
Privacy is the major advantage cited for federated learning: keeping data local and just sharing model
updates not only reduces the risk of data leaks but also ensures compliance with legal processes. In addition,
federated learning removes the necessity of centralized data aggregation, reducing the possibility of data silos and
the friction associated with legal processes and sharing sensitive data across systems. This learning presents some
major challenges, especially those of communication overhead between the central server and all connected
devices[25]. As a major burden for federated learning architectures, the exchange of model updates between the
devices and the central server introduces latencies and capacity constraints, especially in massive-scale applications
where device populations are large or model updates are frequent. This overhead involved in communication can
easily compromise the efficiency and scalability of federated learning, proving to be a major limitation in effecting it
in realistic use.
The maintenance of fairness and representativeness in federated learning models across heterogeneous
environments—across heterogeneous data distribution and device characteristics. The biases that are a result of non-
uniform data contributions or datasets that are not representative cause variations in models' effectiveness, even to
the level of poor generalization. Powerful data sampling techniques and model aggregation methods, as well as
methods that adapt learning rates to ensure that federated learning models accurately represent the underlying data
and provide users with unbiased predictions need to be developed to overcome these challenges.While federated
learning significantly motivates the privacy preservation of all models being trained in a distributed environment, it
has its own set of challenges, all of which are enablers in their own right[16]. Solutions to reduce communication
overhead, guarantee model fairness, and serve distinctive data distributions will make federated learning a practical,
powerful paradigm for distributed, collaborative, and privacy-conscious machine learning applicable different
application domains. The research and development going on continually will enable these kinds of challenges to be
overcome and enhance the capability of federated learning for real-world applications.
2.3.4 Use Cases and Applications
Federated learning is very promising in many domains, such as healthcare, banking, telecommunications,
and the Internet of Things. In the field of healthcare, federated learning has, among other things, allowed
organizations to collaboratively model the training of machine learning over electronic health records, sourced from
different hospitals and clinics, while preserving patient privacy[23]. Leveraging federated learning, healthcare
organizations can extract knowledge to build highly accurate predictive models for disease diagnosis, personalized
treatment, and drug discovery that would be infeasible from any individual source of data without violating patient
privilege. This approach not only helps in improving the quality of healthcare services but also ensures compliance
with stringent data privacy regulations.
federated learning provides much benefit to banking. Through federated learning, financial institutions can
engage in collaborative fraud detection assessments and credit risk rating in a manner that maintains privacy over
individual client data. Leveraging federated learning will enable banks to train machine-learning models using
transactions dispersed among various financial institutions, ensuring data privacy for all customers, improving
fraud-detection capabilities, and providing detailed reports for better compliance with regulatory requirements. To
collaboratively fight fraud and assess credit risk among themselves while keeping customer data private, federated
learning allows financial institutions to do so.

