Yichuan Shi,Olivera Kotevska,Viktor Reshniak,Abhishek Singh,Ramesh Raskar

2024-05-17

Abstract:Federated Learning (FL) has emerged as a leading paradigm for decentralized, privacy preserving machine learning training. However, recent research on gradient inversion attacks (GIAs) have shown that gradient updates in FL can leak information on private training samples. While existing surveys on GIAs have focused on the honest-but-curious server threat model, there is a dearth of research categorizing attacks under the realistic and far more privacy-infringing cases of malicious servers and clients. In this paper, we present a survey and novel taxonomy of GIAs that emphasize FL threat models, particularly that of malicious servers and clients. We first formally define GIAs and contrast conventional attacks with the malicious attacker. We then summarize existing honest-but-curious attack strategies, corresponding defenses, and evaluation metrics. Critically, we dive into attacks with malicious servers and clients to highlight how they break existing FL defenses, focusing specifically on reconstruction methods, target model architectures, target data, and evaluation metrics. Lastly, we discuss open problems and future research directions.

Cryptography and Security,Artificial Intelligence

Haomiao Yang,Mengyu Ge,Dongyun Xue,Hongwei Li,Kunlan Xiang,Rongxing Lu

DOI: https://doi.org/10.1109/MNET.001.2300140

IF: 10.294

2024-03-01

IEEE Network

Abstract:Federated learning (FL) is a distributed deep learning framework that has become increasingly popular in recent years. Essentially, FL supports numerous participants and the parameter server to co-train a deep learning model through shared gradients without revealing the private training data. Recent studies, however, have shown that a potential adversary (either the parameter server or participants) can recover private training data from the shared gradients, and such behavior is called gradient leakage attacks (GLAs). In this study, we first present an overview of FL systems and outline the GLA philosophy. We classify the existing GLAs into two paradigms: optimizationbased and analytics-based attacks. In particular, the optimization-based approach defines the attack process as an optimization problem, whereas the analytics-based approach defines the attack as a problem of solving multiple linear equations. We present a comprehensive review of the state-of-the-art GLA algorithms followed by a detailed comparison. Based on the observations of the shortcomings of the existing optimization-based and analytics-based methods, we devise a new generation-based GLA paradigm. We demonstrate the superiority of the proposed GLA in terms of data reconstruction performance and efficiency, thus posing a greater potential threat to federated learning protocols. Finally, we pinpoint a variety of promising future directions for GLA.

Computer Science

K. Chugh,V. Sakhuja,A. Agarwal,V. Jha,K. Joshi,B. Datta,A. Gupta,K. Gupta

DOI: https://doi.org/10.1093/NDT/8.8.690

Abstract:Sixty-three patients, (52 males and 11 females) from 28 kindreds of hereditary nephritis (Alport's syndrome) were identified over a 14-year period from 1977 to 1991. Group I included 51 patients with (a) positive family history of haematuria with or without chronic renal failure, (b) characteristic GBM changes on electron-microscopy, (c) characteristic ocular signs, and (d) high-frequency sensorineural deafness. Group II included 12 patients with a negative family history. All of them had evidence of renal disease with characteristic ocular signs and deafness and four had characteristic GBM changes on electron-microscopy. The main clinical features were haematuria in 96.8%, deafness in 82.5%, and diminished visual acuity in 66.7% of affected subjects. Hypertension was present in 71.4% patients. Pure tone audiometry revealed high-frequency sensorineural deafness in 96.8%. Ocular examination showed bilateral anterior lenticonus in 37.8%, retinal flecks in 22.2%, cataract in 20%, and keratoconus in 6.7% patients. Proteinuria (> 2.0 g/24 h) was detected in 31.8%. Sixteen (57.1%) of the 28 index patients (all males) were diagnosed for the first time when they presented with end-stage renal disease. Serum creatinine in the overall group ranged from 0.9 to 18.7 mg/dl(7.81 +/- 5.37 mg/dl). Adequate renal tissue was obtained by biopsy in 14 patients. Light-microscopy revealed focal segmental glomerulosclerosis in five, mesangial proliferation in four, chronic interstitial nephritis in three, and mesangiocapillary and crescentic glomerulonephritis in one each. Electron-microscopy showed characteristic changes in the GBM in seven specimens.(ABSTRACT TRUNCATED AT 250 WORDS)

