Engineering Applications of Artificial Intelligence 130 (2024) 107689

Contents lists available at ScienceDirect

Engineering Applications of Artificial Intelligence

journal homepage: www.elsevier.com/locate/engappai

A Differential Privacy protection-based federated deep learning framework

to fog-embedded architectures
Norma Gutiérrez, Beatriz Otero 1 , ∗, Eva Rodríguez 1 , Gladys Utrera 1 , Sergi Mus 1 , Ramon Canal 1
Computer Architecture Department, Universitat Politècnica de Catalunya (UPC), c/Jordi Girona 1-3 Mòduls C6-D6 Campus Nord, Barcelona 08034, Spain

ARTICLE INFO ABSTRACT

Keywords: Nowadays, companies collect massive quantities of data to enhance their operations, often at the expense of
Deep learning sharing user sensible information. This data is widely used to train Deep Learning (DL) neural networks to
Fog computing model, classify, or recognize complex data. These activities enable companies to offer an array of services to
Internet of Things
users, such as precise advertising and optimal location services. This study explores potential solutions for
Privacy
preserving privacy while utilizing DL applications.
Sensitive information
To address the privacy issue, we develop a privacy-preserving framework specifically designed for fog
computing environments. Unlike traditional cloud computing architectures, fog embedded architectures only
share a small portion of user data with a nearby fog node, ensuring that the majority of sensitive data
remains secure. Within these fog nodes, we incorporate two additional algorithms, namely Generalization
and Threshold, to enhance the privacy-preserving capabilities of the framework.
The first algorithm, Generalization, introduces a validation dataset within the fog nodes which not only
increases the accuracy of the fog-embedded framework but also ensures that user data is preserved. The second
algorithm, Threshold, is responsible for protecting user data samples and reducing the amount of information
sent to the server. By combining these two algorithms, we are able to provide an additional layer of protection
for user privacy while still maintaining the accuracy of the model.
We conduct an evaluation to test its effectiveness using two separate datasets. In addition, we analyze
them through a Feed Forward Neural Network (FFNN) and compare the results with a traditional centralized
architecture to validate the effectiveness of the proposed framework.
The results of our evaluation demonstrate that the proposed privacy-preserving framework, when combined
with the Generalization and Threshold algorithms, can preserve up to 38.44% of user data. Additionally, we
were able to extend the framework to multiple fog nodes without compromising the network’s accuracy, as
we only observed a 0.1% decrease in accuracy when using the proposed architecture.
This study emphasizes the importance of preserving user information while using DL applications and
provides a solution that trains the desired network without violating user privacy, hence preserving their
anonymity. Overall, the study highlights the potential of Federated Deep Learning to improve the accuracy
and privacy of DL applications in fog computing environments.

1. Introduction Internet to develop publicity campaigns or to define the client profiles.

The Internet of Things (IoT) is progressing at an enormous pace,
comprising billions of connected smart devices that exchange user
information. IoT smart applications have become part of our daily
activities improving our quality of life. The significant increase of
IoT devices and the success of IoT applications and services have
contributed to the rapid growth in the amount of exchanged user data.
Confidential data is used and distributed by companies throughout the
The extraction and manipulation of large amounts of data by companies
have posed significant privacy concerns, which are further exacerbated
by the use of off-site cloud servers. A cloud server is a virtual or physical
environment that performs application processing and storage. Fur-
thermore, cloud servers are used as a training environment to process
data through Deep Learning (DL) techniques. The training of the DL
Neural Networks (NNs) is done by a centralized architecture where
the preservation of data privacy is scarce. Additionally, the resources

∗ Corresponding author.
E-mail addresses: [email protected] (N. Gutiérrez), [email protected] (B. Otero), [email protected] (E. Rodríguez), [email protected]
(G. Utrera), [email protected] (S. Mus), [email protected] (R. Canal).
1
These authors contributed equally to this work.