The learning is also a cutting-edge approach with regard to the training of models across distributed data
sources while maintaining user privacy. Telecom companies can leverage federated learning for enhanced network
optimization, predictive maintenance, and personalized user engagements without compromising user privacy.
Telecom companies can utilize federated learning to optimize network performance and improve service quality by
anomaly detection, failure prediction, and equipment optimization, respectively. By aggregating data from various
network nodes and user devices, telecom service providers can train machine learning models for identifying
network anomalies, predicting equipment failure, and optimizing network performance to improve service quality
and, in turn, customer satisfaction.
Federated learning is promising in the realm of the Internet of Things because it allows collaborative model
training on the data generated by IoT devices while ensuring privacy. In light of the rapid proliferation of IoT
devices in different sectors, federated learning provides a scalable and privacy-preserving method to leverage the
enormous data that these devices generate. Using federated model training over these distributed IoT devices,
organizations can build intelligent applications for smart homes, smart cities, health monitoring, and industrial
automation while ensuring the privacy and security of the user's data. This is especially important, as it prevents data
leakage.
This has emerged as a strong technique for collaborative and privacy-preserving machine learning across
different domains. By facilitating collaborative model training on distributed data while ensuring the privacy of
users, federated learning has significant relevance to health, finance telecommunications, and the Internet of
Things[20]. As federated learning continues to proliferate in the market, organizations are exposed to newer
technology innovation, collaboration, and value creation while ensuring privacy, regulatory compliance, and model
fairness. Continuing research and development efforts have to be realized so that the power of federated learning can
be harnessed and exploited in different application domains.
Federated learning is an emerging framework that completes the optimization of machine learning models
in a distributed fashion, hence holding potential importance for optimization in many industries. One such domain is
telecommunications, where federated learning empowers mobile network operators with the integration of network
performance, forward analysis, and quality of service estimation using data from tens of millions of connected
devices. Federated model training allows deriving insights from a very diverse set of sources and in turn improving
network efficiency, reducing latency, and enhancing user experience by federating model training across various
distributed devices and networks[6].In mobile networks, federated learning empowers edge devices, such as sensors
and wearables, to operate as intelligent devices and perform learning tasks independently without contracting central
servers. An inherently decentralized approach to model training may lower the cost of data transfer and also
alleviate the privacy risks otherwise associated with a centralized data aggregation approach. By keeping data local
and performing the training of the model on the edge devices, it allows sensitive information to remain protected
while enabling collaborative learning and model optimization in a distributed environment.
The learning is very promising for the future of machine learning, addressing users' privacy concerns in an
optimal way to extract knowledge from the data they generate. By design, federated learning enables model training
through collaboration while complying with stringent privacy constraints for distributed entities. This collaborative
paradigm opens new avenues for innovation and development in artificial intelligence, enabling organizations to
leverage the collective intelligence of distributed data sources without compromising privacy or data security[4]. By
using federated learning, they will derive new insights and unlock innovation in almost all industrial domains. in
healthcare, federated learning supports collaborative model training on electronic health records from different
hospitals while keeping patients' data private.
In the banking industry, federated learning enables financial institutions to collaborate on fraud detection
and credit risk assessment without exposing the privacy of every individual's data to others. Among the various
sectors, federated learning ensures that model training is done across the distributed transaction data from the
multiple banks and financial service providers, in turn enhancing fraud detection and maintaining the privacy of the
data, thus ensuring easy regulatory compliance. Federated learning is revolutionizing machine learning for cross-
device and cross-enterprise collaboration without compromising user privacy in this paradigm. This kind of machine
learning method opens up the chance for various entities to work collaboratively to share knowledge around AI
development.

Chapter 4: Methodology
4.0 Python Implementation: Federated Learning and Differential Privacy Setup and Environment
An environment for running FL and DP in Python must be put in place which involves the installation of
libraries and system configurations. Commence by creating a python environment with Anaconda Navigator and
install PySyft, a library for privacy-preserving machine learning using PyTorch. Make sure that all participating
nodes have PySyft and PyTorch installed so that the computational processes can be carried out in a synchronized
manner. Develop virtual environments differentiate dependencies to show where error can occur. Deploy a central
server along with the client ends that perform multiple tasks. Provide for an estimated length of cryptic
communication channel among the two by the use of SSL/TLS. Produce cryptographic keys for aggregation to be
done in a secure manner. See to it that all nodes are running Python compatible versions and consistencies of the
dependencies.
4.2 Data Preprocessing
Data preprocessing, a critical part of FL, is further related to handling distributed data among the nodes
while ensuring data privacy and security. Using these privacy-preserving methods based on differential privacy, data
preprocessing is geared toward preparing the data for model training in order to decrease the chances of leaking
sensitive data. To conduct data preprocessing in FL, PySyft on each node machine is used to establish connections
to allow the main server to access different datasets in every local machine. PySyft offers a framework that allows
machine learning processes to preserve privacy in PyTorch and ensures data operations remain secure and private
during the entire preprocessing pipeline.With the setup of PySyft, a series of processing initiatives can be applied to
the data[19]. This involves normalization to have a mean of zero and a standard deviation of one in the features of
the dataset. Normalization ensures that all features contribute equally to the model learning process, which leads to
effectiveness and more efficiency of the learning algorithm. There can also be the application of dimensionality
reduction methods, the very popular being Principal Component Analysis (PCA), which reduces feature dimensions
in a dataset and simultaneously tries to retain as much variance as possible. This helps to convert the model from
high complexity to low and further improve the generalization of the model.
Other than normalization and dimensionality reduction, image augmentation techniques can be applied to
enhance the diversity of the dataset and improve the robustness of the model. Image augmentation techniques
include flipping, rotating, and blurring images to increase the diversity within the dataset in the training process.
Such privacy-preserving techniques may include differential privacy to ensure privacy and security while
performing data preprocessing. Differential privacy adds noise to the data to help in the determination of sensitive
information while enabling the meaningful analysis of that data. It generally pertains to adding Laplace noise or
performing secure aggregation to add noise to the data while maintaining privacy. In more concrete terms, Laplace
noise addition is adding noise drawn from a Laplace distribution to the data while being careful to ensure that
differential privacy guarantees remain intact[13]. Such secure aggregation would involve the aggregation of noisy
data from several nodes while maintaining the individual privacy of the data points. In so doing, these privacy-
preserving techniques during the phase of data preprocessing in FL systems can ensure the protection of sensitive
information during the process of training a model, which further helps maintain not only data privacy but also
abides by different privacy regulations and standards.
4.3 Federated Learning Model
To implement a working Federated Learning system using PySyft and PyTorch, various key components
and techniques can be operational to enable collaborative training without any privacy and security breach of the
data.it's important to recognize neural network architecture that is compatible with the federated learning scheme
available in PySyft. PyTorch offers a very wide collection of neural network architectures, including CNN, RNN,
and DNN, and the implemented neural network can fit into the FL workflow easily. Proper federated optimization
algorithms must be hence selected that are suitable for updating the model parameters throughout FL nodes.
Therefore, algorithms like FedAvg or FedSGD are usually applied in different FL systems while aggregating model
updates with the perspective of data privacy. These models assure that an FL node communicates a user update to
the server, not the raw user datum; hence, data confidentiality is maintained.
It can further be equipped with Secure Multi-Party Computation (SMPC) cryptographic protocols and/or
Homomorphic Encryption (HE) to enable secure model updates. SMPC allows FL nodes to collaborate on model
training without leaking information, while HE allows computation to be performed over the encrypted data to
maintain privacy throughout FL[22].Along with privacy-preserving techniques, FL-dependent loss functions and
metrics can be used to evaluate model outputs over statistical data based on distributed computing methods. In the
design of these loss functions and metrics, one should take into account the decentralized nature of FL in order to
evaluate the model performance properly across all FL nodes.