Bowen Li,Hanlin Gu,Ruoxin Chen,Jie Li,Chentao Wu,Na Ruan,Xueming Si,Lixin Fan

DOI: https://doi.org/10.48550/arxiv.2306.07883

2023-01-01

Abstract: Federated Learning (FL) has emerged as a promising approach for collaborative model training without sharing private data. However, privacy concerns regarding information exchanged during FL have received significant research attention. Gradient Inversion Attacks (GIAs) have been proposed to reconstruct the private data retained by local clients from the exchanged gradients. While recovering private data, the data dimensions and the model complexity increase, which thwart data reconstruction by GIAs. Existing methods adopt prior knowledge about private data to overcome those challenges. In this paper, we first observe that GIAs with gradients from a single iteration fail to reconstruct private data due to insufficient dimensions of leaked gradients, complex model architectures, and invalid gradient information. We investigate a Temporal Gradient Inversion Attack with a Robust Optimization framework, called TGIAs-RO, which recovers private data without any prior knowledge by leveraging multiple temporal gradients. To eliminate the negative impacts of outliers, e.g., invalid gradients for collaborative optimization, robust statistics are proposed. Theoretical guarantees on the recovery performance and robustness of TGIAs-RO against invalid gradients are also provided. Extensive empirical results on MNIST, CIFAR10, ImageNet and Reuters 21578 datasets show that the proposed TGIAs-RO with 10 temporal gradients improves reconstruction performance compared to state-of-the-art methods, even for large batch sizes (up to 128), complex models like ResNet18, and large datasets like ImageNet (224*224 pixels). Furthermore, the proposed attack method inspires further exploration of privacy-preserving methods in the context of FL.

Haotian Liang,Youqi Li,Chuan Zhang,Ximeng Liu,Liehuang Zhu

DOI: https://doi.org/10.1109/tifs.2023.3302161

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Federated learning (FL) has achieved state-of-the-art performance in distributed learning tasks with privacy requirements. However, it has been discovered that FL is vulnerable to adversarial attacks. The typical gradient inversion attacks primarily focus on attempting to obtain the client's private input in a white-box manner, where the adversary is assumed to be either the client or the server. However, if both the clients and the server are honest and fully trusted, is the FL secure? In this paper, we propose a novel method called External Gradient Inversion Attack (EGIA) in the grey-box settings. Specifically, we concentrate on the point that public-shared gradients in FL are always transmitted through the intermediary nodes, which has been widely ignored. On this basis, we demonstrate that an external adversary can reconstruct the private input using gradients even if both the clients and the server are honest and fully trusted. We also provide a comprehensive theoretical analysis of the black-box attack scenario in which the adversary has only the gradients. We perform extensive experiments on multiple real-world datasets to test the effectiveness of EGIA. The outcomes of our experiments validate that the EGIA method is highly effective.

Jin Qian,Kaimin Wei,Yongdong Wu,Jilian Zhang,Jipeng Chen,Huan Bao

2024-05-06

Abstract:Federated learning (FL) has emerged as a privacy-preserving machine learning approach where multiple parties share gradient information rather than original user data. Recent work has demonstrated that gradient inversion attacks can exploit the gradients of FL to recreate the original user data, posing significant privacy risks. However, these attacks make strong assumptions about the attacker, such as altering the model structure or parameters, gaining batch normalization statistics, or acquiring prior knowledge of the original training set, etc. Consequently, these attacks are not possible in real-world scenarios. To end it, we propose a novel Gradient Inversion attack based on Style Migration Network (GI-SMN), which breaks through the strong assumptions made by previous gradient inversion attacks. The optimization space is reduced by the refinement of the latent code and the use of regular terms to facilitate gradient matching. GI-SMN enables the reconstruction of user data with high similarity in batches. Experimental results have demonstrated that GI-SMN outperforms state-of-the-art gradient inversion attacks in both visual effect and similarity metrics. Additionally, it also can overcome gradient pruning and differential privacy defenses.

