Junxiao Wang,Song Guo,Xin Xie,Heng Qi

DOI: https://doi.org/10.1109/infocom48880.2022.9796841

2022-01-01

Abstract:Federated Learning (FL) is susceptible to gradient leakage attacks, as recent studies show the feasibility of obtaining private training data on clients from publicly shared gradients. Existing work solves this problem by incorporating a series of privacy protection mechanisms, such as homomorphic encryption and local differential privacy to prevent data leakage. However, these solutions either incur significant communication and computation costs, or significant training accuracy loss. In this paper, we show that the sensitivity of gradient changes w.r.t. training data is an essential measure of information leakage risk. Based on this observation, we present a novel defense, whose intuition is perturbing gradients to match information leakage risk such that the defense overhead is lightweight while privacy protection is adequate. Our another key observation is that global correlations of gradients could compensate for this perturbation. Based on such compensation, training can achieve guaranteed accuracy. We conduct experiments on MNIST, Fashion-MNIST and CIFAR-10 for defending against two gradient leakage attacks. Without sacrificing accuracy, the results demonstrate that our lightweight defense can decrease the PSNR and SSIM between the reconstructed images and raw images by up to more than 60% for both two attacks, compared with baseline defensive methods.

Mingyuan Fan,Yang Liu,Cen Chen,Chengyu Wang,Minghui Qiu,Wenmeng Zhou

DOI: https://doi.org/10.1145/3616855.3635758

2024-01-01

Abstract:Federated learning is a privacy-focused learning paradigm, which trains a global model with gradients uploaded from multiple participants, circumventing explicit exposure of private data. However, previous research of gradient leakage attacks suggests that gradients alone are sufficient to reconstruct private data, rendering the privacy protection mechanism of federated learning unreliable. Existing defenses commonly craft transformed gradients based on ground-truth gradients to obfuscate the attacks, but often are less capable of maintaining good model performance together with satisfactory privacy protection. In this paper, we propose a novel yet effective defense framework named guarding against gradient leakage (Guardian) that produces transformed gradients by jointly optimizing two theoretically-derived metrics associated with gradients for performance maintenance and privacy protection. In this way, the transformed gradients produced via Guardian can achieve minimal privacy leakage in theory with the given performance maintenance level. Moreover, we design an ingenious initialization strategy for faster generation of transformed gradients to enhance the practicality of Guardian in real-world applications, while demonstrating theoretical convergence of Guardian to the performance of the global model. Extensive experiments on various tasks show that, without sacrificing much accuracy, Guardian can effectively defend state-of-the-art gradient leakage attacks, compared with the slight effects of baseline defense approaches.

Yuezhou Wu,Yan Kang,Jiahuan Luo,Yuanqin He,Qiang Yang

DOI: https://doi.org/10.24963/ijcai.2022/324

2024-07-07

Abstract:Federated learning (FL) aims to protect data privacy by enabling clients to build machine learning models collaboratively without sharing their private data. Recent works demonstrate that information exchanged during FL is subject to gradient-based privacy attacks, and consequently, a variety of privacy-preserving methods have been adopted to thwart such attacks. However, these defensive methods either introduce orders of magnitude more computational and communication overheads (e.g., with homomorphic encryption) or incur substantial model performance losses in terms of prediction accuracy (e.g., with differential privacy). In this work, we propose $\textsc{FedCG}$, a novel federated learning method that leverages conditional generative adversarial networks to achieve high-level privacy protection while still maintaining competitive model performance. $\textsc{FedCG}$ decomposes each client's local network into a private extractor and a public classifier and keeps the extractor local to protect privacy. Instead of exposing extractors, $\textsc{FedCG}$ shares clients' generators with the server for aggregating clients' shared knowledge, aiming to enhance the performance of each client's local networks. Extensive experiments demonstrate that $\textsc{FedCG}$ can achieve competitive model performance compared with FL baselines, and privacy analysis shows that $\textsc{FedCG}$ has a high-level privacy-preserving capability. Code is available at <a class="link-external link-https" href="https://github.com/yankang18/FedCG" rel="external noopener nofollow">this https URL</a>