Figure 5:Secure Multi-Party Computation (SMPC) cryptographic protocols

 There should exist strong communication protocols along with network architectures to implement easy
information sharing and aggregation of models within the FL systems. Elements such as SSL encryption and
distributed communication frameworks can be exploited to ensure that FL nodes interface with the central server
securely and with reliability.The efficiency and robustness of the FL system in real-life situations should be tested
and validated across its domain[15]. This includes its effect on the performance of the FL model on different
datasets and its scalability and computational efficiency. By implementing these features and techniques on the FL
design of PySyft and PyTorch, different FL nodes can jointly train models while upholding privacy and security.
This, in turn, allows organizations to fully utilize distributed data sources for model training without being
concurrent with data privacy or security concerns.
4.4 Differential Privacy Mechanisms
During model training and the inference phase, it is important: (a) to incorporate several privacy protection
measures to effectively secure confidential data, and (b) to include privacy-preserving algorithms, such as DP-SGD
and PATE with PySyft, in the developed customized deep learning solution. Among popular privacy-preserving
algorithms are DP-SGD (Differentially Private Stochastic Gradient Descent) and PATE (Private Aggregation of
Teacher Ensembles), and easiest to work using PySyft. These schemes enforce privacy during model learning
through the introduction of noise or perturbation at the gradient or model output levels.
Setting these algorithms requires one to establish privacy parameters such as ε and δ besides other
parameters that will appropriately control the privacy budget. Smaller values of these parameters mean that stronger
privacy is guaranteed by the algorithm.This allows one to apply differential privacy to phases like gradients,
updates, or outputs within the model so that information about sensitive data is not leaked. This will ensure that the
model is learning from the data without revealing sensitive information about the people whose data was included in
the training data.
The trade-off between anonymization and usefulness has to be analyzed by changing the values of the
privacy parameters and examining the efficiency indexes. It helps find a balance between preserving privacy and
having the model relevant and useful in performing its tasks[11]. Minor adjustments in these parameters make it
reasonable to achieve a satisfactory level of privacy protection without much trade-off in model performance.
Integrating privacy-preserving algorithms and techniques within the model training process by PySyft helps one to
develop a robust and secure deep learning solution that serves the dissemination of sensitive data while driving to
the required performance level.
4.5 Evaluation Metrics
It is important to assess the performance of models trained using federated learning under privacy
guarantees across a number of evaluation metrics. Key to these considerations are precision, recall, and F1-score,
which are the most important metrics for describing the performance of the model within a distributed environment
across multiple nodes. These metrics provide insights into the model's accuracy, completeness, and overall
performance in real-world scenarios.besides this performance set of metrics, it is essential to provide privacy-related
metrics, including ε, δ, or privacy loss, to evaluate the efficacy of the differential privacy features added to the
model. These metrics quantify the degree of privacy protection that the model provides and enable an informative
data-driven decision on privacy-utility trade-offs. Convergent metrics, which include loss curves, validation
accuracy, or time, provide insights into the training of the model under FL. These metrics enable researchers to
monitor the training process, identify any potential issues or bottlenecks, and make necessary adjustments to
improve performance and convergence.
Privacy-utility trade-offs in federated learning while adhering to the principles of differential privacy. By
comparing the performance of models trained under varying privacy levels, researchers can determine the optimal
balance between privacy protection and model utility, ensuring that the deployed models meet both privacy and
performance requirements[8]. Comprehensive evaluation using a combination of performance metrics, privacy-
related metrics, and convergent metrics enables researchers to assess the effectiveness of models trained under
federated learning with differential privacy guarantees. This holistic approach ensures that the deployed models are
not only accurate and reliable but also privacy-preserving and compliant with privacy regulations.
 Chapter 5: Results and Discussion
In this paper, we apply Noise Before Aggregation Federated Learning to real-world federated datasets and
MLP. We focus on the effectiveness of Noise Before Aggregation in different privacy protections denoted by ɫ,
numbers of clients participating or N, maximum rounds of aggregation or T and fraction of clients selected or K in
order to understand its convergence characteristics.In this first epoch, which is just 1/5 of the total number of
training cycles, promising results can be noted for federated learning. The model gives a training loss of 0.3189 with
an impressive accuracy of 90.74%. In validation, it slightly rashes down to 0.1274 with an increased accuracy of
96.70%. All these figures are supportive of federated learning to be a very robust and reliable approach in generating
efficient predictions since the early phases of the training process.In contrast, the differential privacy model does
much worse in the early rounds. It starts out with a considerably larger training loss of 1.4815 and only an accuracy
of 52.07%. When validating, a few more problems are found. In this case, there is a loss of 0.8784 and an accuracy
of 72.83%. These many differences so early on are strongly representative of how differently federated learning and
differential privacy models learn and make predictions.