Machine Learning

Jiaheng Wei,Yanjun Zhang,Leo Yu Zhang,Chao Chen,Shirui Pan,Kok-Leong Ong,Jun Zhang,Yang Xiang

DOI: https://doi.org/10.48550/arXiv.2309.07415

2023-09-14

Cryptography and Security

Abstract:Federated Learning (FL) enables distributed participants (e.g., mobile devices) to train a global model without sharing data directly to a central server. Recent studies have revealed that FL is vulnerable to gradient inversion attack (GIA), which aims to reconstruct the original training samples and poses high risk against the privacy of clients in FL. However, most existing GIAs necessitate control over the server and rely on strong prior knowledge including batch normalization and data distribution information. In this work, we propose Client-side poisoning Gradient Inversion (CGI), which is a novel attack method that can be launched from clients. For the first time, we show the feasibility of a client-side adversary with limited knowledge being able to recover the training samples from the aggregated global model. We take a distinct approach in which the adversary utilizes a malicious model that amplifies the loss of a specific targeted class of interest. When honest clients employ the poisoned global model, the gradients of samples belonging to the targeted class are magnified, making them the dominant factor in the aggregated update. This enables the adversary to effectively reconstruct the private input belonging to other clients using the aggregated update. In addition, our CGI also features its ability to remain stealthy against Byzantine-robust aggregation rules (AGRs). By optimizing malicious updates and blending benign updates with a malicious replacement vector, our method remains undetected by these defense mechanisms. To evaluate the performance of CGI, we conduct experiments on various benchmark datasets, considering representative Byzantine-robust AGRs, and exploring diverse FL settings with different levels of adversary knowledge about the data. Our results demonstrate that CGI consistently and successfully extracts training input in all tested scenarios.

Pengxin Guo,Shuang Zeng,Wenhao Chen,Xiaodan Zhang,Weihong Ren,Yuyin Zhou,Liangqiong Qu

2024-12-10

Abstract:Federated Learning (FL) aims to protect data privacy by enabling clients to collectively train machine learning models without sharing their raw data. However, recent studies demonstrate that information exchanged during FL is subject to Gradient Inversion Attacks (GIA) and, consequently, a variety of privacy-preserving methods have been integrated into FL to thwart such attacks, such as Secure Multi-party Computing (SMC), Homomorphic Encryption (HE), and Differential Privacy (DP). Despite their ability to protect data privacy, these approaches inherently involve substantial privacy-utility trade-offs. By revisiting the key to privacy exposure in FL under GIA, which lies in the frequent sharing of model gradients that contain private data, we take a new perspective by designing a novel privacy preserve FL framework that effectively ``breaks the direct connection'' between the shared parameters and the local private data to defend against GIA. Specifically, we propose a Hypernetwork Federated Learning (HyperFL) framework that utilizes hypernetworks to generate the parameters of the local model and only the hypernetwork parameters are uploaded to the server for aggregation. Theoretical analyses demonstrate the convergence rate of the proposed HyperFL, while extensive experimental results show the privacy-preserving capability and comparable performance of HyperFL. Code is available at <a class="link-external link-https" href="https://github.com/Pengxin-Guo/HyperFL" rel="external noopener nofollow">this https URL</a>.

