Gradients Stand-in for Defending Deep Leakage in Federated Learning

H. Yi, H. Ren, C. Hu, Y. Li, J. Deng, X. Xie
2024-10-11
Abstract: Federated Learning (FL) has become a cornerstone of privacy protection, shifting the paradigm towards localizing sensitive data while only sending model gradients to a central server. This strategy is designed to reinforce privacy protections and minimize the vulnerabilities inherent in centralized data storage systems. Despite its innovative approach, recent empirical studies have highlighted potential weaknesses in FL, notably regarding the exchange of gradients. In response, this study introduces a novel, efficacious method aimed at safeguarding against gradient leakage, namely, "AdaDefense". Following the idea that model convergence can be achieved by using different types of optimization methods, we suggest using a local stand-in rather than the actual local gradient for global gradient aggregation on the central server. This proposed approach not only effectively prevents gradient leakage, but also ensures that the overall performance of the model remains largely unaffected. Delving into the theoretical dimensions, we explore how gradients may inadvertently leak private information and present a theoretical framework supporting the efficacy of our proposed method. Extensive empirical tests, supported by popular benchmark experiments, validate that our approach maintains model integrity and is robust against gradient leakage, marking an important step in our pursuit of safe and efficient FL.
Machine Learning, Computer Vision and Pattern Recognition
What problem does this paper attempt to address?
The problem that this paper attempts to solve is the gradient leakage problem in Federated Learning (FL). Although FL enhances privacy protection by sharing only model gradients rather than raw data, recent research shows that these shared gradients can still be used to reconstruct the original training data, thus leaking sensitive information. To solve this problem, the paper proposes a new method named AdaDefense, which aims to prevent gradient leakage while ensuring that the model performance is not significantly affected.

### Specific description of the problem

1. **Risk of gradient leakage**:
   - In FL, clients send gradients to the central server for global aggregation after training the model locally.
   - Although this method avoids directly sharing raw data, research shows that by analyzing these gradients, an attacker can partially or completely reconstruct the original training data, thus leaking privacy.
2. **Limitations of existing defense methods**:
   - Existing defense methods such as gradient perturbation, data obfuscation or encryption techniques can protect privacy to a certain extent, but usually make compromises between privacy protection and computational efficiency.
   - These methods often require a large amount of computational resources and may reduce the performance of the model.
3. **Innovations of AdaDefense**:
   - AdaDefense introduces a new gradient substitution mechanism that effectively prevents gradient leakage without changing the model architecture or adding computational burden.
   - Specifically, AdaDefense uses the Adam optimization algorithm to process local gradients to generate gradient stand-ins, and then uses these substitute gradients for global aggregation.
   - This method not only protects privacy but also maintains the performance and convergence speed of the model.

### Overview of the solution

- **Gradient substitution mechanism**: AdaDefense generates gradient substitutes by processing the original gradients using the Adam optimization algorithm locally. These gradient substitutes retain the high-level feature representation of the gradients but no longer contain the low-level information that can reconstruct the original data.
- **Theoretical analysis**: The paper provides a detailed mathematical analysis to prove the effectiveness of the gradient substitution. Specifically, through formula derivation, the author shows how the gradient substitution effectively prevents an attacker from extracting useful information from the gradients.
- **Experimental verification**: Through experiments on multiple benchmark datasets, the paper verifies the effectiveness of AdaDefense in preventing gradient leakage while maintaining the performance and accuracy of the model.

### Formula summary

- **Adam optimization algorithm**:

  \[ m_r = \beta_1 m_{r-1} + (1-\beta_1) g_r \]

  \[ v_r = \beta_2 v_{r-1} + (1-\beta_2) g_r^2 \]

  \[ \hat{m}_r = \frac{m_r}{1-\beta_1^r} \]

  \[ \hat{v}_r = \frac{v_r}{1-\beta_2^r} \]

  \[ \hat{g}_r = \frac{\hat{m}_r}{\sqrt{\hat{v}_r}+\epsilon} \]

- **Derivative of gradient substitution**:

  \[ \frac{\partial\hat{g}_r}{\partial g_r} = \frac{(1-\beta_1)(V+\epsilon) - ((1-\beta_2)\beta_1 m_{r-1} + (1-\beta_2)(1-\beta_1) g_r)}{(1-\beta_1^r)(V+\epsilon)^2} \]

  where \(V = \sqrt{\hat{v}_r}\).

Through these formulas, the paper explains in detail how AdaDefense effectively prevents gradient leakage without affecting the model performance, thereby enhancing the privacy security of the FL system.
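
The client-side stand-in computation from the Adam formulas above, as an added example (not code from the paper or its authors). The class and function names, the hyperparameter defaults, the constructed sample gradients and the server's plain averaging are assumptions; the demo shows that the first-round upload keeps only the sign of each coordinate and that later uploads depend on moments the server never sees.

```python
import math

class StandInClient:
    """Client-side state for the Adam-style stand-in (hypothetical names)."""

    def __init__(self, dim, beta1=0.9, beta2=0.999, eps=1e-8):
        self.beta1, self.beta2, self.eps = beta1, beta2, eps
        self.m = [0.0] * dim   # first moment m_{r-1}, never leaves the client
        self.v = [0.0] * dim   # second moment v_{r-1}, never leaves the client
        self.r = 0             # local round counter

    def stand_in(self, g):
        """Consume the raw local gradient g_r and return g_hat_r for upload."""
        self.r += 1
        out = []
        for i, gi in enumerate(g):
            self.m[i] = self.beta1 * self.m[i] + (1 - self.beta1) * gi
            self.v[i] = self.beta2 * self.v[i] + (1 - self.beta2) * gi * gi
            m_hat = self.m[i] / (1 - self.beta1 ** self.r)   # bias correction
            v_hat = self.v[i] / (1 - self.beta2 ** self.r)
            out.append(m_hat / (math.sqrt(v_hat) + self.eps))
        return out

def aggregate(stand_ins):
    """Server side: plain average of uploaded stand-ins (assumed rule)."""
    n = len(stand_ins)
    return [sum(col) / n for col in zip(*stand_ins)]

def demo():
    # Constructed sample gradients: same signs, very different magnitudes.
    g_small = [0.002, -0.5, 3.0]
    g_large = [20.0, -0.001, 0.7]
    a, b = StandInClient(3), StandInClient(3)
    # Round 1: m_hat = g and v_hat = g^2, so g_hat = g / (|g| + eps),
    # i.e. the upload carries the sign but not the magnitude.
    first_a, first_b = a.stand_in(g_small), b.stand_in(g_large)
    # Round 2: identical raw gradient on both clients, but different local
    # m and v, so the uploads differ; recovering g_r from g_hat_r would
    # need the client's private moments.
    g_same = [0.1, -0.1, 0.1]
    second_a, second_b = a.stand_in(g_same), b.stand_in(g_same)
    return first_a, first_b, second_a, second_b, aggregate([second_a, second_b])

if __name__ == "__main__":
    for name, vec in zip(("a r1", "b r1", "a r2", "b r2", "avg r2"), demo()):
        print(name, [round(x, 4) for x in vec])
```
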