Haimei Gong,Liangjun Jiang,Xiaoyang Liu,Yuanqi Wang,Lei Wang,Ke Zhang

DOI: https://doi.org/10.3390/s22197157

IF: 3.9

2022-09-22

Sensors

Abstract:Exchanging gradient is a widely used method in modern multinode machine learning system (e.g., distributed training, Federated Learning). Gradients and weights of model has been presumed to be safe to delivery. However, some studies have shown that gradient inversion technique can reconstruct the input images on the pixel level. In this study, we review the research work of data leakage by gradient inversion technique and categorize existing works into three groups: (i) Bias Attacks, (ii) Optimization-Based Attacks, and (iii) Linear Equation Solver Attacks. According to the characteristics of these algorithms, we propose one privacy attack system, i.e., Single-Sample Reconstruction Attack System (SSRAS). This system can carry out image reconstruction regardless of whether the label can be determined. It can extends gradient inversion attack from a fully connected layer with bias terms to attack a fully connected layer and convolutional neural network with or without bias terms. We also propose Improved R-GAP Alogrithm, which can utlize DLG algorithm to derive ground truth. Furthermore, we introduce Rank Analysis Index (RA-I) to measure the possible of whether the user's raw image data can be reconstructed. This rank analysis derive virtual constraints Vi from weights. Compared with the most representative attack algorithms, this reconstruction attack system can recover a user's private training image with high fidelity and attack success rate. Experimental results also show the superiority of the attack system over some other state-of-the-art attack algorithms.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Liwen Wu,Zhizhi Liu,Bin Pu,Kang Wei,Hangcheng Cao,Shaowen Yao

DOI: https://doi.org/10.1016/j.inffus.2024.102620

IF: 18.6

2025-01-01

Information Fusion

Abstract:Federated learning is a privacy-preserving distributed framework that facilitates information fusion and sharing among different clients, enabling the training of a global model without exposing raw data. However, the gradient inversion attack that can reconstruct the training data via gradients has posed a significant threat. Prior attack approaches have demonstrated the efficacy of gradient inversion on low-resolution datasets with small batch sizes, which is impractical in real scenarios. To tackle this issue, this paper proposes an innovative and practical gradient inversion method, namely Deep Generative Gradient Inversion (DGGI), which employs the prior knowledge of diffusion models to enhance reconstruction performance on high-resolution datasets and larger batch sizes. Furthermore, a novel group consistency regularization term that constrains the distance between reconstruction and alignment images has been developed to address the issue of spatial variations caused by pre-trained diffusion model. Experiments conducted on both natural and medical image datasets demonstrate that our DGGI method outperforms state-of-the-art baselines in image reconstruction metrics. Furthermore, our approach achieves pixel-level reconstruction and causes leakage of privacy information, even at larger batch sizes or under various defenses, which can aid in the exploration of latent security concerns within information fusion models.

Jiahui Geng,Yongli Mou,Feifei Li,Qing Li,Oya Beyan,Stefan Decker,Chunming Rong

DOI: https://doi.org/10.48550/arXiv.2110.09074

2022-01-26

Abstract:Unlike traditional central training, federated learning (FL) improves the performance of the global model by sharing and aggregating local models rather than local data to protect the users' privacy. Although this training approach appears secure, some research has demonstrated that an attacker can still recover private data based on the shared gradient information. This on-the-fly reconstruction attack deserves to be studied in depth because it can occur at any stage of training, whether at the beginning or at the end of model training; no relevant dataset is required and no additional models need to be trained. We break through some unrealistic assumptions and limitations to apply this reconstruction attack in a broader range of scenarios. We propose methods that can reconstruct the training data from shared gradients or weights, corresponding to the FedSGD and FedAvg usage scenarios, respectively. We propose a zero-shot approach to restore labels even if there are duplicate labels in the batch. We study the relationship between the label and image restoration. We find that image restoration fails even if there is only one incorrectly inferred label in the batch; we also find that when batch images have the same label, the corresponding image is restored as a fusion of that class of images. Our approaches are evaluated on classic image benchmarks, including CIFAR-10 and ImageNet. The batch size, image quality, and the adaptability of the label distribution of our approach exceed those of GradInversion, the state-of-the-art.