Machine Learning,Cryptography and Security

Lele Zheng,Yang Cao,Renhe Jiang,Kenjiro Taura,Yulong Shen,Sheng Li,Masatoshi Yoshikawa

2024-07-15

Abstract:Spatiotemporal federated learning has recently raised intensive studies due to its ability to train valuable models with only shared gradients in various location-based services. On the other hand, recent studies have shown that shared gradients may be subject to gradient inversion attacks (GIA) on images or texts. However, so far there has not been any systematic study of the gradient inversion attacks in spatiotemporal federated learning. In this paper, we explore the gradient attack problem in spatiotemporal federated learning from attack and defense perspectives. To understand privacy risks in spatiotemporal federated learning, we first propose Spatiotemporal Gradient Inversion Attack (ST-GIA), a gradient attack algorithm tailored to spatiotemporal data that successfully reconstructs the original location from gradients. Furthermore, we design an adaptive defense strategy to mitigate gradient inversion attacks in spatiotemporal federated learning. By dynamically adjusting the perturbation levels, we can offer tailored protection for varying rounds of training data, thereby achieving a better trade-off between privacy and utility than current state-of-the-art methods. Through intensive experimental analysis on three real-world datasets, we reveal that the proposed defense strategy can well preserve the utility of spatiotemporal federated learning with effective security protection.

Cryptography and Security

Haimei Gong,Liangjun Jiang,Xiaoyang Liu,Yuanqi Wang,Omary Gastro,Lei Wang,Ke Zhang,Zhen Guo

DOI: https://doi.org/10.1007/s10462-023-10550-z

IF: 9.588

2023-07-23

Artificial Intelligence Review

Abstract:Federated Learning (FL) improves the privacy of local training data by exchanging model updates (e.g., local gradients or updated parameters). Gradients and weights of the model have been presumed to be safe for delivery. Nevertheless, some studies have shown that gradient leakage attacks can reconstruct the input images at the pixel level, which belong to deep leakage. In addition, well understanding gradient leakage attacks are beneficial to model inversion attacks. Furthermore, gradient leakage attacks can be performed in a covert way, which does not hamper the training performance. It is significant to study gradient leakage attacks deeply. In this paper, a systematic literature review on gradient leakage attacks and privacy protection strategies. Through carefully screening, existing works about gradient leakage attacks can be categorized into three groups: (i) bias attacks, (ii) optimization-based attacks, and (iii) linear equation solver attacks. We propose one privacy attack system, i.e., single-sample reconstruction attack system (SSRAS). Furthermore, rank analysis index (RA-I) can be introduced to provide an overall estimate of the security of the neural network. In addition, we propose an Improved R-GAP Algorithm, this improved algorithm can carry out image reconstruction regardless of whether the label can be determined. Finally, experimental results show the superiority of the attack system over some other state-of-the-art attack algorithms.

computer science, artificial intelligence

Can Liu,Jin Wang,and Yipeng Zhou,Yachao Yuan,Quanzheng Sheng,Kejie Lu

2024-07-31

Abstract:Federated learning (FL) empowers privacypreservation in model training by only exposing users' model gradients. Yet, FL users are susceptible to gradient inversion attacks (GIAs) which can reconstruct ground-truth training data such as images based on model gradients. However, reconstructing high-resolution images by existing GIAs faces two challenges: inferior accuracy and slow-convergence, especially when duplicating labels exist in the training batch. To address these challenges, we present an Accurate and Fast-convergent Gradient Inversion attack algorithm, called AFGI, with two components: Label Recovery Block (LRB) which can accurately restore duplicating labels of private images based on exposed gradients; VME Regularization Term, which includes the total variance of reconstructed images, the discrepancy between three-channel means and edges, between values from exposed gradients and reconstructed images, respectively. The AFGI can be regarded as a white-box attack strategy to reconstruct images by leveraging labels recovered by LRB. In particular, AFGI is efficient that accurately reconstruct ground-truth images when users' training batch size is up to 48. Our experimental results manifest that AFGI can diminish 85% time costs while achieving superb inversion quality in the ImageNet dataset. At last, our study unveils the shortcomings of FL in privacy-preservation, prompting the development of more advanced countermeasure strategies.