Machine Learning

Yuxuan Wan,Han Xu,Xiaorui Liu,Jie Ren,Wenqi Fan,Jiliang Tang

DOI: https://doi.org/10.48550/arXiv.2206.00769

2022-06-02

Abstract:Federated learning is considered as an effective privacy-preserving learning mechanism that separates the client's data and model training process. However, federated learning is still under the risk of privacy leakage because of the existence of attackers who deliberately conduct gradient leakage attacks to reconstruct the client data. Recently, popular strategies such as gradient perturbation methods and input encryption methods have been proposed to defend against gradient leakage attacks. Nevertheless, these defenses can either greatly sacrifice the model performance, or be evaded by more advanced attacks. In this paper, we propose a new defense method to protect the privacy of clients' data by learning to obscure data. Our defense method can generate synthetic samples that are totally distinct from the original samples, but they can also maximally preserve their predictive features and guarantee the model performance. Furthermore, our defense strategy makes the gradient leakage attack and its variants extremely difficult to reconstruct the client data. Through extensive experiments, we show that our proposed defense method obtains better privacy protection while preserving high accuracy compared with state-of-the-art methods.

Machine Learning,Cryptography and Security

Wenqi Wei,Ling Liu,Jingya Zhou,Ka-Ho Chow,Yanzhao Wu

DOI: https://doi.org/10.1109/tpds.2023.3273490

IF: 5.3

2023-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:This paper presents a holistic approach to gradient leakage resilient distributed Stochastic Gradient Descent (SGD). First, we analyze two types of strategies for privacy-enhanced federated learning: (i) gradient pruning with random selection or low-rank filtering and (ii) gradient perturbation with additive random noise or differential privacy noise. We analyze the inherent limitations of these approaches and their underlying impact on privacy guarantee, model accuracy, and attack resilience. Next, we present a gradient leakage resilient approach to securing distributed SGD in federated learning, with differential privacy controlled noise as the tool. Unlike conventional methods with the per-client federated noise injection and fixed noise parameter strategy, our approach keeps track of the trend of per-example gradient updates. It makes adaptive noise injection closely aligned throughout the federated model training. Finally, we provide an empirical privacy analysis on the privacy guarantee, model utility, and attack resilience of the proposed approach. Extensive evaluation using five benchmark datasets demonstrates that our gradient leakage resilient approach can outperform the state-of-the-art methods with competitive accuracy performance, strong differential privacy guarantee, and high resilience against gradient leakage attacks.

H. Yi,H. Ren,C. Hu,Y. Li,J. Deng,X. Xie

2024-10-11

Abstract:Federated Learning (FL) has become a cornerstone of privacy protection, shifting the paradigm towards localizing sensitive data while only sending model gradients to a central server. This strategy is designed to reinforce privacy protections and minimize the vulnerabilities inherent in centralized data storage systems. Despite its innovative approach, recent empirical studies have highlighted potential weaknesses in FL, notably regarding the exchange of gradients. In response, this study introduces a novel, efficacious method aimed at safeguarding against gradient leakage, namely, ``AdaDefense". Following the idea that model convergence can be achieved by using different types of optimization methods, we suggest using a local stand-in rather than the actual local gradient for global gradient aggregation on the central server. This proposed approach not only effectively prevents gradient leakage, but also ensures that the overall performance of the model remains largely unaffected. Delving into the theoretical dimensions, we explore how gradients may inadvertently leak private information and present a theoretical framework supporting the efficacy of our proposed method. Extensive empirical tests, supported by popular benchmark experiments, validate that our approach maintains model integrity and is robust against gradient leakage, marking an important step in our pursuit of safe and efficient FL.

Machine Learning,Computer Vision and Pattern Recognition

Jiahui Hu,Zhibo Wang,Yongsheng Shen,Bohan Lin,Peng Sun,Xiaoyi Pang,Jian Liu,Kui Ren

DOI: https://doi.org/10.1109/tnet.2023.3317870

2024-01-01

Abstract:Federated learning (FL) requires frequent uploading and updating of model parameters, which is naturally vulnerable to gradient leakage attacks (GLAs) that reconstruct private training data through gradients. Although some works incorporate differential privacy (DP) into FL to mitigate such privacy issues, their performance is not satisfactory since they did not notice that GLA incurs heterogeneous risks of privacy leakage (RoPL) with respect to gradients from different communication rounds and clients. In this paper, we propose an Adaptive Privacy-Preserving Federated Learning (Adp-PPFL) framework to achieve satisfactory privacy protection against GLA, while ensuring good performance in terms of model accuracy and convergence speed. Specifically, a leakage risk-aware privacy decomposition mechanism is proposed to provide adaptive privacy protection to different communication rounds and clients by dynamically allocating the privacy budget according to the quantified RoPL. In particular, we exploratively design a round-level and a client-level RoPL quantification method to measure the possible risks of GLA breaking privacy from gradients in different communication rounds and clients respectively, which only employ the limited information in general FL settings. Furthermore, to improve the FL model training performance (i.e., convergence speed and global model accuracy), we propose an adaptive privacy-preserving local training mechanism that dynamically clips the gradients and decays the noises added to the clipped gradients during the local training process. Extensive experiments show that our framework outperforms the existing differentially private FL schemes on model accuracy, convergence, and attack resistance.