https://doi.org/10.1016/j.engappai.2023.107689
Received 10 February 2023; Received in revised form 14 July 2023; Accepted 7 December 2023
Available online 13 December 2023
0952-1976/© 2023 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-
nc-nd/4.0/).
N. Gutiérrez et al.
in centralized applications are limited, having an adverse effect on
performance.
The main concern in cloud training environments is the uploading of
user confidential data to a server, posing a significant challenge to data
privacy. To tackle this issue, research efforts on DL-privacy preservation
focus three main directions: collaborative DL, Differential Privacy, and
training on encrypted data. In collaborative DL participants only share
a subset of their data. More specifically, in Federated Learning (FL)
only the hyperparameters are shared with the server. However, privacy
remains an issue due to the fixed data in the final parameters of the
model. To overcome this issue, Differential Privacy adds perturbations
to the original data. However, it reduces the accuracy of DL mod-
els, resulting in a challenging trade-off between validation accuracy
and noise ratio. Finally, research works that train on encrypted data
achieve acceptable levels of accuracy, however, they still face problems
regarding efficiency.
In this paper, we propose a differential privacy protection frame-
work based on federated deep learning, which uses the fog node
concept to preserve user sensitive information. Our work introduces
two privacy-preserving algorithms: the Generalization Algorithm and
the Threshold Algorithm. The Generalization Algorithm introduces a
validation dataset in the fog nodes, increasing the fog-embedded frame-
work accuracy while preserving user private data. On the other hand,
the Threshold Algorithm protects user data samples, and reduces fur-
ther the exposure of sensitive data. Both algorithms are applied once
the network is trained and before data is validated in the cloud server.
An advantage of using a fog-embedded framework with the pro-
posed algorithms is that it is suitable for diverse real-world situations.
For instance, in a professional environment, the fog-embedded frame-
work can be applied to a private network, using internal routers as
fog nodes. The different WiFi devices act as IoT end nodes and the
external server as a cloud application. Furthermore, in domestic sit-
uations, can be implemented using Bluetooth-connected devices. In
this particular case, the framework utilizes Bluetooth devices as IoT
end nodes, smartphones as fog nodes, and the internet connection of
the smartphones as a cloud server. Hence, the proposed framework
demonstrates applicability across various scenarios, ensuring content
privacy in the utilization of DL mechanisms.
Moreover, to test the proposed framework, this article works with
two datasets; the Adult dataset and the Banking dataset (Dua and Graff,
2017), containing economic data about users.
The proposed privacy protection framework can be used by any
system or framework that provides AI based services or applications
making use sensitive or personal data, covering a wide range of en-
vironments as smart cities, eHealth, smart industries or autonomous
vehicles. The privacy protection framework initially has been tested
using the Adult and Banking datasets but it could be fed by any other
dataset depending on the environment considered.
In conclusion, the main contributions of this article are the follow-
ing:
1. Implementation of a protection-based federated deep learning
framework, which consists of a fog-embedded architecture that
helps preserving the user sensitive information.
2. Proposal and evaluation of two privacy algorithms, the Thresh-
old and Generalization Algorithms, which help the model reach
maximum accuracy and preserve one step further the user pri-
vacy.
3. Evaluation of the system with two different datasets, Adult and
Banking, that include user raw data. This includes a compari-
son to a standard centralized framework and an integrated fog
framework without the proposed algorithms.
The remainder of the paper is organized as follows: Section 2 de-
scribes the related work. Section 3 describes the proposed framework,
system configurations and algorithms. Section 3 describes the dataset,
the preprocessing and the FFNNs. Section 4 presents the experiments
and analysis. Finally, Section 5 concludes the paper.
2
Engineering Applications of Artificial Intelligence 130 (2024) 107689
2. Related work
The vulnerability of distributed data storage in fog computing com-
pared to cloud computing is being currently studied and there are a
wide variety of proposals to overcome this issue. Recently, in Gu et al.
(2023), the authors propose a secure auditing scheme that protects data
owners’ privacy and controls auditors’ identities. The scheme utilizes
attribute-based access control and distributed collaborative verification
between fog servers. The authors claim that their scheme is secure and
efficient based on theoretical analysis and experimental evaluation.
However, DL techniques provide the ability to handle large volumes
of data, detect complex patterns, adapt to changing environments, and
automate auditing processes. These capabilities are crucial for effective
and efficient security auditing, making them highly valuable in modern
computing scenarios.
Moreover, in the 5G era, DL techniques are widely used to learn
without human supervision with vast amounts of data. DL approaches
are improved with powerful infrastructures, such as cloud environ-
ments combined with distributed strategies. However, in most cases,
this success is at the expense of user privacy since they share their data
with other applications.
Training DL models allows malicious attackers to discover rela-
tionships between the data and eases the theft of the user sensitive
information. Moreover, DL methods are used to process large quantities
of data, and are demonstrated to have a better performance than
Machine Learning (ML) techniques. Consequently, preserving the user
privacy has become an essential topic in the information security field.
Differential Privacy presented by Boulemtafes et al. (2020) attempts
to reduce this threat. This excellent paradigm avoid adversaries gather
data from a selected record. Nonetheless, just a handful of works
propose a privacy-preserving distributed approach, as presented in this
paper.
One the first works in this area, in Shokri and Shmatikov (2015),
where they propose a distributed training technique to preserve user
privacy based on selective stochastic gradient descent (SGD). The
strength of their solution resides in the DL optimization algorithms and
their ability to be parallelized and executed asynchronously. Further-
more, their approach enables users to share a small subset of the model
key parameters. Their work also guarantees the user confidentiality for
different DL models, Multilayer Perceptron (MLP) and Convolutional
Neural Network (CNN), while maintaining accuracy levels. Even by
sharing only 10% of their data, they achieve almost the same accuracy
regarding the centralized privacy-violating model approach. Further-
more, the datasets used for the experiments were MNIST (LeCun and
Cortes, 2010) and SVHN (Netzer et al., 2011) datasets, typically used
in image classification.
In Phong et al. (2017), the authors improve Shokri’s work by avoid-
ing data leakage to the server and the use of homomorphic encryption
to enhance system security without compromising the accuracy. Ma
et al. (2022) improves the homomorphic encryption scheme to prevent
privacy leakage. The main innovation of their framework is that they
encrypt model updates via an aggregated public key. The framework is
tested using a human activity dataset (Martínez-Villaseñor et al., 2019).
It achieves an accuracy of 94.28%.
A similar approach has been undertaken in fog-embedded environ-
ments. In Lyu et al. (2019) it is defined a Fog embedded privacy-
preserving DL framework (FPPDL) that reduces computation and com-
munication costs. The framework uses a two-level protection mecha-
nism. First, Random Projection (RP) is executed by disrupting original
data but preserving its specific statistical characteristics. Secondly, the
network is trained in the fog nodes applying Differential Privacy SGD.
The framework was tested using the MNIST and SVHN achieving an
accuracy of 93.31% and 84.27% respectively.
The previous work uses the same framework as in the proposed
system. Nevertheless, different privacy techniques are used in the sug-
gested system, such as the Generalization and Threshold algorithms
N. Gutiérrez et al.
Table 1
Related privacy protection works in IoT-Fog networks.
Reference Architecture Protection model
Shokri and Shmatikov (2015) Distributed DL Distributed
training
Phong et al. (2017) Distributed DL Homomorphic
encryption
Lyu et al. (2019) Distributed DL – The proposed privacy-preserving framework for DL applications in
Boulemtafes et al. (2020) – Differential Privacy
Gong et al. (2020) – Differential Privacy
Ma et al. (2022) Federated DL Homomorphic
encryption
Moqurrab et al. (2022) Distributed DL – server, which is the root of the design. Then, the middle components
Abdel-Basset et al. (2022) Federated DL Private identifiers
Utomo et al. (2022) Federated DL AI Fairness checking
methods
proposed in the next section, as well as datasets that do contain sensible
information.
Fog-enabled deep learning models are used in the healthcare do-
main to preserve user data privacy. Moqurrab et al. (2022) base its
model on a CNN with bidirectional-LSTM. This model provides a flex-
ible privacy protection via user-defined privacy thresholds, however
it fails on semantic privacy protection (same as differential privacy).
Federated Deep Learning (FDL) also is used to improve data privacy
