Mjolnir: Breaking the Shield of Perturbation-Protected Gradients via Adaptive Diffusion

Xuan Liu, Siqi Cai, Qihua Zhou, Song Guo, Ruibin Li, Kaiwei Lin
2024-12-11
Abstract: Perturbation-based mechanisms, such as differential privacy, mitigate gradient leakage attacks by introducing noise into the gradients, thereby preventing attackers from reconstructing clients' private data from the leaked gradients. However, can gradient perturbation protection mechanisms truly defend against all gradient leakage attacks? In this paper, we present the first attempt to break the shield of gradient perturbation protection in Federated Learning for the extraction of private information. We focus on common noise distributions, specifically Gaussian and Laplace, and apply our approach to DNN and CNN models. We introduce Mjolnir, a perturbation-resilient gradient leakage attack that is capable of removing perturbations from gradients without requiring additional access to the original model structure or external data. Specifically, we leverage the inherent diffusion properties of gradient perturbation protection to develop a novel diffusion-based gradient denoising model for Mjolnir. By constructing a surrogate client model that captures the structure of perturbed gradients, we obtain crucial gradient data for training the diffusion model. We further utilize the insight that monitoring disturbance levels during the reverse diffusion process can enhance gradient denoising capabilities, allowing Mjolnir to generate gradients that closely approximate the original, unperturbed versions through adaptive sampling steps. Extensive experiments demonstrate that Mjolnir effectively recovers the protected gradients and exposes the Federated Learning process to the threat of gradient leakage, achieving superior performance in gradient denoising and private data recovery.
Machine Learning, Artificial Intelligence, Cryptography and Security
What problem does this paper attempt to address?
This paper targets the gradient-perturbation defences used against gradient leakage attacks in Federated Learning (FL). Specifically, the authors ask whether an attacker who only sees a noise-protected gradient can strip the noise, recover the original gradient, and then reconstruct the client's private training data from it.

FL is a distributed machine-learning paradigm in which multiple parties train a model jointly without transmitting their raw training data. To protect privacy, noise is usually added to the shared gradients, for example with differential privacy (DP) mechanisms. Whether such perturbation fully prevents gradient leakage attacks has remained an open question.

The proposed method, Mjolnir, exploits the properties of diffusion models and removes the noise from a protected gradient without additional access to the original model structure or to external data. Its core idea is to treat the gradient perturbation mechanism itself as the forward process of a diffusion model and to recover the original gradient by running the reverse diffusion process. Experiments show that Mjolnir recovers protected gradients under the common noise distributions (Gaussian and Laplace) and performs well in both gradient denoising and private data recovery.

### Main contributions of the paper:

1. **Reveal the natural diffusion process in the gradient perturbation mechanism**: The authors observe that adding perturbation noise to a gradient is essentially a diffusion process, and introduce an adaptive parameter \( M \) that adjusts the diffusion steps according to the degree of perturbation.
2. **Propose Mjolnir**: the first practical gradient diffusion attack that recovers perturbed gradients without relying on the original model structure or third-party data, removing the bottleneck that gradient perturbation imposed on existing gradient leakage attacks.
3. **Demonstrate the vulnerability of gradient perturbation under Mjolnir's adaptive diffusion denoising**: on commonly used image datasets, Mjolnir achieves the best gradient denoising quality and the strongest privacy leakage among the compared methods.

### Method overview:

1. **Obtain the protected gradient**: The attacker intercepts the perturbed gradient \( \nabla W' \) shared during federated learning.
2. **Construct a surrogate model**: From the stolen perturbed gradient, the attacker builds a surrogate client model that produces gradients with the same structure as those of the target model.
3. **Train the gradient diffusion model**: The gradients generated by the surrogate model are used as training data for a diffusion model that learns to remove the noise from gradients.
4. **Recover the original gradient**: The stolen perturbed gradient is fed to the trained diffusion model, which outputs the recovered gradient \( \nabla W_R \); this recovered gradient is then used in a conventional gradient leakage attack to reconstruct the private data.

### Experimental results:

- **Privacy leakage ability**: Mjolnir and its variants clearly outperform traditional gradient leakage attacks at leaking private images; the average PSNR of the recovered images is about 209% higher.
- **Gradient denoising ability**: Under the FL-DP framework, Mjolnir reaches an average cosine similarity above 0.992 and a PSNR of 37.68 between recovered and original gradients, more than 27% better than non-diffusion methods.
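The following Python is an added illustration of the premise the attack rests on, not code from the paper, and it does not reproduce the authors' diffusion model or their definition of \( M \). It shows that the Gaussian mechanism applied to a clipped gradient has the same form as one forward step of a DDPM-style diffusion process, so the noise level of an intercepted gradient can be matched to a diffusion timestep; using that matched timestep as the number of reverse steps is an assumed stand-in for the paper's adaptive step selection. It also computes the two metrics the evaluation reports, cosine similarity and PSNR. The synthetic gradient, the linear beta schedule, the smooth-gradient noise estimator and the PSNR peak convention are all constructed assumptions.

```python
import math
import random


def clip_gradient(grad, clip_norm):
    """Clip the L2 norm of a flattened gradient to clip_norm (FL-DP convention)."""
    norm = math.sqrt(sum(v * v for v in grad))
    factor = min(1.0, clip_norm / (norm + 1e-12))
    return [v * factor for v in grad]


def perturb(grad, std, dist="gaussian", seed=0):
    """Gradient perturbation defence: add i.i.d. noise of standard deviation std.
    'gaussian' is the Gaussian mechanism; 'laplace' adds Laplace noise with the
    same variance (the two distributions the paper studies)."""
    rng = random.Random(seed)
    if dist == "gaussian":
        noise = [rng.gauss(0.0, std) for _ in grad]
    elif dist == "laplace":
        b = std / math.sqrt(2.0)  # Laplace(0, b) has variance 2 b^2
        noise = []
        for _ in grad:
            u = rng.random() - 0.5  # inverse-CDF sampling
            noise.append(-b * math.copysign(1.0, u) * math.log(max(1e-12, 1.0 - 2.0 * abs(u))))
    else:
        raise ValueError("dist must be 'gaussian' or 'laplace'")
    return [v + n for v, n in zip(grad, noise)]


def linear_schedule(steps=1000, beta_start=1e-4, beta_end=0.02):
    """DDPM linear beta schedule (assumed); returns alpha_bar[t] = prod_{s<=t}(1 - beta_s)."""
    alpha_bar, prod = [], 1.0
    for t in range(steps):
        beta = beta_start + (beta_end - beta_start) * t / (steps - 1)
        prod *= 1.0 - beta
        alpha_bar.append(prod)
    return alpha_bar


def estimate_noise_std(x):
    """Robust noise estimate for a locally smooth signal under white noise:
    first differences have std sqrt(2)*sigma and MAD/0.6745 estimates that std.
    Assumes the clean gradient varies slowly between neighbouring coordinates
    (a constructed assumption, used when the DP noise scale is not public)."""
    diffs = [b - a for a, b in zip(x, x[1:])]
    med = sorted(diffs)[len(diffs) // 2]
    mad = sorted(abs(d - med) for d in diffs)[len(diffs) // 2]
    return mad / (0.6745 * math.sqrt(2.0))


def matching_timestep(perturbed, alpha_bar, noise_std=None):
    """Map a perturbed gradient to the forward-diffusion step with the same SNR.
    x_t = sqrt(a_t) x_0 + sqrt(1 - a_t) eps has per-coordinate SNR a_t / (1 - a_t);
    g' = g + std * eps has SNR E[g^2] / std^2. The matched t is the number of
    reverse steps to run: an assumed stand-in for the paper's adaptive M."""
    std = noise_std if noise_std is not None else estimate_noise_std(perturbed)
    signal_power = sum(v * v for v in perturbed) / len(perturbed) - std * std
    log_snr = math.log(max(signal_power, 1e-12) / (std * std))
    return min(range(len(alpha_bar)),
               key=lambda t: abs(math.log(alpha_bar[t] / (1.0 - alpha_bar[t])) - log_snr))


def cosine_similarity(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))


def psnr(reference, estimate):
    """PSNR in dB with the peak taken as max |reference| (assumed convention)."""
    mse = sum((r - e) ** 2 for r, e in zip(reference, estimate)) / len(reference)
    if mse == 0.0:
        return math.inf
    peak = max(abs(r) for r in reference)
    return 10.0 * math.log10(peak * peak / mse)


def synthetic_gradient(n=4096, seed=1):
    """Constructed stand-in for a flattened conv-layer gradient: a few
    low-frequency components, so neighbouring entries are correlated."""
    rng = random.Random(seed)
    comps = [(rng.uniform(0.5, 1.0), rng.uniform(1.0, 6.0), rng.uniform(0.0, 2 * math.pi)) for _ in range(3)]
    return [sum(a * math.sin(2 * math.pi * f * i / n + p) for a, f, p in comps) for i in range(n)]


def demo(sigma, dist="gaussian", clip_norm=1.0):
    """Attacker's view: intercept g', estimate the noise level, pick the matching
    diffusion step, and score g' against the clean clipped gradient g."""
    g = clip_gradient(synthetic_gradient(), clip_norm)
    g_pert = perturb(g, sigma * clip_norm, dist)
    est = estimate_noise_std(g_pert)
    return {"true_std": sigma * clip_norm, "est_std": est,
            "steps": matching_timestep(g_pert, linear_schedule(), est),
            "cos": cosine_similarity(g, g_pert), "psnr": psnr(g, g_pert)}


if __name__ == "__main__":
    for sigma in (0.001, 0.01, 0.1):
        print(sigma, demo(sigma))
```

Two caveats worth keeping in mind when reading the output: the MAD-based estimator is calibrated for Gaussian noise and under-estimates Laplace noise of the same variance by roughly 15%, and once the noise dominates the signal (large sigma), the signal-power term becomes unreliable and the matched step saturates at the end of the schedule, which is exactly the regime where the attack has the least to work with.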
### Conclusion:

Mjolnir breaks the existing gradient perturbation protection by exploiting the properties of diffusion models, showing how difficult it is to protect privacy in federated learning with gradient noise alone. The work both exposes a weakness of current privacy protection techniques and suggests directions for future privacy protection research.