Figure 6 : Grey scale image from MNIST before attack

Results, however, show clear contrast, hence the reason differential privacy models require more
refinement and optimization. These otherwise very positive models indeed hold such great promise but require a lot
of adjustments that will work more in tandem with the robust results seen in federated learning. They may need
other techniques that will allow their strategies to be more effective and efficient in terms of convergence rates, such
as parameter tuning, optimization algorithms, or even other techniques preserving differential privacy.max the
comparative analysis conducted in this paper is very informative about rounds early stages' behaviour of Noise
Before Aggregation Federated Learning and its variant of differential privacy. It serves as a foundation for future
research efforts in building, over and above, privacy-preserving machine learning methods that retain accuracy of
odels alongside the efficiency of convergence in the federated setup.

5.1 Experimental Results

For handwritten digit recognition, we use the commonly used dataset of MNIST consisting of 60,000 training
samples and 10,000 testing samples [12]. Each sample is that of a gray scale image of size 28 × 28 pixels. Our
baseline model adopts the architecture of Multi-Layer Perceptron, MLP, with 256 hidden units in a single hidden
layer. The activation functions are Rectified Linear Units, ReLU. This network has a softmax output layer with 10
classes corresponding to each digit from 0 through 9. This model is to be trained with the cross-entropy loss
function, which in multinational, is most commonly used in neural networks for multi-class classification.
set the learning rate of optimizer to 0.002, which is a generic choice in most neural network problems as this is
proven to give a balanced speed and convergence in training. The values of the parameters like ρ, β, l and B, which
are fundamental to this type of loss function are set based on approximations derived from earlier studies [19].
Checkpoint. In this paper, using the MNIST dataset and the clearly and identically defined architecture of MLP, we
will compare different methodologies of Noise Before Aggregation Federated Learning under different privacy
protection, client participation, and aggregation dynamics. This approach validates our models tested in the standard
common benchmark and opens up its foundation for the more advanced techniques to be probed in the domain of
federated learning and differential privacy within real-world application contexts.