against GAN attacks. Abdel-Basset et al. (2022) devise a framework
where fog nodes train the FDL model ensuring that contributors do not
have access to data form other contributors by using private identifiers
to protect class probabilities. The framework is evaluated for image
classification using CNNs, demonstrating the effectiveness.
On the dataset side, Ligett et al. (2017) and Karapiperis and Verykios
(2015) use datasets that contain sensitive information, such as clinical
records or financial status. Their studies reveal an accuracy loss in their
regression analysis, as the main limitation of differential privacy-based
solutions is sensitive data management. Consequently, in Gong et al.
(2019) and Gong et al. (2020), the authors overcome this problem
proposing the PrivR framework. This framework implements a differ-
ential privacy regression model based on relevance. Their technique
consists of a polynomial transformation of the objective function.
Furthermore, it disrupts the coefficients by adding less noise in more
relevant coefficients and vice versa. The solution was tested using
the Adult, and Banking datasets (Dua and Graff, 2017) obtaining an
accuracy of 85% and 89%. Finally, the authors conclude that the PrivR
framework effectively prevents the leakage of data retaining the utility
of the model. Table 1 summarizes the related work highlighting the
architecture of the solution and the protection model.
In contrast to the previous work, this proposal evaluates a dis-
tributed framework. In our proposal, we test these same datasets in
a distributed framework, a fog-embedded framework. Also, their tech-
niques do not preserve user data; instead, they help weigh the most
relevant characteristics in the datasets. Finally, these articles do not
use DL to predict the datasets outputs, whereas this work does.
In short, the main difference of the proposed solution regarding
previous Federated DL solutions (Ma et al., 2022), (Abdel-Basset et al.,
2022) and (Utomo et al., 2022) is the usage of the Generalization and
Threshold algorithms that enhance the privacy-preserving capabilities
of the framework while maintaining the neuronal network accuracy.
Moreover, we perform a comparative analysis of the centralized and
federated models by implementing both systems and testing them using
the Adult and Banking datasets.
3. Framework
This article proposes several techniques to preserve user privacy
using a fog-embedded framework.
By combining Federated DL with the fog-embedded framework
proposed, the privacy of user data can be further secured. Specifically,
3
Engineering Applications of Artificial Intelligence 130 (2024) 107689
the fog nodes can act as the intermediaries between the end-devices
and the central server, ensuring that the data never leaves the private
internal system. The fog nodes can also perform the aggregation of
the model updates, ensuring that only the encoded model updates are
transmitted to the central server. Fig. 1 shows the privacy diagram of
the fog-embedded framework.
fog computing environments is designed with three layers: cloud server,
fog nodes, and end-nodes.
Furthermore, it consists of a tree-like structure with a generic cloud
are the fog nodes, and finally we find the numerous end devices, which
represent different IoT devices or users. These end devices are specific
components that contain all the sensitive data that must be preserved.
In the proposed framework, the fog nodes act as a firewall, protect-
ing user privacy by training all the information in the fog nodes and
uploading later only an encoded portion of the results to the server.
Moreover, the main interest of this architecture is that each end-
device has a fog node assigned, which confines a private internal
system. In this private network, only the components inside it can
access the unprocessed information and gradients.
The operation of the architecture is defined by several steps. Before
proceeding with the description of the steps illustrated in Fig. 1, it is
important to establish the following definitions:
• 𝑅𝐷𝑥 is user raw data, where 𝑥 stands for the user id.
• 𝑃 𝐷𝑥 is the preprocessed user data.
• 𝐺𝐷 is the Gradient Dataset used in Section 3.1.
• [𝛥𝑊𝑥 ] are the gradient weights for each user.
• 𝑀𝑤 is the global model.
• 𝑤 are the different layer weights.
• [𝛥𝑊 𝑀] stands for the gradient weights after applying the weig-
hted mean in the Generalization Algorithm.
• [𝛥𝑊 ] are the resulting gradient weights of the Threshold Shuffler
Algorithm.
First a portion of each user data, mapped with an IoT device, is
sent to the fog node so that the global model can be trained. This data
corresponds to the first and second steps in Fig. 1. The global model
resides in the cloud server. This model contains the weights that will
be updated by the fog nodes. The fog node downloads the last version
of the global model from the cloud server and it trains it with the end-
nodes dataset. This can be appreciated in the third and fourth steps of
Fig. 1.
Each time a fog node trains the model with the given data sepa-
rately, two privacy techniques are applied. The first technique is the
Generalization Algorithm, which is explained in Section 3.1, plus the
Threshold Algorithm described in Section 3.2. The training in conjunc-
tion with the aforementioned algorithms are represented in steps 5, 6
and 7 of Fig. 1. The new gradient weights received from the algorithms
and training of the model are sent continuously to the cloud server in
step 8. Subsequently, the cloud server updates the global model weights
and tests them in steps 9 and 10.
After the global model is updated and uploaded to the cloud server,
the new weights are re-sent to the next fog node. The same process is
repeated from step 3. The final goal is to ensure that in each iteration,
the model is further improved and that every fog node trains with the
latest version of the global model.
Hence, the fog-embedded framework is designed to preserve user
privacy since the IoT end nodes do not reveal their raw data, nor raw
gradients to the cloud server.
In this way, Fig. 1 shows in detail the operation of the fog-embedded
framework proposed in this work describing the sequence of steps to
preserve user privacy for computing environments.
N. Gutiérrez et al.
Fig. 1. Fog-embedded framework.
3.1. Generalization algorithm
The primary purpose of our Generalization algorithm is to acquire
a better accuracy under the fog-embedded framework. Due to the
distributed nature of the data across the different fog nodes, each fog
node trains with only a portion of the total dataset, hence decreasing
the accuracy. This method proposes a solution to the accuracy problem.
The pseudocode listed in Fig. 2 describes the proposed Generaliza-
tion algorithm. First, a portion of the data received by the IoT devices
is saved to a new dataset, called Generalization dataset. Then, the
Generalization dataset is used to validate the model. The validation
process generates a grade for each model weight and then it applies
the weighted mean to the result. Subsequently, a new gradient weight
is computed.
We can observe that the algorithm shows the update process of
the fog nodes model with the updated weights on line 6. Then, the
model is evaluated by extracting a grade from each weight using the
Generalization dataset on line 7. In the last step, the weighted mean is
computed on line 9 of the algorithm. This algorithm corresponds to step
6 in Fig. 1, showing why the input and output values match. Last, Fig. 3
shows a simplified flow of the high-level process of the Generalization
algorithm.
3.2. Threshold shuffler algorithm
The Threshold Shuffler Algorithm is an improved technique to up-
date the NN weights, preserving user privacy. The method is presented
through a pseudocode listing in Fig. 4.
4
Engineering Applications of Artificial Intelligence 130 (2024) 107689
The goal of this technique is to return a gradient of a random weight
between a selected threshold, thereby ensuring that raw information is
never sent to the server.
First, as seen in lines 4 and 5, the maximum and minimum values
of the interval are calculated (𝑙𝛥𝑓 𝑖𝑛𝑎𝑙 and 𝑙𝛥𝑖𝑛𝑖𝑡𝑖𝑎𝑙 respectively). This com-
putation returns a 10% higher and lowers values than the previously
computed weight.
After the threshold is set, a cryptographically secure random num-
ber is selected between the threshold limits and returned to the fog
node. By incorporating this technique, the user privacy is further pro-
tected as the returned number is unpredictable which makes it unlikely
to know the exact initial weights.
This algorithm is the continuation of the Generalization Algorithm
and corresponds to step 7 in Fig. 1, and again, the input and output
values match. Finally, Fig. 5 shows a simplified flow of the high-level
process of the Threshold Shuffler algorithm.
The framework was also tested using alternative algorithms, namely
the mean and median of all node weights in addition to the randomized
solution. However, the mean and median algorithms were not able to
provide the same level of privacy protection as the Threshold Shuffler
Algorithm. This is why the proposed Threshold Shuffler Algorithm was
ultimately selected and implemented.
To compare the proposal, we built up a centralized architecture.
The centralized architecture consists of a traditional and standard DL
architecture using cloud computing. As shown in Fig. 6, the architecture
has two parts; the cloud server and the users or IoT devices. The devices
contain the raw data that is later used for training the model, while
the cloud server comprises the model and the validation data. First,
the clients connect to the server and upload raw data to the server,
as seen in step 1 of Fig. 6. Later, the cloud server preprocesses the
N. Gutiérrez et al. Engineering Applications of Artificial Intelligence 130 (2024) 107689

