User-level privacy preservation for federated machine learning

What is claimed is: 1 . A computer-implemented method, comprising: performing a plurality of training rounds of a federated machine learning system, wherein a training round of the plurality of training rounds comprises: receiving, at a portion of a plurality of clients of the federated machine learning system, a federated learning model from an aggregation server of the federated machine learning system, the federated learning model comprising one or more training updates from a previous training round of the plurality of training rounds; performing at respective clients of the portion of the plurality of clients: training the received machine learning model using a dataset private to the respective client to generate one or more parameter updates; applying a respective gradient to individual ones of the one or more parameter updates, the respective gradient determined by modifying an average gradient, computed based at least in part on at least a portion of the private dataset, by a noise value scaled to provide a local differential privacy guarantee for the respective client; and sending the one or more parameter updates to the aggregation server; collecting, at the aggregation server, the respective parameter updates from the portion of the plurality of clients; and revising the federated learning model according to an aggregation of the respective received parameter updates of the portion of the plurality of clients. 2 . The computer-implemented method of claim 1 , wherein the average gradient is clipped by a global threshold, and wherein the noise value is determined according to a gaussian distribution. 3 . The computer-implemented method of claim 1 , wherein the applying of the respective noise values to the individual ones of the one or more parameter updates comprises: clipping the individual ones of the one or more parameter updates by a global threshold; and modifying the individual ones of the one or more parameter updates by a noise value determined according to a gaussian distribution. 4 . The computer-implemented method of claim 1 , wherein the applying of the respective noise values to the individual ones of the one or more parameter updates comprises determining a noise value proportional to: a privacy loss bound received from the aggregation server; or a privacy loss bound determined the respective client. 5 . The computer-implemented method of claim 1 , wherein applying the respective noise values to individual ones of the one or more parameter updates provides differential privacy for the private dataset of the respective client. 6 . The computer-implemented method of claim 1 , wherein the receiving, performing, training, applying, sending, collecting and revising are performed for a single training round of a plurality of training rounds of the federated machine learning system, and wherein individual ones of the plurality of training rounds use different portions of the plurality of clients. 7 . The computer-implemented method of claim 1 , wherein training the received machine learning model comprises using a mini-batch of the dataset private to the respective client to generate the one or more parameter updates. 8 . A system, comprising: a plurality of clients of a federated machine learning system respectively comprising at least a processor and memory, wherein individual clients of at least a portion of the plurality of clients are configured to perform a plurality of training rounds of the federated machine learning system, wherein to perform a training round of the plurality of training rounds the plurality of clients are individually configured to: receive a federated learning model from an aggregation server of the federated machine learning system, the federated learning model comprising one or more training updates from a previous training round of the plurality of training rounds; train the received machine learning model using a private dataset to generate one or more parameter updates; and apply a respective gradient to individual ones of the one or more parameter updates, the respective gradient determined by modifying an average gradient, computed based at least in part on at least a portion of the private dataset, by a noise value scaled to provide a local differential privacy guarantee for the respective client; and send the one or more parameter updates to the aggregation server; the aggregation server of the federated machine learning system, wherein for individual training rounds of the plurality of training rounds the aggregation server is configured to: collect the respective parameter updates from the individual clients of the portion of the plurality of clients; and revise the federated learning model according to an aggregation of the respective received parameter updates. 9 . The system of claim 8 , wherein the average gradient is clipped by a global threshold, and wherein the noise value is determined according to a gaussian distribution. 10 . The system of claim 8 , wherein to apply the respective noise values to the individual ones of the one or more parameter updates, the individual clients of the portion of the plurality of clients are configured to: clip the individual ones of the one or more parameter updates by a global threshold; and modify the individual ones of the one or more parameter updates by a noise value determined according to a gaussian distribution. 11 . The system of claim 8 , wherein to apply the respective noise values to the individual ones of the one or more parameter updates, the individual clients of the portion of the plurality of clients are configured to: determine a noise value proportional to a global threshold received from the aggregation server, the global threshold bounding sensitivity of the federated learning model to the one or more parameter updates. 12 . The system of claim 8 , wherein the respective noise values are applied to individual ones of the one or more parameter updates to provide differential privacy for the private dataset of the respective client. 13 . The system of claim 8 , wherein the receiving, performing, training, applying, sending, collecting and revising are performed for a single training round of a plurality of training rounds of the federated machine learning system, and wherein the federated machine learning system is configured to use different portions of the plurality of clients for respective rounds of the plurality of training rounds. 14 . The system of claim 8 , wherein to train the received machine learning model the portion of the individual clients of the plurality of clients are configured to train the received machine learning model using a mini-batch of the dataset private to the respective client to generate the one or more parameter updates. 15 . One or more non-transitory computer-accessible storage media storing program instructions that when executed on or across one or more computing devices cause the one or more computing devices to perform: executing a plurality of training rounds of a federated machine learning system, wherein a training round of the plurality of training rounds comprises: receiving, at a client of a plurality of clients of a federated machine learning system, a federated learning model from an aggregation server of the federated machine learning system, the federated learning model comprising one or more training updates from a previous training round of the plurality of training rounds; and performing at the client: training the received machine learning model using a dataset private to the respective client t