Figure 3: The analysis of training loss utilizing different degrees of protection for 50 clients using
∈=50 , ∈=60∧∈=100 , respectively.
Figure 4: The analysis of training loss utilizing different degrees of protection for 50 clients using
∈=50 , ∈=60∧∈=100 , respectively.

5.2 Analysis of Privacy Protection

The MNIST dataset has been a cornerstone for evaluating handwritten recognition of digits. It contains 60,000
training samples and 10,000 testing samples [12], with each of them a grayscale image of 28×28 pixels. Our
baseline model is an MLP with 256 hidden units in a single layer. In the implementation, activation functions within
this model are Rectified Linear Units (ReLU), where the output layer contains a softmax function with 10 classes in
total, corresponding to 0-9 digits. The model will be trained using a cross-entropy loss function, which is best fit for
this type of multi-class classification in neural networks. Set the learning rate of the optimizer at 0.002, a
compromise between the speed of network training and training convergence. Also, other important parameters in
the loss function that had to be set are ρ, β, l, and B, whose approximate values were taken from the literature [19].
 Figure 7:Grey scale image from MNIST after an attack

These setups ensure that our evaluation has followed established methodologies and benchmarks for digit
recognition using neural networks. Building on MNIST with a well-defined MLP architecture, we benchmark
different methodologies across varied privacy protection levels, varieties of client involvement, and aggregation
dynamics. All of this not only helps ensure models to benchmarks but also helps lay the foundation to play with
advanced techniques in FL and DP on real-world applications. This serves an andenade situation where the privacy
of a machine learning model must be preserved.
Figure 5: The analysis of training loss utilizing different degrees of protection for 50 clients using
∈=50 , ∈=60∧∈=100 , respectively.