Computer Vision and Pattern Recognition

Wenqi Wei,Ling Liu,Margaret Loper,Ka-Ho Chow,Mehmet Emre Gursoy,Stacey Truex,Yanzhao Wu

DOI: https://doi.org/10.48550/arXiv.2004.10397

2020-04-23

Abstract:Federated learning (FL) is an emerging distributed machine learning framework for collaborative model training with a network of clients (edge devices). FL offers default client privacy by allowing clients to keep their sensitive data on local devices and to only share local training parameter updates with the federated server. However, recent studies have shown that even sharing local parameter updates from a client to the federated server may be susceptible to gradient leakage attacks and intrude the client privacy regarding its training data. In this paper, we present a principled framework for evaluating and comparing different forms of client privacy leakage attacks. We first provide formal and experimental analysis to show how adversaries can reconstruct the private local training data by simply analyzing the shared parameter update from local training (e.g., local gradient or weight update vector). We then analyze how different hyperparameter configurations in federated learning and different settings of the attack algorithm may impact on both attack effectiveness and attack cost. Our framework also measures, evaluates, and analyzes the effectiveness of client privacy leakage attacks under different gradient compression ratios when using communication efficient FL protocols. Our experiments also include some preliminary mitigation strategies to highlight the importance of providing a systematic attack evaluation framework towards an in-depth understanding of the various forms of client privacy leakage threats in federated learning and developing theoretical foundations for attack mitigation.

Machine Learning,Cryptography and Security

Junjie Shan,Ziqi Zhao,Jialin Lu,Rui Zhang,Siu Ming Yiu,Ka-Ho Chow

2024-11-22

Abstract:Foundation models that bridge vision and language have made significant progress, inspiring numerous life-enriching applications. However, their potential for misuse to introduce new threats remains largely unexplored. This paper reveals that vision-language models (VLMs) can be exploited to overcome longstanding limitations in gradient inversion attacks (GIAs) within federated learning (FL), where an FL server reconstructs private data samples from gradients shared by victim clients. Current GIAs face challenges in reconstructing high-resolution images, especially when the victim has a large local data batch. While focusing reconstruction on valuable samples rather than the entire batch is promising, existing methods lack the flexibility to allow attackers to specify their target data. In this paper, we introduce Geminio, the first approach to transform GIAs into semantically meaningful, targeted attacks. Geminio enables a brand new privacy attack experience: attackers can describe, in natural language, the types of data they consider valuable, and Geminio will prioritize reconstruction to focus on those high-value samples. This is achieved by leveraging a pretrained VLM to guide the optimization of a malicious global model that, when shared with and optimized by a victim, retains only gradients of samples that match the attacker-specified query. Extensive experiments demonstrate Geminio's effectiveness in pinpointing and reconstructing targeted samples, with high success rates across complex datasets under FL and large batch sizes and showing resilience against existing defenses.

Machine Learning,Artificial Intelligence,Cryptography and Security

Yangsibo Huang,Samyak Gupta,Zhao Song,Kai Li,Sanjeev Arora

DOI: https://doi.org/10.48550/arXiv.2112.00059

2021-12-01

Abstract:Gradient inversion attack (or input recovery from gradient) is an emerging threat to the security and privacy preservation of Federated learning, whereby malicious eavesdroppers or participants in the protocol can recover (partially) the clients' private data. This paper evaluates existing attacks and defenses. We find that some attacks make strong assumptions about the setup. Relaxing such assumptions can substantially weaken these attacks. We then evaluate the benefits of three proposed defense mechanisms against gradient inversion attacks. We show the trade-offs of privacy leakage and data utility of these defense methods, and find that combining them in an appropriate manner makes the attack less effective, even under the original strong assumptions. We also estimate the computation cost of end-to-end recovery of a single image under each evaluated defense. Our findings suggest that the state-of-the-art attacks can currently be defended against with minor data utility loss, as summarized in a list of potential strategies. Our code is available at: <a class="link-external link-https" href="https://github.com/Princeton-SysML/GradAttack" rel="external noopener nofollow">this https URL</a>.