Fig. 2. Pseudocode listing for the Generalization algorithm.

Fig. 3. Flow for the Generalization algorithm.

Fig. 4. Pseudocode listing for the Threshold Shuffler algorithm.

Fig. 5. Flow for the Threshold Shuffler algorithm.

5
N. Gutiérrez et al.
Fig. 6. Centralized architecture.
raw data in step 2 of the same figure. Next, the cloud server trains,
updates, and validates the model in steps 3, 4 and 5. Overall, as Fig. 6
shows, the architecture does not preserve user privacy. The raw data
is information without any filter or preprocessing added, that contains
all the user’s private information. The cloud environment is a privacy-
violating model due to the raw data being directly uploaded to the
server.
In conclusion, the system introduces a fog-embedded architecture
that includes two algorithms to help preserve the user sensitive data
while maintaining the neuronal network accuracy. It uses the fog nodes
as a firewall and only a selected amount of non-traceable data is sent
to the cloud server.
4. Performance evaluation
In this section, we first describe the system implementation. After,
we describe and analyze the datasets. Then, we perform a sensitivity
analysis to determine the hyperparameters that define the optimal
neural network. Finally, the section concludes with the results and
discussion.
4.1. System implementation and configuration
The implementation of the top-down system for distributed learning
using fog computing and Python can be summarized into the following
steps:
1. Receive configuration file: The system starts by receiving a
configuration file that contains information about the dataset,
Neural Network configuration, number of nodes, algorithms to
be used by the main node, number of devices, and number of
epochs. The value of all these hyperparameters are shown in
Table 6.
2. Create devices and nodes: Using the configuration, the system
creates the required number of devices and nodes. These values
are shown in Tables 4 and 5.
6
Engineering Applications of Artificial Intelligence 130 (2024) 107689
3. Assign processes or threads: Each created device and node is
then assigned to an independent process or thread to ensure that
they operate independently and concurrently.
4. Distribute dataset and assign Neural Networks: Each device
receives a portion of the dataset and a Neural Network to train
on. The devices are also connected to their associated nodes.
5. Training and communication: Devices train their respective
Neural Networks. Upon completion, they send the training in-
formation to their associated fog nodes. The fog nodes then
compute the specified algorithms using the information received.
6. Centralized controller: A central controller is in place to gather,
store, and analyze the information from all the fog nodes. This
enables the research team to evaluate the performance of the
system and make improvements as needed.
The test was run on a 1.6 GHz Intel Core i5 with 8 GB of memory
and an Intel UHD Graphics 617 1536 MB, using Tensorflow version
2.0.0 with Python 3.7.4 version and the Numpy library. We used the
virtual machine STANDARD_D14_V2. We employed a callback function
to register all the statistical metrics of each execution. This enabled us
to easily compare each model and store all the data in a log folder.
The implementation of such a system enables the fog computing
paradigm to be evaluated for distributed learning, resulting in reduced
latency, improved data privacy, and better scalability compared to tra-
ditional cloud-based solutions. This approach can also aid in handling
large-scale datasets and optimizing communication and computational
resources.
4.2. Dataset description
To evaluate the effectiveness of the proposed fog-embedded frame-
work, a series of experiments were conducted using two datasets
containing user financial information, namely the Adult and Bank-
ing datasets (Dua and Graff, 2017). In this way, we demonstrate
the versatility of the framework and algorithms. Plus, we highlight
its potential for application in different contexts beyond the specific
scenarios tested.
N. Gutiérrez et al. Engineering Applications of Artificial Intelligence 130 (2024) 107689

Table 2 Table 4
Individual parameter treatment for Adult dataset. Number of samples in each device and fog node for the Adult dataset.
Normalization One-hot Deleted Framework Samples per fog node Samples per
IoT device
age workclass fnlwgt
education-num occupation education Centralized architecture – 43,958
capital-gain marital-status Three nodes 14,652 7326
capital-loss relationship Five nodes 8790 4395
hours-per-week race Seven nodes 6278 3139
native county Validation data – 4884
sex