Figure 6: The analysis of training loss utilizing different degrees of protection for 50 clients using
∈=50 , ∈=60∧∈=100 , respectively.
Figure 6 depicts the training loss analysis across different privacy protection degrees, ɛ, where ɛ = 50, ɛ =
60 and ɛ = 100 when there are 50 clients. From both Figures 5 and 6, it can be observed that the random scheduling
for K-client performs excellently than all other states concerning convergence. Thus, the proposed NFAGF approach
guarantees convergence in various stages of privacy protection degrees and client participations. This goes to the
indication of the capacity for such an approach to offer both robustness and efficiency in federated learning setups,
which amounts to the indication of the capacity for enhanced real-world applications for privacy-preserving machine
learning.
 6. Conclusion
6.1 Key Findings
The findings of the study demonstrate that federated learning and differential privacy contribute to
improvement of privacy in AI systems as it offers protection of sensitive information. Federated learning permits
establishment of a setting in which the parties train collaboratively in a distributed data environment, thus carrying
on individual data privacy. Differential privacy provides prudent mathematical protections against privacy loss with
the addendum that published AI models output does not leak individual data insights. The use of comparative
analysis shows the strengths and the limits of these methods, establishing their suitability for each case in areas like
health care, finance, and telecommunications. The entities from practical implementations demonstrate that
Federated Learning and Differential Privacy have a feasibility test in a simulated environment, which is quite
promising since those can be useful to resolve privacy concerns in real life applications. Consequently, the paper
thoroughly supports the need for data-obscuring methods in AI models and delivers classes regarding their
effectiveness and the way they enter the market through various domains.
6.2 Contribution to Future Works
The research findings prave that federated learning with differential privacy are two AI system privacy
protection techniques that are the most reliable. Federated learning involves training individual models at the edge
while local data owners such as hospitals, healthcare insurers, and research institutes collaborate to build a model
jointly with collective learning without exposing all individual data. The main advantage of secure anonymity is
rigorous mathematical evidence of the possibility to violate privacy of any individual data object by the release of
output data of AI models. The results of weighing these methods reveal their benefits and drawbacks, pointing to the
wide areas of use, inclusive of health care, finance, and telecommunications. Concrete implementations of the
algorithm demonstrate the scope of feasibility of the models in the simulation environment which in turn can proper
them towards real-world scenarios. As a whole, the research serves to accentuate the necessity for privacy protection
measures in AI systems and offers insights into feasibility and adaptation of the same across various industrial
sector.
 References
[1.] Gupta, Rajesh, Sudeep Tanwar, Fadi Al-Turjman, Prit Italiya, Ali Nauman, and Sung Won Kim. "Smart
contract privacy protection using AI in cyber-physical systems: tools, techniques and challenges." IEEE
access 8 (2020): 24746-24772..
[2.] Murdoch, Blake. "Privacy and artificial intelligence: challenges for protecting health information in a new
era." BMC Medical Ethics 22 (2021): 1-5.
[3.] Kim, Pauline T., and Matthew T. Bodie. "Artificial intelligence and the challenges of workplace
discrimination and privacy." ABAJ Lab. & Emp. L. 35 (2020): 289.
[4.] Rodríguez-Barroso, Nuria, Goran Stipcich, Daniel Jiménez-López, José Antonio Ruiz-Millán, Eugenio
Martínez-Cámara, Gerardo González-Seco, M. Victoria Luzón, Miguel Angel Veganzones, and Francisco
Herrera. "Federated Learning and Differential Privacy: Software tools analysis, the Sherpa. ai FL
framework and methodological guidelines for preserving data privacy." Information Fusion 64 (2020):
270-292.
[5.] Wei, Kang, Jun Li, Ming Ding, Chuan Ma, Howard H. Yang, Farhad Farokhi, Shi Jin, Tony QS Quek, and
H. Vincent Poor. "Federated learning with differential privacy: Algorithms and performance
analysis." IEEE transactions on information forensics and security 15 (2020): 3454-3469.
[6.] El Ouadrhiri, Ahmed, and Ahmed Abdelhadi. "Differential privacy for deep and federated learning: A
survey." IEEE access 10 (2022): 22359-22380.
[7.] Hao, Meng, Hongwei Li, Xizhao Luo, Guowen Xu, Haomiao Yang, and Sen Liu. "Efficient and privacy-
enhanced federated learning for industrial artificial intelligence." IEEE Transactions on Industrial
Informatics 16, no. 10 (2019): 6532-6542.
[8.] Zhu, Tianqing, Dayong Ye, Wei Wang, Wanlei Zhou, and S. Yu Philip. "More than privacy: Applying
differential privacy in key areas of artificial intelligence." IEEE Transactions on Knowledge and Data
Engineering 34, no. 6 (2020): 2824-2843.
[9.] Wu, Xiang, Yongting Zhang, Minyu Shi, Pei Li, Ruirui Li, and Neal N. Xiong. "An adaptive federated
learning scheme with differential privacy preserving." Future Generation Computer Systems 127 (2022):
362-372.
[10.] Jia, Bin, Xiaosong Zhang, Jiewen Liu, Yang Zhang, Ke Huang, and Yongquan Liang.