Cryptography and Security,Machine Learning

H. Yi,H. Ren,C. Hu,Y. Li,J. Deng,X. Xie

2024-10-11

Abstract:Federated Learning (FL) has become a cornerstone of privacy protection, shifting the paradigm towards localizing sensitive data while only sending model gradients to a central server. This strategy is designed to reinforce privacy protections and minimize the vulnerabilities inherent in centralized data storage systems. Despite its innovative approach, recent empirical studies have highlighted potential weaknesses in FL, notably regarding the exchange of gradients. In response, this study introduces a novel, efficacious method aimed at safeguarding against gradient leakage, namely, ``AdaDefense". Following the idea that model convergence can be achieved by using different types of optimization methods, we suggest using a local stand-in rather than the actual local gradient for global gradient aggregation on the central server. This proposed approach not only effectively prevents gradient leakage, but also ensures that the overall performance of the model remains largely unaffected. Delving into the theoretical dimensions, we explore how gradients may inadvertently leak private information and present a theoretical framework supporting the efficacy of our proposed method. Extensive empirical tests, supported by popular benchmark experiments, validate that our approach maintains model integrity and is robust against gradient leakage, marking an important step in our pursuit of safe and efficient FL.

Machine Learning,Computer Vision and Pattern Recognition

Hanchi Ren,Jingjing Deng,Xianghua Xie,Xiaoke Ma,Jianfeng Ma

DOI: https://doi.org/10.48550/arXiv.2305.04095

2023-05-07

Abstract:Federated Learning (FL) is a widely adopted privacy-preserving machine learning approach where private data remains local, enabling secure computations and the exchange of local model gradients between local clients and third-party parameter servers. However, recent findings reveal that privacy may be compromised and sensitive information potentially recovered from shared gradients. In this study, we offer detailed analysis and a novel perspective on understanding the gradient leakage problem. These theoretical works lead to a new gradient leakage defense technique that secures arbitrary model architectures using a private key-lock module. Only the locked gradient is transmitted to the parameter server for global model aggregation. Our proposed learning method is resistant to gradient leakage attacks, and the key-lock module is designed and trained to ensure that, without the private information of the key-lock module: a) reconstructing private training data from the shared gradient is infeasible; and b) the global model's inference performance is significantly compromised. We discuss the theoretical underpinnings of why gradients can leak private information and provide theoretical proof of our method's effectiveness. We conducted extensive empirical evaluations with a total of forty-four models on several popular benchmarks, demonstrating the robustness of our proposed approach in both maintaining model performance and defending against gradient leakage attacks.

Machine Learning,Artificial Intelligence,Computer Vision and Pattern Recognition

Daniel Scheliga,Patrick Mäder,Marco Seeland

2024-12-05

Abstract:Gradient Inversion (GI) attacks are a ubiquitous threat in Federated Learning (FL) as they exploit gradient leakage to reconstruct supposedly private training data. Common defense mechanisms such as Differential Privacy (DP) or stochastic Privacy Modules (PMs) introduce randomness during gradient computation to prevent such attacks. However, we pose that if an attacker effectively mimics a client's stochastic gradient computation, the attacker can circumvent the defense and reconstruct clients' private training data. This paper introduces several targeted GI attacks that leverage this principle to bypass common defense mechanisms. As a result, we demonstrate that no individual defense provides sufficient privacy protection. To address this issue, we propose to combine multiple defenses. We conduct an extensive ablation study to evaluate the influence of various combinations of defenses on privacy protection and model utility. We observe that only the combination of DP and a stochastic PM was sufficient to decrease the Attack Success Rate (ASR) from 100% to 0%, thus preserving privacy. Moreover, we found that this combination of defenses consistently achieves the best trade-off between privacy and model utility.