Shiwei Lu,Ruihu Li,Wenbin Liu

DOI: https://doi.org/10.1007/s11704-023-2283-x

IF: 2.6688

2024-01-23

Frontiers of Computer Science

Abstract:Federated learning (FL) has emerged to break data-silo and protect clients' privacy in the field of artificial intelligence. However, deep leakage from gradient (DLG) attack can fully reconstruct clients' data from the submitted gradient, which threatens the fundamental privacy of FL. Although cryptology and differential privacy prevent privacy leakage from gradient, they bring negative effect on communication overhead or model performance. Moreover, the original distribution of local gradient has been changed in these schemes, which makes it difficult to defend against adversarial attack. In this paper, we propose a novel federated learning framework with model decomposition, aggregation and assembling (FedDAA), along with a training algorithm, to train federated model, where local gradient is decomposed into multiple blocks and sent to different proxy servers to complete aggregation. To bring better privacy protection performance to FedDAA, an indicator is designed based on image structural similarity to measure privacy leakage under DLG attack and an optimization method is given to protect privacy with the least proxy servers. In addition, we give defense schemes against adversarial attack in FedDAA and design an algorithm to verify the correctness of aggregated results. Experimental results demonstrate that FedDAA can reduce the structural similarity between the reconstructed image and the original image to 0.014 and remain model convergence accuracy as 0.952, thus having the best privacy protection performance and model training effect. More importantly, defense schemes against adversarial attack are compatible with privacy protection in FedDAA and the defense effects are not weaker than those in the traditional FL. Moreover, verification algorithm of aggregation results brings about negligible overhead to FedDAA.

computer science, information systems, theory & methods, software engineering

Haimei Gong,Liangjun Jiang,Xiaoyang Liu,Yuanqi Wang,Omary Gastro,Lei Wang,Ke Zhang,Zhen Guo

DOI: https://doi.org/10.1007/s10462-023-10550-z

IF: 9.588

2023-07-23

Artificial Intelligence Review

Abstract:Federated Learning (FL) improves the privacy of local training data by exchanging model updates (e.g., local gradients or updated parameters). Gradients and weights of the model have been presumed to be safe for delivery. Nevertheless, some studies have shown that gradient leakage attacks can reconstruct the input images at the pixel level, which belong to deep leakage. In addition, well understanding gradient leakage attacks are beneficial to model inversion attacks. Furthermore, gradient leakage attacks can be performed in a covert way, which does not hamper the training performance. It is significant to study gradient leakage attacks deeply. In this paper, a systematic literature review on gradient leakage attacks and privacy protection strategies. Through carefully screening, existing works about gradient leakage attacks can be categorized into three groups: (i) bias attacks, (ii) optimization-based attacks, and (iii) linear equation solver attacks. We propose one privacy attack system, i.e., single-sample reconstruction attack system (SSRAS). Furthermore, rank analysis index (RA-I) can be introduced to provide an overall estimate of the security of the neural network. In addition, we propose an Improved R-GAP Algorithm, this improved algorithm can carry out image reconstruction regardless of whether the label can be determined. Finally, experimental results show the superiority of the attack system over some other state-of-the-art attack algorithms.

computer science, artificial intelligence

Wenhan Chang,Tianqing Zhu

DOI: https://doi.org/10.1016/j.cose.2024.103744

IF: 5.105

2024-02-04

Computers & Security

Abstract:Research on federated learning has continued to develop over the past few years. Many federated learning algorithms and frameworks have been developed to ensure model accuracy and protect client data privacy, which has been extensively beneficial for the development of artificial intelligence security technology. However, it is possible to recover private training data from publicly shared gradients, which is referred to as a data leakage attack. In this paper, we propose two feasible defense methods, based on gradient sparsification and pseudo-gradient, to defend against the state-of-the-art attack methods and achieve maximum protection of the private data of all federated learning participants. Both methods use cosine similarity to measure the angular difference between the gradients updated by the clients during training and the gradients sent back by the server. Taking the cosine similarity as a reference and aiming to protect clients' privacy while maintaining the accuracy of the global model, the clients can choose an appropriate strategy for disguising their uploaded gradient. Through extensive experiments, we demonstrate that both defense methods can protect users' private data while preserving the accuracy of the global model in federated learning.