Table 3
Individual parameter treatment for Banking dataset.
Normalization One-hot Deleted
age job contact
balance marital day
pdays education duration
previous default campaign
housing
loan
month
poutcome
The Adult dataset consists of 48,842 information samples. Each
record has 14 features: age, workclass, fnlwgt, education, education-num,
marital-status, occupation, relationship, race, sex, capital-gain, capital-loss,
hours-per-week, and native county. Also, the dataset contains a response,
income. The Adult NN purpose is to separate the input data into high
income (more than 50K/year) or small income (smaller or equal than
50K/year).
The Banking dataset consists of 45,211 information samples. Each
record has 21 features: age, job, marital, education, default, housing,
loan, contact, day, month, duration, campaign, pdays, previous, poutcome,
emp.var.rate, cons.price.idx, cons.conf.idx, euribor3 m, nr.employed and y.
The Banking NN purpose is to predict whether a client can subscribe a
term deposit.
When choosing a dataset, some considerations were taken into
account. First, since the framework is a privacy-preserving architecture,
the dataset has to contain information about different individuals. In
the case of the Adult and Banking datasets, they contain sensitive
information samples which are going to be preserved. Therefore, our
goal is to safeguard user privacy by applying our fog-embedded system
to the dataset. Each dataset has received a unique preprocessing in
accordance with their characteristics.
4.3. Preprocessing
The treatment and preprocessing of the data samples is performed
in the end nodes (i.e. end devices). Since both datasets are very similar,
a unique but akin preprocessing has been applied. For each data type
of the parameter (e.g. number, multiple-choice), we apply a different
approach.
In the case where the dataset parameter is a numerical value, the
number is normalized to obtain a binary value. On the other hand, if the
parameter is a multiple-choice field, it is processed through the one-hot
encoding to ensure it is properly processed by the model.
The one-hot encoding consists of creating a column for each existing
different possible value of the parameter and then marking with a 1
the column where the register belongs to. To optimize the network
performance, some parameters were deemed unnecessary and thus
removed from the dataset.
Tables 2 and 3 show the treatment of each parameter individually
for both Adult and Banking datasets.
Once these processes are finished, the new dataset is saved into two
different serialized files, one for training and another for validation. To
create the testing dataset, 4884 samples from the Adult dataset and
Table 5
Number of samples in each device and fog node for the Banking dataset.
Framework Samples per Samples per
fog node IoT device
Centralized architecture – 40,690
Three nodes 13,562 6781
Five nodes 8138 4069
Seven nodes 5812 2906
Validation data – 4521
4521 samples from the Banking dataset, were selected which corre-
spond to 10% of all data. Having only 10% of the data for validation
assures that this dataset does not exceed the size of the samples each
fog node receives. The remaining data samples were saved as training
data.
To determine the number of samples allocated to each fog node,
the number of devices per fog node must be taken into consideration.
In our experiments, each fog node consists of two devices, therefore,
the total data of all devices is divided and allocated to each fog node
accordingly.
The system was tested with three, five and seven fog nodes. The
reason for changing the number of fog nodes is that our goal is to
maintain a similar accuracy independently from the number of nodes in
the network. The distribution of data among the devices and fog nodes
is represented in both Tables 4 and 5.
Looking at the Table 5, we can observe that the centralized architec-
ture contains all the data samples from all the end nodes, and it trains
the network with more points than any other fog node. On the other
side, the fog nodes have less information to train the network, and the
more distributed the nodes are, the fewer data the users will have to
pass to the fog node.
4.4. Description models
A NN works by ascribing different weights to the samples in each
layer. This process is repeated a selected number of epochs, so the
weights are shaped correctly. Several design parameters must be con-
sidered to achieve good performance without over or underfitting,
which is essential to assure a good accuracy and implementation of the
network. To avoid over and underfitting, the NN has been carefully
designed.
Firstly, we conducted a thorough analysis of the dataset, taking into
account its size. Both datasets have a similar number of data samples
since the Adult dataset has 48,842 and the Banking dataset has 45,211.
Furthermore, both datasets have a similar number of parameters, and,
as stated in the previous section, they are very similar to each other.
In this type of datasets the most frequent and best performing types of
models, are the fully-connected NNs, as stated in Brilliant.org (2020).
Fig. 7 presents an example of a FFNN, which is a fully-connected
neural network, applied to the Adult dataset. Each circle represents a
unit and each column a layer. As it can be observed, the NN has an
input layer, three hidden layers and an output layer.
Next, the model hyperparameters must be computed. First, each
layer is equipped with an activation function and a specific number of
units. An activation function defines the node output. There is a large
list of activation functions. In the proposed network, the hidden layers

7
N. Gutiérrez et al.
Fig. 7. Example of a FFNN structure in the Adult dataset.
have a Rectified Linear Unit (ReLU) activation function. The reason
behind having a ReLU activation function is that it does not saturate
or stop to shape the samples weights. This process is vital to avoid
overfitting. As for the output layers, the used activation function is
Sigmoid.
Second, the number of units in each layer is ascertained through an
extensive hyperparameter tuning process, which will be explained in
more detail in the following section. Considering that fog nodes process
a smaller portion of data compared to the centralized architecture, it
is essential to employ a smaller model to circumvent overfitting. The
optimal network for the fog-embedded framework is identified after
conducting a series of experiments, wherein the number of layers and
units are modulated.
These experiments entail training multiple neural networks with
diverse data subsets derived from both the Adult and Banking datasets.
The initial experiments encompass broad exploration of the numbers
of layers and neurons, encompassing extensive testing ranges for each
network. The optimal configuration of the values of the hyperparam-
eters that define the neural network (layers, epochs, etc.) is explained
in detail in the next section.
The neural network is defined by several key elements, including
the optimizer, the loss function, and the number of epochs. The loss
function serves as a mathematical measure of the error in the predic-
tions made by the model, with the aim of minimizing this error and
optimizing the predictions.
In this study, the Mean Square Error (MSE) was selected as the loss
function. In addition to the loss function, an optimizer is required to
shape and refine the model weights. The Adam (TensorFlow, 2020)
optimizer was chosen due to its high performance in a limited number
of epochs. The number of epochs for the fog node to train the model was
determined as a final step. Considering the limited number of samples
and the need to achieve stable model results without overtraining the
network, we decided to set the number of epochs to 15.
4.5. Sensitivity analysis
The model selection in this study was conducted using the Keras
Hyperband tool, a state-of-the-art optimization technique for hyperpa-
rameter tuning (see API (2020)).
Hyperband is a novel approach for efficient hyperparameter opti-
mization that employs adaptive resource allocation and early stopping
8
Engineering Applications of Artificial Intelligence 130 (2024) 107689
strategies to explore the search space more effectively. This method en-
ables the rapid identification of high-performing models with a reduced
computational cost. More details of the algorithm for hyperparameter
optimization can be found in Li et al. (2018).
To assess the sensitivity of the proposed model to different hyper-
parameter configurations, the following parameters were systematically
varied during the model selection process:
1. Number of Layers: Recognizing that the number of layers in-
fluences the model abstraction capacity and that the available
samples within each device are limited, the study focused on
testing small networks with one to four layers. The experimental
results showed a significant improvement in the NN performance
when using a three-layer architecture.
2. Learning rate: The model sensitivity to various learning rates,
ranging from 0.001 to 0.1, was investigated. The outcomes re-
vealed an increase in performance as the learning rate increased
up to a certain threshold, beyond which performance declined.
The optimal learning rate was determined to be 0.01.
3. Number of epochs: The sensitivity analysis also considered the
impact of different epoch numbers, ranging from 5 to 50. The
model performance increased with a growing number of epochs
until a certain point, at which the performance plateaued. The
optimal number of epochs was identified as 15, attributable to
the limited number of samples each device receives.
4. Batch size: The model sensitivity to varying batch sizes, from
8 to 128, was also examined. The performance was found to
improve with an increasing batch size up to a certain limit, after
which it plateaued. The optimal batch size was established to be
between 16 (for layer 2) and 32 neurons (for layers 1 and 3).
Table 6 summarizes the ranges used to perform the experimentation
of the different configurations of the hyperparameters to determine the
most optimal neural network. The values of the hyperparameters for
optimal configuration are shown in bold.
Upon completion of these experiments, we found that the ideal
number of layers is three, with the number of neurons in each layer
oscillating between 32 and 16. The resulting model structure, achieved
through this rigorous tuning process is presented in the following
listing:
N. Gutiérrez et al. Engineering Applications of Artificial Intelligence 130 (2024) 107689

