Towards General Deep Leakage in Federated Learning

Jiahui Geng,Yongli Mou,Feifei Li,Qing Li,Oya Beyan,Stefan Decker,Chunming Rong
DOI: https://doi.org/10.48550/arXiv.2110.09074
2022-01-26
Abstract:Unlike traditional central training, federated learning (FL) improves the performance of the global model by sharing and aggregating local models rather than local data to protect the users' privacy. Although this training approach appears secure, some research has demonstrated that an attacker can still recover private data based on the shared gradient information. This on-the-fly reconstruction attack deserves to be studied in depth because it can occur at any stage of training, whether at the beginning or at the end of model training; no relevant dataset is required and no additional models need to be trained. We break through some unrealistic assumptions and limitations to apply this reconstruction attack in a broader range of scenarios. We propose methods that can reconstruct the training data from shared gradients or weights, corresponding to the FedSGD and FedAvg usage scenarios, respectively. We propose a zero-shot approach to restore labels even if there are duplicate labels in the batch. We study the relationship between the label and image restoration. We find that image restoration fails even if there is only one incorrectly inferred label in the batch; we also find that when batch images have the same label, the corresponding image is restored as a fusion of that class of images. Our approaches are evaluated on classic image benchmarks, including CIFAR-10 and ImageNet. The batch size, image quality, and the adaptability of the label distribution of our approach exceed those of GradInversion, the state-of-the-art.
Machine Learning,Artificial Intelligence
What problem does this paper attempt to address?
The problem that this paper attempts to solve is in Federated Learning (FL), how to recover training data, especially images and labels, from shared gradient or weight information. Although Federated Learning aims to protect user privacy by sharing local models rather than raw data, research shows that attackers can still use shared gradient information to reconstruct private data. Therefore, this research aims to break through the limitations of existing methods and propose more widely applicable data recovery methods, especially in the following aspects: 1. **Handling duplicate labels**: Existing methods cannot handle the situation where there are duplicate labels in batch - processed data, while this paper proposes a method that can handle this situation. 2. **Jointly evaluating the quality of image and label recovery**: Previous studies evaluated image recovery and label recovery tasks independently and did not explore the mutual influence between them. This paper takes into account the correlation between the two simultaneously. 3. **Recovering images from weight differences**: Existing methods are limited when using the FedAvg algorithm with batch size and local rounds greater than 1. This paper attempts to overcome these limitations. ### Specific problem description #### 1. Challenges in data recovery - Existing methods cannot handle the situation where there are duplicate labels in batch - processed data. - Image recovery and label recovery tasks are usually evaluated independently and their mutual influence has not been discussed. - The methods for recovering images from weight differences are very limited, especially under the FedAvg algorithm, where the batch size and local rounds are usually greater than 1. #### 2. Proposed solutions - **Zero - sample batch label recovery**: A zero - sample batch label recovery method that is not restricted by label distribution is proposed. - **Improving image initialization and regularization**: Two regularization terms (cropping and scaling) are introduced to improve the quality of image reconstruction, and a specific image initialization method is recommended. - **Multi - update consistency**: The consistency of multiple updates is utilized to improve the recovery results. - **Recovering data from weights**: A framework is designed to recover data from shared gradients and weights, especially for applications in the FedAvg scenario. - **Image alignment**: Image alignment is performed based on image similarity to eliminate the ambiguity caused by inconsistent order. ### Method overview #### 3.1 Reconstruction function The reconstruction attack is defined as an optimization problem, including gradient - matching loss and auxiliary regularization terms: \[ \hat{x}^*, \hat{y}^*=\arg \min_{\hat{x}, \hat{y}}\left[L_{g m}(\hat{x}, \hat{y}, W, \nabla W)+R_{a u x}(\hat{x})\right] \] #### 3.2 Zero - sample batch label recovery By analyzing the gradient information of the fully - connected layer, a zero - sample batch label recovery method is proposed to solve the problem of duplicate labels. #### 3.3 Auxiliary regularization To ensure that the recovered image pixel values are reasonable, two regularization terms are introduced: \[ R_{c l i p}(\hat{x})=\|\hat{x}-\text { clip }(\hat{x})\|^{2} \] \[ R_{s c a l e}(\hat{x})=\|\hat{x}-\text { scale }(\hat{x})\|^{2} \] #### 3.4 Multi - update consistency By increasing the number of known weight and gradient pairs, the accuracy of the recovery results is improved. #### 3.4 Multi - update consistency By increasing the number of known weight and gradient pairs, the accuracy of the recovery results is improved. #### 3.5 Recovering data from weights For the FedAvg algorithm, a method for recovering data from weight updates is proposed, using the average model difference as a fake gradient. #### 3.6 Image alignment Image alignment is performed based on image similarity to reduce the ambiguity caused by inconsistent order. ### Experimental results The experimental results show that the method proposed in this paper is significantly superior to the existing GradInversion method on the CIFAR - 10 and ImageNet datasets, especially when dealing with duplicate labels and large - batch data.