computer science, information systems

Kai Yue,Richeng Jin,Chau-Wai Wong,Dror Baron,Huaiyu Dai

DOI: https://doi.org/10.48550/arXiv.2206.04055

2022-10-14

Abstract:Federated learning has been proposed as a privacy-preserving machine learning framework that enables multiple clients to collaborate without sharing raw data. However, client privacy protection is not guaranteed by design in this framework. Prior work has shown that the gradient sharing strategies in federated learning can be vulnerable to data reconstruction attacks. In practice, though, clients may not transmit raw gradients considering the high communication cost or due to privacy enhancement requirements. Empirical studies have demonstrated that gradient obfuscation, including intentional obfuscation via gradient noise injection and unintentional obfuscation via gradient compression, can provide more privacy protection against reconstruction attacks. In this work, we present a new data reconstruction attack framework targeting the image classification task in federated learning. We show that commonly adopted gradient postprocessing procedures, such as gradient quantization, gradient sparsification, and gradient perturbation, may give a false sense of security in federated learning. Contrary to prior studies, we argue that privacy enhancement should not be treated as a byproduct of gradient compression. Additionally, we design a new method under the proposed framework to reconstruct the image at the semantic level. We quantify the semantic privacy leakage and compare with conventional based on image similarity scores. Our comparisons challenge the image data leakage evaluation schemes in the literature. The results emphasize the importance of revisiting and redesigning the privacy protection mechanisms for client data in existing federated learning algorithms.

Cryptography and Security,Artificial Intelligence,Distributed, Parallel, and Cluster Computing,Machine Learning

Wenqi Wei,Ling Liu,Yanzhao Wu,Gong Su,Arun Iyengar

DOI: https://doi.org/10.48550/arXiv.2107.01154

2021-07-02

Abstract:Federated learning(FL) is an emerging distributed learning paradigm with default client privacy because clients can keep sensitive data on their devices and only share local training parameter updates with the federated server. However, recent studies reveal that gradient leakages in FL may compromise the privacy of client training data. This paper presents a gradient leakage resilient approach to privacy-preserving federated learning with per training example-based client differential privacy, coined as Fed-CDP. It makes three original contributions. First, we identify three types of client gradient leakage threats in federated learning even with encrypted client-server communications. We articulate when and why the conventional server coordinated differential privacy approach, coined as Fed-SDP, is insufficient to protect the privacy of the training data. Second, we introduce Fed-CDP, the per example-based client differential privacy algorithm, and provide a formal analysis of Fed-CDP with the $(\epsilon, \delta)$ differential privacy guarantee, and a formal comparison between Fed-CDP and Fed-SDP in terms of privacy accounting. Third, we formally analyze the privacy-utility trade-off for providing differential privacy guarantee by Fed-CDP and present a dynamic decay noise-injection policy to further improve the accuracy and resiliency of Fed-CDP. We evaluate and compare Fed-CDP and Fed-CDP(decay) with Fed-SDP in terms of differential privacy guarantee and gradient leakage resilience over five benchmark datasets. The results show that the Fed-CDP approach outperforms conventional Fed-SDP in terms of resilience to client gradient leakages while offering competitive accuracy performance in federated learning.

Machine Learning,Cryptography and Security

Zhifu Huang,Zihao Wei,Jinyang Wang

DOI: https://doi.org/10.1109/access.2024.3431031

IF: 3.9

2024-07-26

IEEE Access

Abstract:As well-known, the paradigm of federated learning (FL) operates on the principle that without centralizing data into a single server, server only trains and updates global models based on the local model from multiple clients. Compared with traditional machine learning, FL enables that data availability and invisibility and preserves the data security. However, in the process of FL, recently gradient inference attack can be launched by malicious attacker to grasp gradient information, and then infer sensitive information by analyzing this gradient information. By analyzing existing schemes for combating gradient inference attacks, it can be seen that the resistance effect is not good. Designing an effective method for resisting gradient inference attacks is a challenge. In this paper, a privacy-enhanced federated learning method is proposed to efficiently defend against gradient inference attacks and improve the accuracy of the training model. In this method, the Gaussian noise has been used to enhance the training model's ability to resist gradient inference attacks, and the Adam gradient descent method has been applied to enhance the accuracy of the training model. Finally, this paper conducted experiments on the CIFAR-10 dataset and MNIST dataset, and the experimental results showed that compared to alternatives, the proposed method has stronger resistance to gradient inference attacks and higher model accuracy.