Table 6
Hyperparameter ranges used for experimentation.
Hyperparameter Configurations
Layers 1, 2, 3, 4
Learning rates 0.001, 0.005, 0.01, 0.05, 0.1
Epochs 5, 10, 15, 20, 25, 30, 35, 40, 45, 50
Batch size 8, 16, 32, 64, 128

Table 7
Summary of the value of the parameters used to perform the experiments.
Parameter Value
Number fog nodes 3,5,7
Number devices per node 2
Samples to train the model 43,958 (Adult), 40,690 (Banking)
Samples to validate the model 4884 (Adult), 4521 (Banking)
Layers 3
Learning rate 0.01
Epochs 15
Batch size 16 (for layer 2), 32 (for layers 1 and 3)
model.Sequential([
model.Dense(32, ReLU),
model.Dense(16, ReLU),
model.Dense(32, ReLU),
model.Dense(1, Sigmoid)
])
Finally, the sensitivity analysis revealed that the proposed model
performance is influenced by the changes in its input parameters and
conditions. By determining the optimal parameter values through this
analysis, the model performance can be optimized to ensure robustness
under varying conditions.
4.6. Experiments
In this section, we will discuss the experiments and results obtained
for the architectures, models, and algorithms described in the previous
sections. Table 7 summarizes the values of all the parameters selected
to determine the neural network configuration, the required number
of devices and nodes and the samples to training and validation of the
neural network model.
In this regard, to test the system accuracy, the fog-embedded ar-
chitecture is tested with three, five and seven fog nodes for each
dataset. Testing the framework in different scenarios allows the system
to generalize and evaluate the proposed architecture. The same exper-
iments were conducted in the centralized architecture for comparison.
Therefore, for each experiment, 50 executions were carried out to
ensure result stability. And later, to evaluate them, we conducted the
mean of each result. All the results obtained are shown and discussed
in the following section.
Then, to implement the code to execute the experiments, depen-
dency injection was used to assure that the components are treated
separately. Each device and fog node is individually considered, such
as Hudli and Hudli (2013) depicted. Consequently, the architecture is
scalable, flexible and with fewer intern dependencies.
On the other hand, the evaluation of the framework both at the level
of data privacy and at the level of accuracy of the model is verified in
two-fold. First, the mutual information between gradients is calculated
to test the preservation of user privacy. The mutual information aims
to identify the percentage of hidden information that results from
applying the described framework with both algorithms.
Second, we show the metrics that evaluate the models obtained for
the datasets considered, and compare them with those obtained for the
centralized architecture. The metrics analyzed were the accuracy, the
loss and the Area under the Curve (AUC). These metrics are usually
used for classification problems. The accuracy was chosen as the main
Fig. 8. Mutual Information algorithm functioning and application.
studied metric since it perfectly depicts the binary classification per-
formance. The loss was also computed to avoid overfitting, while the
AUC provides an aggregate measure of performance across all possible
classification thresholds. Details on the definition and meaning of these
metrics can be found at Hossin and Sulaiman (2015).
Below, we show the results obtained for each of the metrics con-
sidered, both to evaluate the privacy of the data and to evaluate the
results of the model.
4.6.1. Mutual information
Mutual information is a measure of the amount of information
shared between two random variables, indicating the degree of depen-
dence between them. In our case, mutual information will determine
the percentage of hidden information that results from applying the
algorithms described in the previous sections to the experiments carried
out.
We used the Normalized Mutual Information to scale the results
between 0.0 (no mutual information) and 1.0 (perfect correlation)
(more details in Sun et al. (2019)).
To test the increase in the user data protection, we compare the
initial gradients once the fog node has trained the network, with the
final gradients when the network passes through the algorithms and
returns to the cloud server. The Normalized Mutual Information can be
)
calculated as follows: 𝐼(𝑋, 𝑌 ) = 𝐻(𝑋)−𝐻(𝑋∣𝑌
𝐻(𝑋)
.
In the depicted equation, 𝐻(𝑋) represents the entropy of the system
weights once the model is trained but before applying the algorithms.
𝐻(𝑋 ∣ 𝑌 ) is the conditional entropy that remains in the weight
results when applying the algorithms. In other words, the mutual
information calculates the quantity of information the model weights
share before and after they have been through the algorithms. Fig. 8
represents the entropy and mutual information of the system. The
circle described in the left represents the model entropy of the weights
without algorithms, and in the right circle, the model weights with the
applied algorithms.
Furthermore, if the Normalized Mutual Information is 1.0, both
gradients are the same (i.e. no information is preserved). The goal is
to achieve as little mutual information as possible. In the centralized
architecture and in the fog-embedded framework without algorithms
the mutual information can be computed as 𝐼(𝑋, 𝑋) = 𝐻(𝑋) 𝐻(𝑋)
= 1.0.
In those cases, 𝐻(𝑋 ∣ 𝑌 ) does not compute since the scenario where
the algorithms are applied (𝑌 ) is not performed. In these cases, the
Mutual Information will be maximum (1.0) since no preservation is
applied to the network gradients. The difference between the central-
ized framework and the fog-embedded framework without algorithms
is that the second does not deliver the raw data directly to the cloud
server, whereas the first does. To calculate the Mutual Information,
we go through the following steps: First, once the network is trained,
the gradient values are saved. Furthermore, the system also saves the
gradient values once the algorithms are applied. From both results the