Machine Learning,Artificial Intelligence

Hao Fang,Bin Chen,Xuan Wang,Zhi Wang,Shu-Tao Xia

2023-09-11

Abstract:Federated Learning (FL) has recently emerged as a promising distributed machine learning framework to preserve clients' privacy, by allowing multiple clients to upload the gradients calculated from their local data to a central server. Recent studies find that the exchanged gradients also take the risk of privacy leakage, e.g., an attacker can invert the shared gradients and recover sensitive data against an FL system by leveraging pre-trained generative adversarial networks (GAN) as prior knowledge. However, performing gradient inversion attacks in the latent space of the GAN model limits their expression ability and generalizability. To tackle these challenges, we propose \textbf{G}radient \textbf{I}nversion over \textbf{F}eature \textbf{D}omains (GIFD), which disassembles the GAN model and searches the feature domains of the intermediate layers. Instead of optimizing only over the initial latent code, we progressively change the optimized layer, from the initial latent space to intermediate layers closer to the output images. In addition, we design a regularizer to avoid unreal image generation by adding a small ${l_1}$ ball constraint to the searching range. We also extend GIFD to the out-of-distribution (OOD) setting, which weakens the assumption that the training sets of GANs and FL tasks obey the same data distribution. Extensive experiments demonstrate that our method can achieve pixel-level reconstruction and is superior to the existing methods. Notably, GIFD also shows great generalizability under different defense strategy settings and batch sizes.

Computer Vision and Pattern Recognition,Cryptography and Security

Jiyue Huang,Chi Hong,Lydia Y. Chen,Stefanie Roos

2024-05-31

Abstract:Diffusion models are becoming defector generative models, which generate exceptionally high-resolution image data. Training effective diffusion models require massive real data, which is privately owned by distributed parties. Each data party can collaboratively train diffusion models in a federated learning manner by sharing gradients instead of the raw data. In this paper, we study the privacy leakage risk of gradient inversion attacks. First, we design a two-phase fusion optimization, GIDM, to leverage the well-trained generative model itself as prior knowledge to constrain the inversion search (latent) space, followed by pixel-wise fine-tuning. GIDM is shown to be able to reconstruct images almost identical to the original ones. Considering a more privacy-preserving training scenario, we then argue that locally initialized private training noise $\epsilon$ and sampling step t may raise additional challenges for the inversion attack. To solve this, we propose a triple-optimization GIDM+ that coordinates the optimization of the unknown data, $\epsilon$ and $t$. Our extensive evaluation results demonstrate the vulnerability of sharing gradient for data protection of diffusion models, even high-resolution images can be reconstructed with high quality.

Artificial Intelligence,Cryptography and Security,Computer Vision and Pattern Recognition

Zipeng Ye,Wenjian Luo,Qi Zhou,Yubo Tang

DOI: https://doi.org/10.1609/aaai.v38i18.29975

2024-01-01

Abstract:Distributed learning frameworks aim to train global models by sharing gradients among clients while preserving the data privacy of each individual client. However, extensive research has demonstrated that these learning frameworks do not absolutely ensure the privacy, as training data can be reconstructed from shared gradients. Nevertheless, the existing privacy-breaking attack methods have certain limitations. Some are applicable only to small models, while others can only recover images in small batch size and low resolutions, or with low fidelity. Furthermore, when there are some data with the same label in a training batch, existing attack methods usually perform poorly. In this work, we successfully address the limitations of existing attacks by two steps. Firstly, we model the coefficient of variation (CV) of features and design an evolutionary algorithm based on the minimum CV to accurately reconstruct the labels of all training data. After that, we propose a stepwise gradient inversion attack, which dynamically adapts the objective function, thereby effectively and rationally promoting the convergence of attack results towards an optimal solution. With these two steps, our method is able to recover high resolution images (224*224 pixel, from ImageNet and Web) with high fidelity in distributed learning scenarios involving complex models and larger batch size. Experiment results demonstrate the superiority of our approach, reveal the potential vulnerabilities of the distributed learning paradigm, and emphasize the necessity of developing more secure mechanisms. Source code is available at https://github.com/MiLab-HITSZ/2023YeHFGradInv.