"Blockchain-enabled federated learning data protection aggregation scheme with differential privacy and
homomorphic encryption in IIoT." IEEE Transactions on Industrial Informatics 18, no. 6 (2021): 4049-
4058.
[11.] Wu, Xiang, Yongting Zhang, Minyu Shi, Pei Li, Ruirui Li, and Neal N. Xiong. "An adaptive
federated learning scheme with differential privacy preserving." Future Generation Computer Systems 127
(2022): 362-372.
[12.] Li, Qinbin, Zeyi Wen, Zhaomin Wu, Sixu Hu, Naibo Wang, Yuan Li, Xu Liu, and Bingsheng He.
"A survey on federated learning systems: Vision, hype and reality for data privacy and protection." IEEE
Transactions on Knowledge and Data Engineering 35, no. 4 (2021): 3347-3366.
[13.] Mothukuri, Viraaji, Reza M. Parizi, Seyedamin Pouriyeh, Yan Huang, Ali Dehghantanha, and
Gautam Srivastava. "A survey on security and privacy of federated learning." Future Generation Computer
Systems 115 (2021): 619-640.
[14.] Hu, Rui, Yuanxiong Guo, Hongning Li, Qingqi Pei, and Yanmin Gong. "Personalized federated
learning with differential privacy." IEEE Internet of Things Journal 7, no. 10 (2020): 9530-9539.
[15.] Zhu, Tianqing, and S. Yu Philip. "Applying differential privacy mechanism in artificial
intelligence." In 2019 IEEE 39th international conference on distributed computing systems (ICDCS), pp.
1601-1609. IEEE, 2019.
[16.] Adnan, Mohammed, Shivam Kalra, Jesse C. Cresswell, Graham W. Taylor, and Hamid R.
Tizhoosh. "Federated learning and differential privacy for medical image analysis." Scientific reports 12,
no. 1 (2022): 1953.
[17.] Truong, Nguyen, Kai Sun, Siyao Wang, Florian Guitton, and YiKe Guo. "Privacy preservation in
federated learning: An insightful survey from the GDPR perspective." Computers & Security 110 (2021):
102402.
[18.] Truex, Stacey, Nathalie Baracaldo, Ali Anwar, Thomas Steinke, Heiko Ludwig, Rui Zhang, and
Yi Zhou. "A hybrid approach to privacy-preserving federated learning." In Proceedings of the 12th ACM
workshop on artificial intelligence and security, pp. 1-11. 2019.
[19.] Zhao, Yang, Jun Zhao, Mengmeng Yang, Teng Wang, Ning Wang, Lingjuan Lyu, Dusit Niyato,
and Kwok-Yan Lam. "Local differential privacy-based federated learning for internet of things." IEEE
Internet of Things Journal 8, no. 11 (2020): 8836-8853.
[20.] Naseri, Mohammad, Jamie Hayes, and Emiliano De Cristofaro. "Local and central differential
privacy for robustness and privacy in federated learning." arXiv preprint arXiv:2009.03561 (2020).
[21.] Ali, Mansoor, Faisal Naeem, Muhammad Tariq, and Georges Kaddoum. "Federated learning for
privacy preservation in smart healthcare systems: A comprehensive survey." IEEE journal of biomedical
and health informatics 27, no. 2 (2022): 778-789.
[22.] Ali, Waqar, Rajesh Kumar, Zhiyi Deng, Yansong Wang, and Jie Shao. "A federated learning
approach for privacy protection in context-aware recommender systems." The Computer Journal 64, no. 7
(2021): 1016-1027.
[23.] Wei, Kang, Jun Li, Ming Ding, Chuan Ma, Howard H. Yang, Farhad Farokhi, Shi Jin, Tony QS
Quek, and H. Vincent Poor. "Federated learning with differential privacy: Algorithms and performance
analysis." IEEE transactions on information forensics and security 15 (2020): 3454-3469.
[24.] Hu, Rui, Yuanxiong Guo, Hongning Li, Qingqi Pei, and Yanmin Gong. "Personalized federated
learning with differential privacy." IEEE Internet of Things Journal 7, no. 10 (2020): 9530-9539.
[25.] Akter, Mahmuda, Nour Moustafa, Timothy Lynar, and Imran Razzak. "Edge intelligence:
Federated learning-based privacy protection framework for smart healthcare systems." IEEE Journal of
Biomedical and Health Informatics 26, no. 12 (2022): 5805-5816.
[26.] Li, Qinbin, Zeyi Wen, Zhaomin Wu, Sixu Hu, Naibo Wang, Yuan Li, Xu Liu, and Bingsheng He.
"A survey on federated learning systems: Vision, hype and reality for data privacy and protection." IEEE
Transactions on Knowledge and Data Engineering 35, no. 4 (2021): 3347-3366.
[27.] Gu, Xin, Fariza Sabrina, Zongwen Fan, and Shaleeza Sohail. "A review of privacy enhancement
methods for federated learning in healthcare systems." International Journal of Environmental Research
and Public Health 20, no. 15 (2023): 6539.
[28.] Brauneck, A., Schmalhorst, L., Kazemi Majdabadi, M. M., Bakhtiari, M., Völker, U., Baumbach,
J., ... & Buchholtz, G. (2023). Federated machine learning, privacy-enhancing technologies, and data
protection laws in medical research: scoping review. Journal of Medical Internet Research, 25, e41588.
[29.] Triastcyn, Aleksei, and Boi Faltings. "Federated learning with bayesian differential privacy."
In 2019 IEEE International Conference on Big Data (Big Data), pp. 2587-2596. IEEE, 2019.
[30.] Zhu, Tianqing, and S. Yu Philip. "Applying differential privacy mechanism in artificial
intelligence." In 2019 IEEE 39th international conference on distributed computing systems (ICDCS), pp.
1601-1609. IEEE, 2019.
[31.] Narmadha, K., and P. Varalakshmi. "Federated Learning in Healthcare: A Privacy Preserving
Approach." In MIE, pp. 194-198. 2022.
[32.] Dodda, Sarath Babu, Srihari Maruthi, Ramswaroop Reddy Yellu, Praveen Thuniki, and
Surendranadha Reddy Byrapu Reddy. "Federated Learning for Privacy-Preserving Collaborative AI:
Exploring federated learning techniques for training AI models collaboratively while preserving data
privacy." Australian Journal of Machine Learning Research & Applications 2, no. 1 (2022): 13-23.