Project: #406 Towards Privacy-Preserving Networked Autonomous Mobility: Analysis, Tools Development, and Real-World Evaluation Progress Report - Reporting Period Ending: Sept. 30, 2023 Principal Investigator: Ding Zhao Status: Completed Start Date: July 1, 2022 End Date: June 30, 2023 Research Type: Advanced Grant Type: Research Advanced Grant Program: FAST Act - Mobility National (2016 - 2022) Grant Cycle: 2022 Mobility21 UTC Progress Report (Last Updated: Oct. 18, 2023, 6:47 a.m.) % Project Completed to Date: None % Grant Award Expended: None % Match Expended & Document: None USDOT Requirements Accomplishments Goals: The major goal of this project is to study the privacy issues in autonomous vehicles and robots and to provide insights into private information protection for the owners and users. Despite the privacy-preserving mechanism investigation and study shown in the first report, we studied the privacy leakage to highlight the necessity of privacy-preserving mechanisms. The goal of this stage of work is to reveal potential the private data leakage during the training process. Specifically, intelligent vehicles and robots need large-scale datasets to achieve significant performance, and the deployed algorithms can be improved by finetuning the model on the data collected during usage. Our goal is to investigate the privacy leakage in this process. Accomplishment: We proposed the gradient inversion attack method which can reconstruct the training data from the gradient used to update the model of reinforcement learning (RL) algorithms. To investigate the private data leakage during the training process after the vehicle or robot deployment, we assume a federated learning framework, which allows multiple local users to own local machines and use their private data to calculate gradients on the local machines. This framework aims to preserve privacy by avoiding any share of the private data but only transiting the gradients. These gradients are then used to update to model on the central server. We show that the private training data is at risk of data leakage due to the attack on gradients. Although gradient inversion attack has been studied for supervised learning in the image classification task, RL algorithms remain unexplored for this topic. As RL algorithms are widely used for autonomous vehicles and robots, we focused on this privacy-leakage problem and proposed gradient inversion attack pipelines for both value-based and policy-gradient-based deep RL algorithms and they can also be applied to model-based RL algorithms. These pipelines can reconstruct the multimodal state, action, and supervision signal, such as the target value, reward, or advantage value, from the gradient. Specifically, we proposed and implemented multi-stage optimization for multi-modal state data. We proposed and implemented an objective-function-agnostic method to calculate the reconstructed gradient, which allowed our pipelines to be applied across various complex RL algorithms. We tested the proposed gradient inversion attacker in 2 tasks and 3 RL algorithms. For the visual navigation task, we successfully reconstructed RGB images and depth images from gradients in both the AI2THOR simulator and the real-world dataset SUN RGB-D. For the self-driving task, we successfully reconstructed RGB images, Lidar images, and bird-eye-view images for both the Carla simulator. We also reconstructed the discrete action used by the value-based RL algorithm Deep Q-Learning Network and policy-gradient-based RL algorithm REINFORCE, and the continuous action used by the soft-actor-critic RL algorithm. Despite we conducted the experiments on initialized networks, the network structure contained commonly-used layers, including linear, convolution, batch norm, various activation layers, and skip connection. Therefore, our result reveals the risk of private data leakage for realistic network structures. We evaluated the reconstruction results with multiple metrics, including PSNR and SSIM for image reconstruction, IoU for goal bounding box reconstruction, and percentage error for supervision signal reconstruction. The results exhibited high accuracy, indicating a high risk of private data leakage from the gradients. In summary, we proposed the first work of gradient inversion attack on RL algorithms and the results indicate that we should highlight the privacy risk in robotic and self-driving tasks. Impacts We have published one of the first comprehensive surveys on autonomous vehicles. We have released the survey on arxiv. We have hosted a competition at CVPR on the protection of privacy for autonomous vehicles. Other We proposed a universal framework for gradient inversion and implemented a package that can apply gradient inversion attacks for both supervised learning and RL algorithms. The code is open-sourced and can be found (https://github.com/miao3210/inversion-attacker). We summarized a primary version of this work in a paper Your Room is not Private: Gradient Inversion Attack on Reinforcement Learning. The complete version including the gradient inversion attack on larger networks and trained networks and the results of real-world datasets will be summarized in another paper. More code with details will be released. Outcomes New Partners n/a Issues No changes