Machine Learning,Artificial Intelligence,Cryptography and Security

Chuan Zhang,Haotian Liang,Youqi Li,Tong Wu,Liehuang Zhu,Weiting Zhang

DOI: https://doi.org/10.1109/ICPADS56603.2022.00044

2022-01-01

Abstract:Knowing model parameters has been regarded as a vital factor for recovering sensitive information from the gradients in federated learning. But is it safe to use federated learning when the model parameters are unavailable for adversaries, i.e., external adversaries? In this paper, we answer this question by proposing a novel gradient inversion attack. Specifically, we observe a widely ignored fact in federated learning that the participants' gradient data are usually transmitted via the intermediary node. Based on this fact, we show that an external adversary is able to recover the private input from the gradients, even if it does not have the model parameters. Through extensive experiments based on several real-world datasets, we demonstrate that our proposed new attack can recover the input with pixelwise accuracy and feasible efficiency.

Haimei Gong,Liangjun Jiang,Xiaoyang Liu,Yuanqi Wang,Lei Wang,Ke Zhang

DOI: https://doi.org/10.3390/s22197157

IF: 3.9

2022-09-22

Sensors

Abstract:Exchanging gradient is a widely used method in modern multinode machine learning system (e.g., distributed training, Federated Learning). Gradients and weights of model has been presumed to be safe to delivery. However, some studies have shown that gradient inversion technique can reconstruct the input images on the pixel level. In this study, we review the research work of data leakage by gradient inversion technique and categorize existing works into three groups: (i) Bias Attacks, (ii) Optimization-Based Attacks, and (iii) Linear Equation Solver Attacks. According to the characteristics of these algorithms, we propose one privacy attack system, i.e., Single-Sample Reconstruction Attack System (SSRAS). This system can carry out image reconstruction regardless of whether the label can be determined. It can extends gradient inversion attack from a fully connected layer with bias terms to attack a fully connected layer and convolutional neural network with or without bias terms. We also propose Improved R-GAP Alogrithm, which can utlize DLG algorithm to derive ground truth. Furthermore, we introduce Rank Analysis Index (RA-I) to measure the possible of whether the user's raw image data can be reconstructed. This rank analysis derive virtual constraints Vi from weights. Compared with the most representative attack algorithms, this reconstruction attack system can recover a user's private training image with high fidelity and attack success rate. Experimental results also show the superiority of the attack system over some other state-of-the-art attack algorithms.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Lele Zheng,Yang Cao,Renhe Jiang,Kenjiro Taura,Yulong Shen,Sheng Li,Masatoshi Yoshikawa

2024-10-21

Abstract:Recent works show that sensitive user data can be reconstructed from gradient updates, breaking the key privacy promise of federated learning. While success was demonstrated primarily on image data, these methods do not directly transfer to other domains, such as spatiotemporal data. To understand privacy risks in spatiotemporal federated learning, we first propose Spatiotemporal Gradient Inversion Attack (ST-GIA), a gradient attack algorithm tailored to spatiotemporal data that successfully reconstructs the original location from gradients. Furthermore, the absence of priors in attacks on spatiotemporal data has hindered the accurate reconstruction of real client data. To address this limitation, we propose ST-GIA+, which utilizes an auxiliary language model to guide the search for potential locations, thereby successfully reconstructing the original data from gradients. In addition, we design an adaptive defense strategy to mitigate gradient inversion attacks in spatiotemporal federated learning. By dynamically adjusting the perturbation levels, we can offer tailored protection for varying rounds of training data, thereby achieving a better trade-off between privacy and utility than current state-of-the-art methods. Through intensive experimental analysis on three real-world datasets, we reveal that the proposed defense strategy can well preserve the utility of spatiotemporal federated learning with effective security protection.

Machine Learning,Cryptography and Security