9
N. Gutiérrez et al.
Fig. 9. Results obtained for the Adult dataset experiments taking into account accuracy, loss and AUC metrics.
Table 8
Results of the Mutual Information experiments.
Framework Mutual information
Centralized model 1.0
Nodes in Adult 0.6735
Nodes in Banking 0.6156
Normalized Mutual Information is calculated following the equation
depicted in this section.
All calculations are performed for both Adult and Banking datasets
and we observed that the Mutual Information between nodes is very
similar. That is the reason we decided to perform the mean of all results
obtained to all experiments. Table 8 shows the results and outcomes.
As we can see in Table 8, the Mutual Information decreases in the
fog-embedded framework with the applied algorithms. Additionally,
Table 8 shows a clear decrease in the shared information with and with-
out information. On the one hand, with the Adult dataset the system
using the algorithms shares 32.65% less information. Likewise, with the
Banking dataset the system using the algorithms shares 38.44% less
information. Consequently, the results demonstrate a preservation of
the user’s information while maintaining the accuracy in the NNs when
applying the proposed algorithms in the fog-embedded framework.
4.6.2. Performance preservation
The previous section proves that the Mutual Information helps to
protect the user’s information, and it is crucial to assure accuracy and
loss stability in the new environment. In this section, we show the
results of the same experiments but now considering the metrics that
determine neural network (model) performance.
Fig. 9 shows the mean of the results in each experiment. First, the
centralized model has an average of 83.9% of accuracy, 0.341 loss
and 0.85 AUC. These results do not present overfitting since the loss
decreases at each epoch, and the accuracy remains stable between
training and validation. The system performs similarly in the columns
from Fig. 9, obtained in the cloud server, for three fog nodes, five fog
nodes and seven fog nodes.
It is important to note that the decrease in accuracy between
fog nodes is below 1% and the increase in loss can be considered
insignificant. This indicates that the proposed framework is able to
achieve consistent results regardless of the number of fog nodes used.
10
Engineering Applications of Artificial Intelligence 130 (2024) 107689
Additionally, the fact that the loss does not increase by more than 0.3
ensures that there is no overfitting nor underfitting. Finally, although
the values of the AUC metric increase slightly, the model found is better
for the fog architecture when compared to the centralized architecture
model.
Additionally, the same results have been obtained for the Banking
dataset as we can see in Fig. 10. In this case, we obtain similar results as
for the Adult dataset. Therefore, we achieve an accuracy of 97% for this
dataset, a loss of 0.151 and AUC of 0.55 in the centralized architecture.
The increase in loss and AUC in the fog node experiments is negligible,
and the accuracy remains constant, even if we consider the centralized
model.
Having both datasets perform similarly allows us to generalize the
results and stipulate that the system can be extended to other collected
data in similar environments. Additionally, both datasets use the same
network allowing transfer learning between them, such as proposed in
Zhuang et al. (2021). Transfer learning aims to reuse a NN model from
one task and be utilized as a starting point of another. By using transfer
learning, the system leverages one model for one specific data and uses
it for another in a similar scheme. In real-life scenarios, large quantities
of data from multiple schemes can be extracted and analyzed, allowing
companies to process and share valuable data without the necessity of
revealing user’s sensitive information.
Overall, the evaluation performed shows that the proposed system
can maintain accuracy throughout the different number of fog nodes,
allowing companies to use DL techniques in their data, reducing the
shared information significantly in a cloud environment. Furthermore,
the system works just as good as the centralized architecture. Moreover,
the loss increase is minimal and indicated that no overfitting is taking
place.
5. Conclusions
This work proposes an efficient way to enhance our DL knowledge
and continue to train networks but preserve user sensitive information.
To do so, a fog-embedded framework was introduced, which is a three-
level framework with two new algorithms inside. The fog nodes train
and apply encryption algorithms to update the weights before the final
information is sent to the cloud server. Each fog node creates a secure
local network where the data samples reside.
The fog nodes act as a privacy-preserving filter between the user
devices and the cloud server. The weights are shuffled and randomized
N. Gutiérrez et al.
Fig. 10. Results obtained for the Banking dataset experiments taking into account accuracy, loss and AUC metrics.
among the fog nodes, which makes it difficult to reconstruct the origi-
nal user data from the updated weights. In this way, the user’s privacy
is preserved while still allowing for model updating and improvement.
The algorithms are run in the fog nodes to assure accuracy stability,
no overfitting and the desired preservation of the information. Fur-
thermore, we tested the system with different fog nodes to generalize
our results and conducted each experiment 50 times. The Normalized
Mutual Information was calculated in the system, comparing it with
the centralized architecture and got 32.65% and 38.44% less shared
information between the IoT devices and the cloud servers. Finally, the
accuracy results revealed a less than 1% decrease in accuracy and a
negligible reduction in loss.
The results showed a favorable detection enabling the system to
preserve the user’s privacy. The decrease of the accuracy is negligible,
and the system can be quickly introduced in companies without raising
accuracy concerns and helping to preserve the user’s sensitive informa-
tion. These results mean that the system allows companies to internally
train their data without sharing information in a cloud environment;
meanwhile, other security techniques such as the proposed algorithms
are executed to assure further information preservation.
One potential limitation of the system is the need of having large
quantities of data to train the network. Additionally, the scalability of
the usage of transfer learning for multiple datasets may be constrained
and difficult to extend.
In terms of future work, we believe that expanding the amount of
data with similar characteristics can improve the model performance.
This expansion of data would allow for a more comprehensive study
of the capabilities and potential of transfer learning. Additionally, the
system could be tested in an industrial setup that generates new data,
which would provide further insights into the model ability to handle
novel and unique data.
In conclusion, the article proposes a system that helps to preserve
the user privacy while maintaining the neuronal network accuracy in
a distributed fog architecture.
CRediT authorship contribution statement
Norma Gutiérrez: Software, Investigation, Data curation, Writ-
ing – original draft. Beatriz Otero: Conceptualization, Methodology,
Resources, Validation, Writing, Supervision. Eva Rodríguez: Conceptu-
alization, Validation, Methodology, Writing – review & editing. Gladys
11
Engineering Applications of Artificial Intelligence 130 (2024) 107689
Utrera: Resources, Visualization, Writing – review & editing. Sergi
Mus: Investigation, Software. Ramon Canal: Supervision, Methodol-
ogy, Writing – review & editing.
Declaration of competing interest
The authors declare that they have no known competing financial
interests or personal relationships that could have appeared to influ-
ence the work reported in this paper.All authors declare that they have
no conflicts of interest.
Data availability
We have reference the datasets used in this article.
Acknowledgments
This work is partially supported by the Spanish Ministry of Science
and Innovation, Spain under contracts PID2021-124463OB-IOO and
PID2019-107255GB-C22; by the Generalitat de Catalunya, Spain under
grant 2021SGR00326; and by the DRAC (IU16-011591), the HORIZON
Vitamin-V, Spain(101093062), the HORIZON-AG PHOENI2X, Spain
(101070586) and the HORIZON HORSE, Spain (101096342) projects.
References
Abdel-Basset, M., Hawash, H., Moustafa, N., Razzak, I., Abd Elfattah, M., 2022. Privacy-
preserved learning from non-iid data in fog-assisted IoT: A federated learning
approach. Digit. Commun. Netw.
API, K., 2020. Keras API reference. URL: https://keras.io/api/keras_tuner/.
Boulemtafes, A., Derhab, A., Challal, Y., 2020. A review of privacy-preserving
techniques for deep learning. Neurocomputing 384, 21–45, URL: http://www.
sciencedirect.com/science/article/pii/S0925231219316431.
Brilliant.org, 2020. Feedforward neural networks. URL: https://brilliant.org/wiki/
feedforward-neural-networks/.
Dua, D., Graff, C., 2017. UCI Machine Learning Repository. University of California,
School of Information and Computer Sciences, Irvine, URL: http://archive.ics.uci.
edu/ml.
Gong, M., Pan, K., Xie, Y., 2019. Differential privacy preservation in regression
analysis based on relevance. Knowl.-Based Syst. 173, 140–149. http://dx.doi.
org/10.1016/j.knosys.2019.02.028, URL: http://www.sciencedirect.com/science/
article/pii/S0950705119300899.
Gong, M., Pan, K., Xie, Y., Qin, A., Tang, Z., 2020. Preserving differential privacy
in deep neural networks with relevance-based adaptive noise imposition. Neural
Netw. 125, 131–141. http://dx.doi.org/10.1016/j.neunet.2020.02.001, URL: http:
//www.sciencedirect.com/science/article/pii/S0893608020300460.
N. Gutiérrez et al. Engineering Applications of Artificial Intelligence 130 (2024) 107689