computer science, information systems,telecommunications,engineering, electrical & electronic

Dongyun Xue,Haomiao Yang,Mengyu Ge,Jingwei Li,Guowen Xu,Hongwei Li

DOI: https://doi.org/10.1109/INFOCOM53939.2023.10229091

2023-01-01

Abstract:Federated learning (FL) is a distributed machine learning technology that preserves data privacy. However, it has been shown to be vulnerable to gradient leakage attacks (GLA), which can reconstruct private training data from public gradients with an overwhelming probability. Nevertheless, these attacks either require modification of the FL model (analytics-based) or take a long time to converge (optimization-based) and fail in dealing with highly compressed gradients in practical FL systems. In this paper, we pioneer a generation-based GLA method called FGLA that can reconstruct batches of user data, forgoing the optimization process. Specifically, we design a feature separation technique that extracts the feature of each data in a batch and then generates user data directly. Extensive experiments on multiple image datasets demonstrate that FGLA can reconstruct user images in milliseconds with a batch size of 256 from highly compressed gradients (0.8% compression ratio or higher), thus substantially outperforming state-of-the-art methods.

Dun Zeng,Shiyu Liu,Siqi Liang,Zonghang Li,Hui Wang,Irwin King,Zenglin Xu

DOI: https://doi.org/10.48550/arXiv.2205.13216

2023-02-25

Abstract:Federated learning enables isolated clients to train a shared model collaboratively by aggregating the locally-computed gradient updates. However, privacy information could be leaked from uploaded gradients and be exposed to malicious attackers or an honest-but-curious server. Although the additive homomorphic encryption technique guarantees the security of this process, it brings unacceptable computation and communication burdens to FL participants. To mitigate this cost of secure aggregation and maintain the learning performance, we propose a new framework called Encoded Gradient Aggregation (\emph{EGA}). In detail, EGA first encodes local gradient updates into an encoded domain with injected noises in each client before the aggregation in the server. Then, the encoded gradients aggregation results can be recovered for the global model update via a decoding function. This scheme could prevent the raw gradients of a single client from exposing on the internet and keep them unknown to the server. EGA could provide optimization and communication benefits under different noise levels and defend against gradient leakage. We further provide a theoretical analysis of the approximation error and its impacts on federated optimization. Moreover, EGA is compatible with the most federated optimization algorithms. We conduct intensive experiments to evaluate EGA in real-world federated settings, and the results have demonstrated its efficacy.

Cryptography and Security,Machine Learning

Hongfu Liu,Bin Li,Changlong Gao,Pei Xie,Chenglin Zhao

DOI: https://doi.org/10.1109/tifs.2023.3309095

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Federated learning (FL) enables multiple local clients to collaboratively train a global model, which can reduce privacy leakage by sharing model parameters instead of private datasets. However, recent works have revealed that gradient-based data reconstruction attacks, e.g., deep leakage from gradients (DLG), improved DLG (iDLG), and inverting gradients (IG), may still reveal private information by exploiting model parameters from a local client. Current privacy-preserving FL strategies, e.g., differential privacy or gradient compression, can handle such attacks to some extent, but seriously sacrifice their model accuracy. In this work, we propose a novel privacy-preserving FL method, named privacy-encoded FL (PEFL), to combat such data reconstruction attacks without degrading the model performance. The key concept of PEFL is that each large weight matrix of the neural network model is decomposed into multiple cascading sub-matrices, which thus establishes a novel privacy-encoded mechanism by introducing an entangling nonlinear mapping between model gradients and raw data. As such, multiple sub-matrices are directly trained in parallel at the local clients, but only partial sub-matrices are reported to a global server, which suffices to reconstruct the global model whilst increasing the complexity of the coupling between the model parameters and raw data. We provide a detailed analysis of the accuracy, security, and complexity of our method. As shown, it breaks the limit of classical defensive methods, by significantly reducing the risk of data reconstruction attacks yet not degrading the model performance. Compared to classical defenses, the proposed PEFL decreases the peak-signal-to-noise ratio (PSNR) between the reconstructed data and the raw data by ~ 20dB, without sacrificing the test accuracy. As a new paradigm for privacy-preserving FL, our proposed method has great potential in privacy-demanding learning applications.

