Privacy Preserving Federated RSRP Estimation for Future Mobile Networks

Leveraging location information for machine learning applications in mobile networks is challenging due to the distributed nature of the data and privacy concerns. Federated Learning (FL) helps to tackle these issues and is a big step towards enabling privacy-aware distributed model training; however, it is still prone to sophisticated privacy attacks such as membership inference. In this paper, we implement an FL approach to estimate Reference Signal Received Power (RSRP) values using the geographical location information of the user equipment. We propose a privacy-preserving mechanism using differential privacy to protect against privacy attacks and demonstrate the impacts and the privacy-utility trade-off via privacy accounting measures.


I. INTRODUCTION
With the advent of beyond 5G and 6G, next-generation wireless systems are expected to connect everything with enhanced coverage, capacity, energy efficiency, and latency for different application-oriented use-cases. Such challenging requirements could be achieved by utilizing advanced wireless techniques or intelligent data-driven methodologies.
Existing approaches like network densification, optimal resource allocation, and massive and distributed Multi-Input Multi-Output (MIMO) systems help reach these requirements. However, network densification, for instance, requires frequent carrier and cell measurements to enable interference mitigation and coordination schemes, due to the high interference that results from densifying the network. Such intense measurements must be performed by the User Equipment (UE) on the primary, secondary, and any potential target cells on different frequency bands and spatially distributed network sites. Although UE measurement reports are important to guarantee service continuity, frequent Reference Signal Received Power (RSRP) measurements, e.g., every 40 ms, produce large signaling overhead and increase power consumption.
The application of data-driven intelligent techniques to wireless systems is considered a potential solution to the problems of high overhead, energy consumption, interference mitigation, and resource allocation. Integrating intelligence to monitor and predict the network status enables network automation and improves the UE experience by learning from history and promoting proactive real-time network decisions [1]. Machine Learning (ML) algorithms can be utilized for RSRP prediction, which reduces the signaling overhead, enables proactive network actions, and increases computation efficiency. RSRP prediction with relevant features, e.g., UE contextual information, further enhances beam management and mobility robustness.
Despite the increasing popularity of ML, centralized processing of a big volume of data increases both the computation complexity at network sites and the privacy concerns of UEs regarding data leakage. At the same time, local datasets are valuable assets for increasing learning accuracy. In order to benefit from a large dataset that captures independent and heterogeneous scenarios without transferring it, while avoiding exhausting centralized computation, distributed learning mechanisms have drawn considerable attention recently. Federated learning (FL) [2], [3], [4] is one such distributed learning scheme, addressing privacy concerns by performing coordinated learning on clients without revealing their local datasets to a central entity. FL provides a privacy-aware topology since the client's data is never shared with the server; instead, only model updates are exchanged, which do not contain any personally identifiable information, and the size of the exchanged updates is smaller than that of the raw data. Although these are significant privacy enhancements compared to centralized training scenarios, where clients need to send raw data to the server, it is still possible to launch privacy attacks. Recent advances show that sophisticated privacy attacks such as membership inference, model inference, and model extraction attacks can still exploit the model updates [5]. Differential Privacy (DP), a privacy-enhancing technology, is used to prevent such attacks.
In this paper, the geographical location of UEs is utilized as a feature to predict RSRP. Since sharing location with network sites is not preferable due to privacy concerns, differentially private FL is employed to realize the privacy-preserving prediction. We define each capable UE as a client; thus, each UE can help the system by mapping its location to RSRP via updating model parameters. Targeting not only 5G networks but also beyond 5G and 6G networks, this study:
• Utilizes UEs' location information in the context of FL to predict RSRP (obtained from a realistic testbed experiment) to enhance beam management and mobility robustness.
• Brings a privacy-preserving approach with DP against possible privacy attacks on the above proposed framework.
• Provides comprehensive experiment results including, but not limited to, the privacy versus utility trade-off and performance metrics.
The organization of this paper is as follows. In Section II, we present background on FL, its privacy concerns, and DP. We explain the proposed solution for RSRP prediction and how it can be performed using differentially private FL in Section III. Details about our implementation and evaluations are discussed in Section IV. We discuss the state of the art in Section V, and we conclude the study in Section VI.

II. BACKGROUND

A. Federated Learning
FL was proposed in [3] and is a kind of distributed learning utilized to minimize data transfer, enable joint optimization, and preserve privacy; its performance depends on the particular implementation. Depending on the distribution of samples and features among the clients, training can be done via horizontal or vertical splits over samples or features. Horizontal FL is applicable when the clients share the same feature space but differ in sample space, whereas vertical FL is appropriate when the clients share the same sample space but differ in feature space. When clients have small overlaps in both sample and feature space, federated transfer learning is more suitable.
From an optimization point of view, Federated Stochastic Gradient Descent (FedSGD) and Federated Averaging (FedAvg) are the most used methods. In FedSGD, each client sends every Stochastic Gradient Descent (SGD) update to the server, while in FedAvg, each client performs a number of iterations (called epochs) over a local mini-batch and then sends the updated model to the server. In our study, we follow the horizontal FL case and FedAvg, as it is more communication efficient. Hence, in each iteration, the clients (UEs) train on their local batch and send the resulting model back to the server located in a centralized network site via uplink signals (hereafter we call the centralized network site the gNB, but this work is not limited to 5G, as it could be adopted in 6G networks). The server then aggregates the models by averaging the corresponding weights and shares the aggregated model with the clients (UEs) in the downlink.
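The server-side aggregation step described above can be sketched as follows. This is a minimal illustrative implementation, not the paper's code; it uses the standard sample-count-weighted FedAvg average, which reduces to a plain average when all clients hold equally sized datasets.

```python
import numpy as np

def fedavg(client_weights, client_sizes):
    """Aggregate per-client model weights by a weighted average (FedAvg).

    client_weights: list (one entry per client) of lists of np.ndarray,
                    each inner list holding the layer weights of one model.
    client_sizes:   number of local training samples per client.
    """
    total = sum(client_sizes)
    num_layers = len(client_weights[0])
    averaged = []
    for layer in range(num_layers):
        # Weight each client's layer by its share of the total data.
        agg = sum(w[layer] * (n / total)
                  for w, n in zip(client_weights, client_sizes))
        averaged.append(agg)
    return averaged
```

The aggregated weights are then sent back to the clients in the downlink, and the next round begins from this common model.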
Due to the nature of its operation, FL exhibits considerable advantages for the mobile network, described as follows:
• Exchange of learnings among clients (UEs): The individual learning of each UE is shared with the others when building the global model. This sharing could be global among all UEs (e.g., when no clustering is employed before aggregating), or it could be cluster-based (e.g., when clustering for a specific type of service or UE is deployed before aggregating [6]).
• Privacy: Since training is performed locally, FL preserves UE information privacy. The original operation of FL does not require the UE to send its private information (e.g., UE location) to the gNB or to reveal its identity. Instead, it learns from aggregated information produced by multiple UEs.
• Efficient network footprint: the amount of signaling required from UEs at the gNB is reduced, since only the gradients of the model's weights need to be sent.

B. Privacy Concerns
FL is a big step towards enabling privacy-aware model training, as it aims at joint model training by sharing only the necessary parameters and not client data. On the other hand, recent studies demonstrate sophisticated privacy attacks that exploit the observed gradients or the collected inference results. Privacy attacks on FL such as membership inference [7], attribute property inference [8], deep leakage [9], and model extraction [10] may be mounted by a malicious client or the server trying to infer sensitive information during the training or inference phase. The adversarial goal of privacy attacks is to gain more information about the training data and the ML model parameters. The attacker may try to determine whether a specific client's data was included in the training dataset, called membership inference, or try to infer certain properties of other clients' training data which are not explicitly shared, called property inference. In model extraction attacks, the attacker uses a prediction interface as an oracle to obtain the structure of the model by inspecting the probabilities returned for each class. Deep leakage attacks attempt to infer both training inputs and labels, which is more dangerous since the raw training data can be extracted [9].
From the solution perspective, existing methodologies including DP, Homomorphic Encryption (HE), and Secure Multi-Party Computation (SMPC) are investigated in the literature. However, for large-scale FL scenarios and cross-device settings, HE and SMPC may not be the best options as they introduce additional computation and communication overhead. DP satisfies the constraints at the cost of reduced accuracy, which is controllable via the privacy budget.

C. Differential Privacy
DP provides a mathematically provable guarantee of privacy protection based on the available privacy budget, which limits the amount of difference that an individual's participation can generate. Hence, DP prevents distinguishing whether or not an individual's data is included in the training.
Definition: A randomized mechanism M is (ε, δ)-differentially private if, for any subset S of the output range of M, and for all datasets D1 and D2 differing in a single entry [11]:
Pr[M(D1) ∈ S] ≤ e^ε · Pr[M(D2) ∈ S] + δ.
This formulation is called (ε, δ)-differential privacy, where δ is the relaxation parameter. ε is the control parameter for the privacy level, denoting the privacy budget. δ limits the probability that the privacy guarantee will not hold; in other words, the probability of information accidentally being leaked. The best practice is to set δ to be less than the inverse of the data size. In the context of FL, the D1 and D2 datasets correspond to client (in our case, UE) training datasets. Adjacent datasets are those where D2 can be formed from D1 by adding or removing all the training samples associated with a single client. This approach is called user-level privacy [12].
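The (ε, δ) guarantee can be checked numerically on the classic randomized-response mechanism, which is not the mechanism used in this paper but is the simplest example where the bound holds with δ = 0. Reporting a private bit truthfully with probability p yields ε = ln(p/(1−p)):

```python
import math

def rr_probs(true_bit, p):
    # Randomized response: output the true bit with probability p,
    # the flipped bit with probability 1 - p.
    return {true_bit: p, 1 - true_bit: 1 - p}

p = 0.75
eps = math.log(p / (1 - p))  # ε of randomized response, here ln(3)

# Neighboring "datasets": a single entry flipped from 0 to 1.
d1, d2 = rr_probs(0, p), rr_probs(1, p)
for s in (0, 1):
    # Check Pr[M(D1) = s] <= e^ε * Pr[M(D2) = s] in both directions (δ = 0).
    assert d1[s] <= math.exp(eps) * d2[s] + 1e-12
    assert d2[s] <= math.exp(eps) * d1[s] + 1e-12
```

The bound is tight here: the worst-case output ratio is exactly e^ε, which is why ε directly quantifies how distinguishable the two neighboring datasets are.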
There are two different DP implementations in the FL setting, called Central DP and Local DP. The difference comes from the trust relation. In Central DP, noise is added by and controlled at the server that aggregates the updates, so the clients trust the server. Local DP lets each client control and add noise for cases in which the server is not trusted by the clients. Although Local DP allows individual clients to set different local privacy guarantees and removes the trusted-server assumption, it reduces the model accuracy. In our case, we use Central DP, where the noise is controlled by the gNB.
Privacy accounting is essential in DP as it is the control mechanism for the privacy versus accuracy trade-off. The mechanism to control and track privacy uses the moments accountant method [13]. It assures that the privacy budget defined via the (ε, δ) parameters stays within the allowed limit. In FL, privacy accounting for multiple iterations can be done using the composability feature of DP to compute and accumulate the privacy cost at each round of training.

III. PROPOSED SOLUTION

A. System Model
Signal quality (either layer-1 Channel State Information-Reference Signal (CSI-RS) or layer-3 "RSRP") prediction is an important feature that can be obtained with the introduction of intelligent and proactive management of the network resources. In the legacy system, RSRP measurements are obtained by measuring the reference signal in CSI-RS and are then reported back to the network in a specific configuration. Instead of reporting legacy RSRP, reporting predicted RSRP to the network could be used to proactively 1) perform a handover (HO) or allow the UE to perform a conditional handover, or 2) switch beams or carriers for a UE to prevent service interruption. For instance, the UE must report the predicted RSRP when the network needs to decide, whereas it could report its own predicted decision in a scenario like conditional HO.
In order for the UE to predict such RSRP, it requires inputs and output labels to train the UE model (as illustrated in a later section). The input of the learning model is the UE location, and not any other feature (e.g., timing advance (TA)), because running feature importance shows that location is one of the most critical features, and because other features like TA would introduce signaling overhead. The training label is obtained from the CSI-RS reference signal.

B. RSRP Prediction via FL
An ML model is created at the gNB and shared with the clients (UEs), where each UE trains its individual model by mapping geographical location features to RSRP measurements of the serving carrier/cell. Let the dataset throughout the network be defined as D = {(x_i^k, y_i^k)}, i = 1, …, n_k, k = 1, …, K, where x_i^k ∈ ℝ^d represents the feature space and d is the number of features, y_i^k denotes the output label per sample i, k is the UE index out of K UEs, and i is the dataset sample index. The training algorithm finds the estimated function f̂(x; w), with model parameters w, for the unknown function f(x) that maps the UE location information to RSRP information. The features x contain only geographical location information of the UEs, i.e., latitude and longitude, and the labels y consist of the maximum measured RSRP values over all beams. The prediction problem is thus formulated to establish a relation between the geographical location and the highest RSRP values. Since the features contain sensitive information, learning is performed in a federated framework over the UEs. The global model minimizes the objective function
min_w F(w), where F(w) = (1/K) Σ_{k=1}^{K} F_k(w),
i.e., the global objective function is the average of the local objective functions of the UEs. Herein, the local objective functions are defined via the global loss function ℓ evaluated on the local dataset (x_i^k, y_i^k) of the k-th UE:
F_k(w) = (1/n_k) Σ_{i=1}^{n_k} ℓ(w; x_i^k, y_i^k).
After local training, each UE sends its trained model parameters to the gNB. The gNB aggregates the parameters using FedAvg and sends the updated model parameters back to the UEs; these parameters contain an implicit mapping of all UEs' locations to RSRP, embedded by local training.
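A full FL round of this scheme can be sketched end to end. The snippet below is a deliberately simplified stand-in: it uses a linear model and synthetic per-UE data (a hypothetical linear ground truth from location-like features to RSRP-like labels) instead of the paper's neural network and measurement dataset, but the round structure (local training, then FedAvg at the gNB) is the same:

```python
import numpy as np

rng = np.random.default_rng(0)

def local_sgd(w, X, y, lr=0.05, epochs=5):
    """A few epochs of full-batch gradient descent on squared error,
    standing in for each UE's local training step."""
    for _ in range(epochs):
        grad = 2 * X.T @ (X @ w - y) / len(y)
        w = w - lr * grad
    return w

# Synthetic per-UE datasets: features play the role of (latitude,
# longitude), labels the role of measured RSRP; the linear ground
# truth is purely illustrative.
true_w = np.array([1.5, -2.0])
clients = []
for _ in range(4):
    X = rng.normal(size=(50, 2))
    y = X @ true_w + 0.1 * rng.normal(size=50)
    clients.append((X, y))

w_global = np.zeros(2)
for _ in range(20):                      # FL rounds
    locals_ = [local_sgd(w_global, X, y) for X, y in clients]
    w_global = np.mean(locals_, axis=0)  # FedAvg at the gNB
```

After a handful of rounds the global parameters approach the shared ground truth even though no client ever reveals its raw (location, RSRP) samples, which is the point of the federated formulation above.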

C. RSRP Prediction via Differentially Private FL
The differential privacy mechanism perturbs the averaged updates at the gNB using a randomized Gaussian mechanism. The purpose of the randomization is to hide each UE's contribution within the federated aggregation and thus within the learning procedure.
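A minimal sketch of this Central-DP aggregation step, under the assumption (consistent with Sections II-C and IV) that each UE's update is clipped to an L2 norm of c before averaging and that the Gaussian noise is scaled by the noise multiplier z:

```python
import numpy as np

def dp_fedavg_round(updates, clip_c, noise_z, rng):
    """Central-DP aggregation sketch: clip each client update to L2 norm
    clip_c, average, then add Gaussian noise controlled by the server
    (gNB) with standard deviation noise_z * clip_c / K."""
    clipped = []
    for u in updates:
        norm = np.linalg.norm(u)
        clipped.append(u if norm == 0 else u * min(1.0, clip_c / norm))
    avg = np.mean(clipped, axis=0)
    # After clipping, one client can move the average by at most
    # clip_c / K, which is the sensitivity the noise is scaled to.
    sigma = noise_z * clip_c / len(updates)
    return avg + rng.normal(scale=sigma, size=avg.shape)
```

With z = 0 this degenerates to plain clipped FedAvg; increasing z buys more privacy per round at the cost of noisier (less accurate) global updates, which is exactly the trade-off evaluated in Section IV-C.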

D. Threat Model
In our study, we consider the UEs not to be malicious during training activities. The UEs obey the FL steps and do not try to inject malformed data to poison the model or to alter the protocol. The gNB, as the FL server, is considered a trusted data aggregator, i.e., it follows the FL steps and does not attempt to share parameters with anyone. Our framework protects the model against untrusted analysts who can send queries through an inference interface and try to infer sensitive information by collecting model inference results.

IV. IMPLEMENTATION AND EVALUATION

A. Simulation Environment
We realized our implementation in the TensorFlow environment. Keras, a high-level ML API, is used to define a Neural Network (NN) in TensorFlow. Federated computations on decentralized data are performed with the TensorFlow Federated (TFF) framework. The corresponding NN is created using Keras and comprises an input layer, an output layer, and 3 hidden layers of 10 neurons each. To measure the training loss, Mean Squared Error (MSE) is used.
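For illustration, the described architecture (2 location inputs, three hidden layers of 10 neurons, 1 RSRP output, MSE loss) can be written as a framework-free NumPy forward pass. This is a sketch, not the paper's Keras/TFF code; the ReLU activation on the hidden layers is our assumption, as the paper does not state which activation was used:

```python
import numpy as np

rng = np.random.default_rng(42)

# Layer sizes per the paper: 2 inputs (latitude, longitude), three
# hidden layers of 10 neurons each, and 1 output (predicted RSRP).
sizes = [2, 10, 10, 10, 1]
weights = [rng.normal(scale=0.5, size=(m, n)) for m, n in zip(sizes, sizes[1:])]
biases = [np.zeros(n) for n in sizes[1:]]

def forward(x):
    """Forward pass: ReLU (assumed) on hidden layers, linear output."""
    for i, (W, b) in enumerate(zip(weights, biases)):
        x = x @ W + b
        if i < len(weights) - 1:
            x = np.maximum(x, 0.0)
    return x

def mse(pred, target):
    """Mean Squared Error, the training loss used in the paper."""
    return float(np.mean((pred - target) ** 2))
```

In the actual setup, this model is the one whose weights are exchanged and averaged in each FL round.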
We integrated DP using the TensorFlow Privacy library, which enables us to analyze the performance of our implementation by turning DP on and off. The TensorFlow Privacy library gives the opportunity to set different privacy levels by adjusting privacy hyper-parameters such as the noise multiplier (z), the gradient clip-scale (c), and the batch size (B). In our setup, we used a fixed clip-scale for all updates. In performance evaluation subsection C, we provide the impact of these parameters. The experimental setup of our implementation is described in Table 1.

B. Dataset
We ran a measurement campaign in a real-life environment with a realistic base station and UEs, conducted in an urban environment in Stockholm, Sweden. Fig. 2 illustrates the longitude and latitude values, X(m) and Y(m), with respect to a reference coordinate; the color map indicates the RSRP values in dB scale obtained on the 3.5 GHz carrier over the evaluation area. The RSRP measurements collected over multiple days and locations are gathered in a single gNB node. The data generated over a specific region or during a specific period is assigned a client tag, i.e., k-th client, and is denoted as in eq. (5), where i is the sample id and D is the number of sequential samples per region or period, which can vary for each UE.
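The per-client partitioning described above can be sketched as a small grouping utility. The function name and interface are illustrative, not from the paper; it only demonstrates tagging samples by region/period into variable-size client datasets:

```python
import numpy as np

def partition_by_region(samples, labels, region_ids):
    """Group (location, RSRP) samples into per-client datasets.

    All samples collected over one region or period share a client tag
    (the k-th client), and client dataset sizes may differ, as in the
    measurement campaign described in the text.
    """
    clients = {}
    for x, y, k in zip(samples, labels, region_ids):
        clients.setdefault(k, ([], []))
        clients[k][0].append(x)
        clients[k][1].append(y)
    return {k: (np.array(xs), np.array(ys))
            for k, (xs, ys) in clients.items()}
```

Each resulting entry then plays the role of one UE's local dataset in the FL training.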

C. Performance Evaluation
In this section, the Mean Absolute Percentage Error (MAPE) and epsilon (ε) are evaluated to show the impact of c, B, and z during FL training.
Fig. 3 demonstrates how different c values impact the training evaluation loss in terms of MAPE over FL rounds when the noise multiplier is z=1 and the batch size is B=100. Less gradient clipping, e.g., c={0.7, 1}, results in faster convergence but a higher error with oscillations, because not only does the noise variance increase, but the gradients' sensitivity to the noise also differs among clients. Conversely, as c decreases, the convergence becomes more stable. Therefore, the clip-scale is chosen based on stability and convergence rate. Further, the privacy spent from the privacy budget increases as the number of training rounds increases, i.e., as MAPE decreases, ε (shown as privacy spent in Fig. 3) increases, meaning that privacy decreases. Higher clip-scale values converge faster, i.e., require fewer rounds, and thus result in better privacy (lower ε), but the clip-scale should have an upper bound for sensitivity reasons. Given the setting in Table 1, for c=0.1, the processing time of running the experiment is around 25 minutes.

Fig. 4 shows that B affects the clip-scale adjustment. When c is low (more clipping), a bigger B can be used for faster convergence, so less privacy is spent from the privacy budget. When c is high, e.g., 0.7, a bigger B impacts the norm of the gradient vector, and hence the sensitivity to the noise, so MAPE eventually oscillates.

Fig. 5 shows that MAPE increases with an increasing noise multiplier. How much accuracy is lost by turning on DP can be seen by comparing with the No DP results, given by the black dotted line. This shows the trade-off between utility and privacy: to gain more privacy, one needs to sacrifice accuracy. If the noise multiplier is set too high, the training will not converge, as in the settings for z≥10.

Fig. 6 demonstrates that more privacy is spent as FL training continues over more rounds, and that higher z values enhance privacy.
However, one needs to consider the convergence while increasing the noise multiplier.
V. RELATED WORK

ML technologies are used to predict different 5G metrics. For instance, the authors of [14] proposed a procedure to predict the strongest (highest RSRP) secondary serving cell. In their proposal, the gNB does not require further signaling from the UE but only uses existing 3GPP signals, i.e., timing advance and primary cell RSRP. Another work downloads an auto-encoder ML model to enable the UE to estimate radio measurements and reduce the signals transmitted to the network [15]; this auto-encoder is already trained on the network side and then downloaded to the UEs. Also, the authors of [16] proposed a dual threshold-based classification to enhance reference signal received quality prediction.

FL has been investigated intensively for 5G-beyond applications. A comprehensive review of the application of FL over 6G networks is given in [17] and [18]. The authors of [19] proposed an FL scheme to predict the mmWave beamforming vector. In the proposed scheme, the users train the beamforming vector predictor network and share it with the network without sharing their data. Another interesting application of FL to 5G-beyond networks is the usage of Gaussian process regression to track Channel State Information (CSI) by UEs [20]. The authors of [21] proposed digital and compressed analog distributed SGD to enable opportunistic scheduling of UEs based on channel conditions.
Preserving the privacy and security of FL schemes is of main interest in 5G and beyond networks. The authors of [22] designed a blockchain-based FL framework to achieve secure and reliable FL, which also considers DP against inference attacks. In vehicular networks, the authors of [23] introduced DP into the gradient descent training scheme. In a 5G social Internet-of-Things context, the authors of [24] proposed a hybrid data and content privacy-preserving scheme incorporating Bayesian DP and a new encryption method.
Our work differs from the existing literature in multiple aspects. Compared to works that addressed RSRP prediction, we propose to use only the UE location, in a federated learning context. Compared to existing works that utilized FL to predict CSI for 5G or 6G applications, we propose the usage of differential privacy in addition to FL to protect the model against inference attacks. We also consider our work to be the first of its kind to use a realistic dataset in an FL context with a privacy-preserving technique.

VI. CONCLUSION
This paper demonstrates a privacy-preserving federated approach for an RSRP prediction framework and focuses on two important aspects: (i) the geographical location of UEs as a feature in an FL framework to predict RSRP, and (ii) bringing a privacy guarantee to the FL framework against inference attacks.
The FL training is performed locally on the UEs using the location information. The local datasets, i.e., UE locations and the targeted RSRP measure, are acquired from a real-life environment with a realistic base station and UEs over multiple days and different areas. The local updates are aggregated at the gNB without accessing any location information. Our evaluation results showed that our model can successfully predict RSRP values with a 19% loss in terms of MAPE. We enabled DP during the training phase to prevent privacy attacks on the resulting model and presented the impact of the DP parameters by turning DP on and off. RSRP estimation via differentially private FL not only enables location-aware communications and enhances the robustness of beam management and mobility, but also preserves the privacy of the UEs.