Robbing the Fed: Directly Obtaining Private Data in Federated Learning with Modified Models
- URL: http://arxiv.org/abs/2110.13057v1
- Date: Mon, 25 Oct 2021 15:52:06 GMT
- Title: Robbing the Fed: Directly Obtaining Private Data in Federated Learning with Modified Models
- Authors: Liam Fowl, Jonas Geiping, Wojtek Czaja, Micah Goldblum, Tom Goldstein
- Abstract summary: Federated learning has quickly gained popularity with its promises of increased user privacy and efficiency.
Previous attacks on user privacy have been limited in scope and do not scale to gradient updates aggregated over even a handful of data points.
We introduce a new threat model based on minimal but malicious modifications of the shared model architecture.
- Score: 56.0250919557652
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Federated learning has quickly gained popularity with its promises of
increased user privacy and efficiency. Previous works have shown that federated
gradient updates contain information that can be used to approximately recover
user data in some situations. These previous attacks on user privacy have been
limited in scope and do not scale to gradient updates aggregated over even a
handful of data points, leaving some to conclude that data privacy is still
intact for realistic training regimes. In this work, we introduce a new threat
model based on minimal but malicious modifications of the shared model
architecture which enable the server to directly obtain a verbatim copy of user
data from gradient updates without solving difficult inverse problems. Even
user data aggregated over large batches -- where previous methods fail to
extract meaningful content -- can be reconstructed by these minimally modified
models.
Related papers
- QBI: Quantile-Based Bias Initialization for Efficient Private Data Reconstruction in Federated Learning [0.5497663232622965]
Federated learning enables the training of machine learning models on distributed data without compromising user privacy.
Recent research has shown that the central entity can perfectly reconstruct private data from shared model updates.
arXiv Detail & Related papers (2024-06-26T20:19:32Z)
- Ungeneralizable Examples [70.76487163068109]
Current approaches to creating unlearnable data involve incorporating small, specially designed noises.
We extend the concept of unlearnable data to conditional data learnability and introduce UnGeneralizable Examples (UGEs).
UGEs exhibit learnability for authorized users while maintaining unlearnability for potential hackers.
arXiv Detail & Related papers (2024-04-22T09:29:14Z)
- Privacy Backdoors: Enhancing Membership Inference through Poisoning Pre-trained Models [112.48136829374741]
In this paper, we unveil a new vulnerability: the privacy backdoor attack.
When a victim fine-tunes a backdoored model, their training data will be leaked at a significantly higher rate than if they had fine-tuned a typical model.
Our findings highlight a critical privacy concern within the machine learning community and call for a reevaluation of safety protocols in the use of open-source pre-trained models.
arXiv Detail & Related papers (2024-04-01T16:50:54Z)
- LOKI: Large-scale Data Reconstruction Attack against Federated Learning through Model Manipulation [25.03733882637947]
We introduce LOKI, an attack that overcomes previous limitations and also breaks the anonymity of aggregation.
With FedAVG and aggregation across 100 clients, prior work can leak less than 1% of images on MNIST, CIFAR-100, and Tiny ImageNet.
Using only a single training round, LOKI is able to leak 76-86% of all data samples.
arXiv Detail & Related papers (2023-03-21T23:29:35Z)
- Client-specific Property Inference against Secure Aggregation in Federated Learning [52.8564467292226]
Federated learning has become a widely used paradigm for collaboratively training a common model among different participants.
Many attacks have shown that it is still possible to infer sensitive information such as membership, property, or outright reconstruction of participant data.
We show that simple linear models can effectively capture client-specific properties only from the aggregated model updates.
arXiv Detail & Related papers (2023-03-07T14:11:01Z)
- Do Gradient Inversion Attacks Make Federated Learning Unsafe? [70.0231254112197]
Federated learning (FL) allows the collaborative training of AI models without needing to share raw data.
Recent works on the inversion of deep neural networks from model gradients raised concerns about the security of FL in preventing the leakage of training data.
In this work, we show that these attacks presented in the literature are impractical in real FL use-cases and provide a new baseline attack.
arXiv Detail & Related papers (2022-02-14T18:33:12Z)
- Fishing for User Data in Large-Batch Federated Learning via Gradient Magnification [65.33308059737506]
Federated learning (FL) has rapidly risen in popularity due to its promise of privacy and efficiency.
Previous works have exposed privacy vulnerabilities in the FL pipeline by recovering user data from gradient updates.
We introduce a new strategy that dramatically elevates existing attacks to operate on batches of arbitrarily large size.
arXiv Detail & Related papers (2022-02-01T17:26:11Z)
- When the Curious Abandon Honesty: Federated Learning Is Not Private [36.95590214441999]
In federated learning (FL), data does not leave personal devices when they are jointly training a machine learning model.
We show a novel data reconstruction attack which allows an active and dishonest central party to efficiently extract user data from the received gradients.
arXiv Detail & Related papers (2021-12-06T10:37:03Z)
- PRECODE - A Generic Model Extension to Prevent Deep Gradient Leakage [0.8029049649310213]
Collaborative training of neural networks leverages distributed data by exchanging gradient information between different clients.
Gradient perturbation techniques have been proposed to enhance privacy, but they come at the cost of reduced model performance, increased convergence time, or increased data demand.
We introduce PRECODE, a PRivacy EnhanCing mODulE that can be used as generic extension for arbitrary model architectures.
arXiv Detail & Related papers (2021-08-10T14:43:17Z)
This list is automatically generated from the titles and abstracts of the papers in this site.