Gu, K., Zhang, W., Wang, X., Li, X., Jia, W., 2023. Dual attribute-based auditing scheme Ma, J., Naas, S.A., Sigg, S., Lyu, X., 2022. Privacy-preserving federated learning based
for fog computing-based data dynamic storage with distributed collaborative on multi-key homomorphic encryption. Int. J. Intell. Syst. 37 (9), 5880–5901.
verification. IEEE Trans. Netw. Serv. Manag. 1. http://dx.doi.org/10.1109/TNSM. Martínez-Villaseñor, L., Ponce, H., Brieva, J., Moya-Albor, E., Núñez-Martínez, J.,
2023.3267235. Peñafort-Asturiano, C., 2019. UP-fall detection dataset: A multimodal approach.
Hossin, M., Sulaiman, M.N., 2015. A review on evaluation metrics for data classification Sensors 19 (9), 1988.
evaluations. Int. J. Data Min. Knowl. Manag. Process 5, 1–11. Moqurrab, S.A., Tariq, N., Anjum, A., Asheralieva, A., Malik, S.U., Malik, H., Pervaiz, H.,
Hudli, S., Hudli, R., 2013. A verification strategy for dependency injec- Gill, S.S., 2022. A deep learning-based privacy-preserving model for smart health-
tion. Lect. Notes Softw. Eng. 71–74. http://dx.doi.org/10.7763/LNSE.2013. care in internet of medical things using fog computing. Wirel. Pers. Commun. 126
V1.16, URL: https://www.researchgate.net/publication/290465955_A_Verification_ (3), 2379–2401.
Strategy_for_Dependency_Injection. Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y., 2011. Reading digits in
Karapiperis, D., Verykios, V.S., 2015. An LSH-based blocking approach with a natural images with unsupervised feature learning. URL: http://ufldl.stanford.edu/
homomorphic matching technique for privacy-preserving record linkage. IEEE housenumbers.
Trans. Knowl. Data Eng. 27 (4), 909–921. http://dx.doi.org/10.1109/TKDE.2014. Phong, L.T., Aono, Y., Hayashi, T., Wang, L., Moriai, S., 2017. Privacy-
2349916. preserving deep learning: revisited and enhanced. In: International
LeCun, Y., Cortes, C., 2010. MNIST handwritten digit database. URL: http://yann.lecun. Conference on Applications and Techniques in Information Security. URL:
com/exdb/mnist/. https://www.semanticscholar.org/paper/Privacy-Preserving-Deep-Learning%3A-
Li, L., Jamieson, K., DeSalvo, G., Rostamizadeh, A., Talwalkar, A., 2018. Hyperband: Revisited-and-Phong-Aono/3db5c5a6c720091e2c9be8bb45b96fe7be313717.
A novel bandit-based approach to hyperparameter optimization. arXiv:1603.06560, Shokri, R., Shmatikov, V., 2015. Privacy-Preserving Deep Learning. Association
URL: https://arxiv.org/abs/1603.06560. for Computing Machinery, pp. 1310–1321. http://dx.doi.org/10.1145/2810103.
Ligett, K., Neel, S., Roth, A., Waggoner, B., Wu, S.Z., 2017. Accuracy first: select- 2813687.
ing a differential privacy level for accuracy constrained ERM. In: Guyon, I., Sun, K., Tian, P., Qi, H., Ma, F., Yang, G., 2019. An improved normalized mutual
Luxburg, U.V., Bengio, S., Wallach, H., Fergus, R., Vishwanathan, S., Garnett, R. information variable selection algorithm for neural network-based soft sensors.
(Eds.), Advances in Neural Information Processing Systems. Vol. 30, Curran MDPI 19 (24), 5368. http://dx.doi.org/10.3390/s19245368, URL: https://www.
Associates, Inc., pp. 2566–2576, URL: https://proceedings.neurips.cc/paper/2017/ ncbi.nlm.nih.gov/pmc/articles/PMC6960561/.
file/86df7dcfd896fcaf2674f757a2463eba-Paper.pdf. TensorFlow, 2020. tf.keras.optimizers.Adam. URL: https://www.tensorflow.org/api_
Lyu, L., Bezdek, J., He, X., Jin, J., 2019. Fog-embedded deep learning for the internet docs/python/tf/keras/optimizers/Adam.
of things. IEEE Trans. Ind. Inform. PP, 1. http://dx.doi.org/10.1109/TII.2019. Utomo, S., John, A., Rouniyar, A., Hsu, H.-C., Hsiung, P.-A., 2022. Federated trust-
2912465. worthy AI architecture for smart cities. In: 2022 IEEE International Smart Cities
Conference. ISC2, pp. 1–7. http://dx.doi.org/10.1109/ISC255366.2022.9922069.
Zhuang, F., Qi, Z., Duan, K., Xi, D., Zhu, Y., Zhu, H., Xiong, H., He, Q., 2021.
A comprehensive survey on transfer learning. Proc. IEEE 109 (1), 43–76. http:
//dx.doi.org/10.1109/JPROC.2020.3004555.

12