Yiming Liu,Kejie Xu,Qiji Zheng,Jianhao Cui

DOI: https://doi.org/10.1109/ICFTIC54370.2021.9647073

2021-11-12

Abstract:In recent years, federated learning is often used as a means to protect data privacy and is widely used in face recognition and other privacy-related scenarios. In the past, it was generally believed that the gradient information uploaded to the server would not leak the original training data. However, it has been discovered that an efficient gradient leakage attack can restore the original data only through the gradient information. In the scene of face recognition, since the facial features contain complex information, the attack effect of this traditional gradient leakage attack is not ideal. This paper aims at the face recognition task in the federated learning scenario, for the first time through the constraints and round optimization of Face GAN, to indicate the best gradient descent direction for the training of the attack network model, so as to avoid falling into the local minimum, to improve the traditional gradient leakage attack. Experiments show that when the batch size=1 of the proposed scheme, after adding noise to the picture, our optimization scheme can significantly improve the anti-interference ability of the attack. The facial features recovered are clearer, the face is more natural, and the error with the original data is smaller, the error is reduced by 80% at most; when batch size>1, the improved attack scheme can prevent multiple pictures from being mixed on one picture, thereby recovering a larger number of pictures.

Computer Science

Luiz Leite,Yuri Santo,Bruno L. Dalmazo,André Riker

2024-09-26

Abstract:Federated Learning (FL) has emerged as a machine learning approach able to preserve the privacy of user's data. Applying FL, clients train machine learning models on a local dataset and a central server aggregates the learned parameters coming from the clients, training a global machine learning model without sharing user's data. However, the state-of-the-art shows several approaches to promote attacks on FL systems. For instance, inverting or leaking gradient attacks can find, with high precision, the local dataset used during the training phase of the FL. This paper presents an approach, called Deep Leakage from Gradients with Feedback Blending (DLG-FB), which is able to improve the inverting gradient attack, considering the spatial correlation that typically exists in batches of images. The performed evaluation shows an improvement of 19.18% and 48,82% in terms of attack success rate and the number of iterations per attacked image, respectively.

Cryptography and Security,Artificial Intelligence

Yanbo Wang,Jian Liang,Ran He

2024-04-15

Abstract:Gradient inversion attacks aim to reconstruct local training data from intermediate gradients exposed in the federated learning framework. Despite successful attacks, all previous methods, starting from reconstructing a single data point and then relaxing the single-image limit to batch level, are only tested under hard label constraints. Even for single-image reconstruction, we still lack an analysis-based algorithm to recover augmented soft labels. In this work, we change the focus from enlarging batchsize to investigating the hard label constraints, considering a more realistic circumstance where label smoothing and mixup techniques are used in the training process. In particular, we are the first to initiate a novel algorithm to simultaneously recover the ground-truth augmented label and the input feature of the last fully-connected layer from single-input gradients, and provide a necessary condition for any analytical-based label recovery methods. Extensive experiments testify to the label recovery accuracy, as well as the benefits to the following image reconstruction. We believe soft labels in classification tasks are worth further attention in gradient inversion attacks.

Cryptography and Security,Computer Vision and Pattern Recognition,Machine Learning

Kailang Ma,Yu Sun,Jian Cui,Dawei Li,Zhenyu Guan,Jianwei Liu

2023-01-01

Abstract:Gradient inversion attacks have posed a serious threat to the privacy of federated learning. The attacks search for the optimal pair of input and label best matching the shared gradients and the search space of the attacks can be reduced by pre-restoring labels. Recently, label restoration technique allows for the extraction of labels from gradients analytically, but even the state-of-the-art remains limited to identify the presence of categories (i.e., the class-wise label restoration). This work considers the more real-world settings, where there are multiple instances of each class in a training batch. An analytic method is proposed to perform instance-wise batch label restoration from only the gradient of the final layer. On the basis of the approximate recovered class-wise embeddings and post-softmax probabilities, we establish linear equations of the gradients, probabilities and labels to derive the Number of Instances (NoI) per class by the Moore-Penrose pseudoinverse algorithm. Our experimental evaluations reach over 99% Label existence Accuracy (LeAcc) and exceed 96% Label number Accuracy (LnAcc) in most cases on three image datasets and four classification models. The two metrics are used to evaluate class-wise and instance-wise label restoration accuracy, respectively. And the recovery is made feasible even with a batch size of 4096 and partially negative activations (e.g., Leaky ReLU and Swish). Furthermore, we demonstrate that our method facilitates the existing gradient inversion attacks by exploiting the recovered labels, with an increase of 6-7 in PSNR on both MNIST and CIFAR100.

Divya Anand Sinha,Yezi Liu,Ruijie Du,Yanning Shen

2024-11-29

Abstract:Graph federated learning is of essential importance for training over large graph datasets while protecting data privacy, where each client stores a subset of local graph data, while the server collects the local gradients and broadcasts only the aggregated gradients. Recent studies reveal that a malicious attacker can steal private image data from gradient exchanging of neural networks during federated learning. However, none of the existing works have studied the vulnerability of graph data and graph neural networks under such attack. To answer this question, the present paper studies the problem of whether private data can be recovered from leaked gradients in both node classification and graph classification tasks and { proposes a novel attack named Graph Leakage from Gradients (GLG)}. Two widely-used GNN frameworks are analyzed, namely GCN and GraphSAGE. The effects of different model settings on recovery are extensively discussed. Through theoretical analysis and empirical validation, it is shown that parts of the graph data can be leaked from the gradients.

Machine Learning,Artificial Intelligence

Haomiao Yang,Mengyu Ge,Kunlan Xiang,Jingwei Li

DOI: https://doi.org/10.1109/tifs.2022.3227761

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Federated learning (FL) preserves data privacy by exchanging gradients instead of local training data. However, these private data can still be reconstructed from the exchanged gradients. Deep leakage from gradients (DLG) is a classical reconstruction attack that optimizes dummy data to real data by making the corresponding dummy and real gradients as similar as possible. Nevertheless, DLG fails with highly compressed gradients, which are crucial for communication-efficient FL. In this study, we propose an effective data reconstruction attack against highly compressed gradients, called highly compressed gradient leakage attack (HCGLA). In particular, HCGLA is characterized by the following three key techniques: 1) Owing to the unreasonable optimization objective of DLG in compression scenarios, we redesign a plausible objective function, ensuring that compressed dummy gradients are similar to the compressed real gradients. 2) Instead of simply initializing dummy data through random noise, as in DLG, we design a novel dummy data initialization method, Init-Generation, to compensate for information loss caused by gradient compression. 3) To further enhance reconstruction quality, we train an ad hoc denoising model using the methods of “first optimizing, next filtering, and then reoptimizing”. Extensive experiments on various benchmark data sets and mainstream models show that HCGLA is an effective reconstruction attack even against highly compressed gradients of 0.1%, whereas state-of-the-art attacks can only support 70% compression, thereby achieving a 700-fold improvement.

Cangxiong Chen,Neill D.F. Campbell

DOI: https://doi.org/10.48550/arXiv.2111.10178

2021-11-19

Abstract:Federated learning of deep learning models for supervised tasks, e.g. image classification and segmentation, has found many applications: for example in human-in-the-loop tasks such as film post-production where it enables sharing of domain expertise of human artists in an efficient and effective fashion. In many such applications, we need to protect the training data from being leaked when gradients are shared in the training process due to IP or privacy concerns. Recent works have demonstrated that it is possible to reconstruct the training data from gradients for an image-classification model when its architecture is known. However, there is still an incomplete theoretical understanding of the efficacy and failure of such attacks. In this paper, we analyse the source of training-data leakage from gradients. We formulate the problem of training data reconstruction as solving an optimisation problem iteratively for each layer. The layer-wise objective function is primarily defined by weights and gradients from the current layer as well as the output from the reconstruction of the subsequent layer, but it might also involve a 'pull-back' constraint from the preceding layer. Training data can be reconstructed when we solve the problem backward from the output of the network through each layer. Based on this formulation, we are able to attribute the potential leakage of the training data in a deep network to its architecture. We also propose a metric to measure the level of security of a deep learning model against gradient-based attacks on the training data.

Machine Learning

Can Liu,Jin Wang,and Yipeng Zhou,Yachao Yuan,Quanzheng Sheng,Kejie Lu

2024-07-31

Abstract:Federated learning (FL) empowers privacypreservation in model training by only exposing users' model gradients. Yet, FL users are susceptible to gradient inversion attacks (GIAs) which can reconstruct ground-truth training data such as images based on model gradients. However, reconstructing high-resolution images by existing GIAs faces two challenges: inferior accuracy and slow-convergence, especially when duplicating labels exist in the training batch. To address these challenges, we present an Accurate and Fast-convergent Gradient Inversion attack algorithm, called AFGI, with two components: Label Recovery Block (LRB) which can accurately restore duplicating labels of private images based on exposed gradients; VME Regularization Term, which includes the total variance of reconstructed images, the discrepancy between three-channel means and edges, between values from exposed gradients and reconstructed images, respectively. The AFGI can be regarded as a white-box attack strategy to reconstruct images by leveraging labels recovered by LRB. In particular, AFGI is efficient that accurately reconstruct ground-truth images when users' training batch size is up to 48. Our experimental results manifest that AFGI can diminish 85% time costs while achieving superb inversion quality in the ImageNet dataset. At last, our study unveils the shortcomings of FL in privacy-preservation, prompting the development of more advanced countermeasure strategies.

Computer Vision and Pattern Recognition

Yangsibo Huang,Samyak Gupta,Zhao Song,Kai Li,Sanjeev Arora

DOI: https://doi.org/10.48550/arXiv.2112.00059

2021-12-01

Abstract:Gradient inversion attack (or input recovery from gradient) is an emerging threat to the security and privacy preservation of Federated learning, whereby malicious eavesdroppers or participants in the protocol can recover (partially) the clients' private data. This paper evaluates existing attacks and defenses. We find that some attacks make strong assumptions about the setup. Relaxing such assumptions can substantially weaken these attacks. We then evaluate the benefits of three proposed defense mechanisms against gradient inversion attacks. We show the trade-offs of privacy leakage and data utility of these defense methods, and find that combining them in an appropriate manner makes the attack less effective, even under the original strong assumptions. We also estimate the computation cost of end-to-end recovery of a single image under each evaluated defense. Our findings suggest that the state-of-the-art attacks can currently be defended against with minor data utility loss, as summarized in a list of potential strategies. Our code is available at: <a class="link-external link-https" href="https://github.com/Princeton-SysML/GradAttack" rel="external noopener nofollow">this https URL</a>.

Cryptography and Security,Machine Learning

Haomiao Yang,Dongyun Xue,Mengyu Ge,Jingwei Li,Guowen Xu,Hongwei Li,Rongxing Lu

DOI: https://doi.org/10.1109/TDSC.2024.3387570

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Federated learning (FL) is a distributed machine learning technique that guarantees the privacy of user data. However, FL has been shown to be vulnerable to gradient leakage attacks (GLA), which have the ability to reconstruct private training data from public gradients with high probability. These attacks are either analytic-based, requiring modification of the FL model, or optimization-based, requiring long convergence times and failing to effectively address the challenge of dealing with highly compressed gradients in practical FL systems. This paper presents a pioneering generation-based GLA method called FGLA that can reconstruct batches of user data without the need for the optimization process. We specifically design a feature separation technique that first extracts the features of each sample in a batch and then directly generates the user data. Our extensive experiments on multiple image datasets show that FGLA can reconstruct user images in seconds with a batch size of 256 from highly compressed gradients (0.8% compression ratio or higher), thereby significantly outperforming state-of-the-art methods.

Dimitar I. Dimitrov,Maximilian Baader,Mark Niklas Müller,Martin Vechev

2024-06-03

Abstract:Federated learning is a framework for collaborative machine learning where clients only share gradient updates and not their private data with a server. However, it was recently shown that gradient inversion attacks can reconstruct this data from the shared gradients. In the important honest-but-curious setting, existing attacks enable exact reconstruction only for a batch size of $b=1$, with larger batches permitting only approximate reconstruction. In this work, we propose SPEAR, the first algorithm reconstructing whole batches with $b >1$ exactly. SPEAR combines insights into the explicit low-rank structure of gradients with a sampling-based algorithm. Crucially, we leverage ReLU-induced gradient sparsity to precisely filter out large numbers of incorrect samples, making a final reconstruction step tractable. We provide an efficient GPU implementation for fully connected networks and show that it recovers high-dimensional ImageNet inputs in batches of up to $b \lesssim 25$ exactly while scaling to large networks. Finally, we show theoretically that much larger batches can be reconstructed with high probability given exponential time.

Machine Learning,Cryptography and Security,Distributed, Parallel, and Cluster Computing

Zhaohua Li,L Wang,Guangyao Chen,Zhiqiang Zhang,Muhammad Shafiq,Zhaoquan Gu

DOI: https://doi.org/10.1109/JBHI.2022.3204455

Abstract:A plethora of healthcare data is produced every day due to the proliferation of prominent technologies such as Internet of Medical Things (IoMT). Digital-driven smart devices like wearable watches, wristbands and bracelets are utilized extensively in modern healthcare applications. Mining valuable information from the data distributed at the owners' level is useful, but it is challenging to preserve data privacy. Federated learning (FL) has swiftly surged in popularity due to its efficacy in dealing privacy vulnerabilities. Recent studies have demonstrated that Gradient Inversion Attack (GIA) can reconstruct the input data by leaked gradients, previous work demonstrated the achievement of GIA in very limited scenarios, such as the label repetition rate of the target sample being low and batch sizes being smaller than 48. In this paper, a novel method of End-to-End Gradient Inversion (E2EGI) is proposed. Compared to the state-of-the-art method, E2EGI's Minimum Loss Combinatorial Optimization (MLCO) has the ability to realize reconstructed samples with higher similarity, and the Distributed Gradient Inversion algorithm can implement GIA with batch sizes of 8 to 256 on deep network models (such as ResNet-50) and ImageNet datasets. A new Label Reconstruction algorithm is developed that relies only on the gradient information of the target model, which can achieve a label reconstruction accuracy of 81% in one batch sample with a label repetition rate of 96%, a 27% improvement over the state-of-the-art method. This proposed work can underpin data security assessments for healthcare federated learning.

Bowen Li,Hanlin Gu,Ruoxin Chen,Jie Li,Chentao Wu,Na Ruan,Xueming Si,Lixin Fan

DOI: https://doi.org/10.48550/arxiv.2306.07883

2023-01-01

Abstract: Federated Learning (FL) has emerged as a promising approach for collaborative model training without sharing private data. However, privacy concerns regarding information exchanged during FL have received significant research attention. Gradient Inversion Attacks (GIAs) have been proposed to reconstruct the private data retained by local clients from the exchanged gradients. While recovering private data, the data dimensions and the model complexity increase, which thwart data reconstruction by GIAs. Existing methods adopt prior knowledge about private data to overcome those challenges. In this paper, we first observe that GIAs with gradients from a single iteration fail to reconstruct private data due to insufficient dimensions of leaked gradients, complex model architectures, and invalid gradient information. We investigate a Temporal Gradient Inversion Attack with a Robust Optimization framework, called TGIAs-RO, which recovers private data without any prior knowledge by leveraging multiple temporal gradients. To eliminate the negative impacts of outliers, e.g., invalid gradients for collaborative optimization, robust statistics are proposed. Theoretical guarantees on the recovery performance and robustness of TGIAs-RO against invalid gradients are also provided. Extensive empirical results on MNIST, CIFAR10, ImageNet and Reuters 21578 datasets show that the proposed TGIAs-RO with 10 temporal gradients improves reconstruction performance compared to state-of-the-art methods, even for large batch sizes (up to 128), complex models like ResNet18, and large datasets like ImageNet (224*224 pixels). Furthermore, the proposed attack method inspires further exploration of privacy-preserving methods in the context of FL.

Yu Yan,Yu Sun,Jian Cui,Jianwei Liu

DOI: https://doi.org/10.1109/smartcloud58862.2023.00015

2023-01-01

Abstract:As a distributed machine learning approach, federated learning enables multiple clients to collaboratively train a deep learning model for a common artificial intelligence task and share their gradients only. However, recent gradient inversion attacks demonstrate the possibility to reconstruct clients' training data from shared gradients and thus pose a severe threat to the privacy of federated learning. In this paper, we focus on the neuron-exclusivity-based gradient inversion attack, which is the first analytic attack based on the neuron exclusivity state. Since the key condition of sufficient exclusivity is required to construct the neuron-exclusivity-based attack, we propose a batch-perturbation-based targeted defense aiming to eliminate the exclusivity state of the training batches. The batch perturbation algorithm can be modeled as an optimization problem that aims to find the optimal perturbation on an input batch to satisfy the secure boundary condition. Then we transform the optimization problem into a linear programming problem and solve it with PuLP. We evaluate our proposed defense on two datasets: MNIST and OrganAMNIST. The experiment results demonstrate that our proposed defense can effectively prevent the neuron-exclusivity-based attack while having almost no negative impact on model training and model performance.