Haomiao Yang,Dongyun Xue,Mengyu Ge,Jingwei Li,Guowen Xu,Hongwei Li,Rongxing Lu

DOI: https://doi.org/10.1109/TDSC.2024.3387570

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Federated learning (FL) is a distributed machine learning technique that guarantees the privacy of user data. However, FL has been shown to be vulnerable to gradient leakage attacks (GLA), which have the ability to reconstruct private training data from public gradients with high probability. These attacks are either analytic-based, requiring modification of the FL model, or optimization-based, requiring long convergence times and failing to effectively address the challenge of dealing with highly compressed gradients in practical FL systems. This paper presents a pioneering generation-based GLA method called FGLA that can reconstruct batches of user data without the need for the optimization process. We specifically design a feature separation technique that first extracts the features of each sample in a batch and then directly generates the user data. Our extensive experiments on multiple image datasets show that FGLA can reconstruct user images in seconds with a batch size of 256 from highly compressed gradients (0.8% compression ratio or higher), thereby significantly outperforming state-of-the-art methods.

Hanchi Ren,Jingjing Deng,Xianghua Xie,Xiaoke Ma,Jianfeng Ma

DOI: https://doi.org/10.48550/arXiv.2305.04095

2023-05-07

Abstract:Federated Learning (FL) is a widely adopted privacy-preserving machine learning approach where private data remains local, enabling secure computations and the exchange of local model gradients between local clients and third-party parameter servers. However, recent findings reveal that privacy may be compromised and sensitive information potentially recovered from shared gradients. In this study, we offer detailed analysis and a novel perspective on understanding the gradient leakage problem. These theoretical works lead to a new gradient leakage defense technique that secures arbitrary model architectures using a private key-lock module. Only the locked gradient is transmitted to the parameter server for global model aggregation. Our proposed learning method is resistant to gradient leakage attacks, and the key-lock module is designed and trained to ensure that, without the private information of the key-lock module: a) reconstructing private training data from the shared gradient is infeasible; and b) the global model's inference performance is significantly compromised. We discuss the theoretical underpinnings of why gradients can leak private information and provide theoretical proof of our method's effectiveness. We conducted extensive empirical evaluations with a total of forty-four models on several popular benchmarks, demonstrating the robustness of our proposed approach in both maintaining model performance and defending against gradient leakage attacks.

Machine Learning,Artificial Intelligence,Computer Vision and Pattern Recognition

Dayin Zhang,Xiaojun Chen,Jinqiao Shi

DOI: https://doi.org/10.1007/978-3-031-23098-1_11

2022-01-01

Abstract:Federated learning can complete the neural network model training without uploading users' private data. However, the deep leakage from gradients (DLG) and the compensatory reconstruction attack (CRA) can reconstruct the training data according to the gradients uploaded by users. We propose an efficient federated convolutional neural network scheme with differential privacy to solve this problem. By adding Gaussian noise to the fully connected layers of the convolutional neural network, the attacker cannot identify the critical gradients that cause privacy leakage. The cumulative privacy loss is tracked using the analytical moments accountant technique. We conduct extensive experiments on the MNIST and CIFAR10 datasets to evaluate our defense algorithm. After selecting appropriate parameters, the results show that our defense algorithm can defend against DLG and CRA while maintaining a high model accuracy.

Jing Wu,Munawar Hayat,Mingyi Zhou,Mehrtash Harandi

2023-12-14

Abstract:Federated Learning (FL) is a distributed learning paradigm that enhances users privacy by eliminating the need for clients to share raw, private data with the server. Despite the success, recent studies expose the vulnerability of FL to model inversion attacks, where adversaries reconstruct users private data via eavesdropping on the shared gradient information. We hypothesize that a key factor in the success of such attacks is the low entanglement among gradients per data within the batch during stochastic optimization. This creates a vulnerability that an adversary can exploit to reconstruct the sensitive data. Building upon this insight, we present a simple, yet effective defense strategy that obfuscates the gradients of the sensitive data with concealed samples. To achieve this, we propose synthesizing concealed samples to mimic the sensitive data at the gradient level while ensuring their visual dissimilarity from the actual sensitive data. Compared to the previous art, our empirical evaluations suggest that the proposed technique provides the strongest protection while simultaneously maintaining the FL performance.

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition