Understanding Training-Data Leakage from Gradients in Neural Networks
for Image Classification
- URL: http://arxiv.org/abs/2111.10178v1
- Date: Fri, 19 Nov 2021 12:14:43 GMT
- Title: Understanding Training-Data Leakage from Gradients in Neural Networks
for Image Classification
- Authors: Cangxiong Chen, Neill D.F. Campbell
- Abstract summary: In many applications, we need to protect the training data from being leaked due to IP or privacy concerns.
Recent works have demonstrated that it is possible to reconstruct the training data from gradients for an image-classification model when its architecture is known.
We formulate the problem of training data reconstruction as solving an optimisation problem iteratively for each layer.
We are able to attribute the potential leakage of the training data in a deep network to its architecture.
- Score: 11.272188531829016
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Federated learning of deep learning models for supervised tasks, e.g. image
classification and segmentation, has found many applications: for example in
human-in-the-loop tasks such as film post-production where it enables sharing
of domain expertise of human artists in an efficient and effective fashion. In
many such applications, we need to protect the training data from being leaked
when gradients are shared in the training process due to IP or privacy
concerns. Recent works have demonstrated that it is possible to reconstruct the
training data from gradients for an image-classification model when its
architecture is known. However, there is still an incomplete theoretical
understanding of the efficacy and failure of such attacks. In this paper, we
analyse the source of training-data leakage from gradients. We formulate the
problem of training data reconstruction as solving an optimisation problem
iteratively for each layer. The layer-wise objective function is primarily
defined by weights and gradients from the current layer as well as the output
from the reconstruction of the subsequent layer, but it might also involve a
'pull-back' constraint from the preceding layer. Training data can be
reconstructed when we solve the problem backward from the output of the network
through each layer. Based on this formulation, we are able to attribute the
potential leakage of the training data in a deep network to its architecture.
We also propose a metric to measure the level of security of a deep learning
model against gradient-based attacks on the training data.
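The abstract refers to optimisation-based gradient-leakage attacks that recover training images by matching gradients. Below is a minimal, self-contained sketch of that general class of attack (in the style of "deep leakage from gradients"); it is not the authors' layer-wise procedure, and the toy model, image size and hyper-parameters are illustrative assumptions.

```python
# Minimal sketch of an optimisation-based gradient-leakage attack (gradient
# matching). NOT the paper's layer-wise method; it only illustrates the class
# of attacks the paper analyses. Model, sizes and hyper-parameters are toy choices.
import torch
import torch.nn as nn

torch.manual_seed(0)

model = nn.Sequential(nn.Flatten(), nn.Linear(32 * 32 * 3, 100), nn.ReLU(), nn.Linear(100, 10))
loss_fn = nn.CrossEntropyLoss()
params = tuple(model.parameters())

# "Victim" gradient shared during federated training (one image, one label).
x_true = torch.rand(1, 3, 32, 32)
y_true = torch.tensor([3])
true_grads = torch.autograd.grad(loss_fn(model(x_true), y_true), params)

# Attacker optimises a dummy image and soft label so their gradient matches the shared one.
x_hat = torch.rand(1, 3, 32, 32, requires_grad=True)
y_hat = torch.randn(1, 10, requires_grad=True)
opt = torch.optim.Adam([x_hat, y_hat], lr=0.1)

for step in range(300):
    opt.zero_grad()
    dummy_loss = torch.sum(torch.softmax(y_hat, dim=-1) * -torch.log_softmax(model(x_hat), dim=-1))
    dummy_grads = torch.autograd.grad(dummy_loss, params, create_graph=True)
    grad_diff = sum(((dg - tg) ** 2).sum() for dg, tg in zip(dummy_grads, true_grads))
    grad_diff.backward()
    opt.step()

print("final gradient-matching loss:", grad_diff.item())  # low value => x_hat approximates x_true
```

Whether such an attack converges to the true image depends strongly on the network, which is exactly the architectural dependence the paper's layer-wise analysis sets out to explain.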
Related papers
- R-CONV: An Analytical Approach for Efficient Data Reconstruction via Convolutional Gradients [40.209183669098735]
This paper introduces an advanced data leakage method to efficiently exploit convolutional layers' gradients.
To the best of our knowledge, this is the first analytical approach that successfully reconstructs convolutional layer inputs directly from the gradients.
arXiv Detail & Related papers (2024-06-06T16:28:04Z)
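R-CONV's convolution-specific derivation is not reproduced here; as a simpler illustration of the same analytic principle, the input of a fully connected layer with a bias can be recovered exactly from that layer's gradients, a well-known observation that analytic attacks build on. The toy layer and loss below are illustrative assumptions.

```python
# Simplified analogue of analytic gradient leakage (NOT R-CONV's convolutional
# derivation): for a fully connected layer y = W x + b we have
#   dL/dW = (dL/dy) x^T   and   dL/db = dL/dy,
# so any row of dL/dW divided by the matching entry of dL/db recovers x exactly.
import torch
import torch.nn as nn

torch.manual_seed(0)
layer = nn.Linear(8, 4)
x = torch.rand(8)                       # the "private" layer input
loss = layer(x).square().sum()          # any scalar loss downstream of the layer
loss.backward()

dW, db = layer.weight.grad, layer.bias.grad
i = torch.argmax(db.abs())              # pick a row with a non-zero bias gradient
x_recovered = dW[i] / db[i]

print(torch.allclose(x_recovered, x, atol=1e-5))  # True: input recovered exactly
```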
- Take A Shortcut Back: Mitigating the Gradient Vanishing for Training Spiking Neural Networks [15.691263438655842]
Spiking Neural Network (SNN) is a biologically inspired neural network infrastructure that has recently garnered significant attention.
Training an SNN directly poses a challenge due to the undefined gradient of the firing spike process.
We propose a shortcut back-propagation method in our paper, which advocates for transmitting the gradient directly from the loss to the shallow layers.
arXiv Detail & Related papers (2024-01-09T10:54:41Z)
- Learn to Unlearn for Deep Neural Networks: Minimizing Unlearning Interference with Gradient Projection [56.292071534857946]
Recent data-privacy laws have sparked interest in machine unlearning.
The challenge is to discard information about the "forget" data without altering knowledge about the remaining dataset.
We adopt a projected-gradient based learning method, named Projected-Gradient Unlearning (PGU).
We provide empirical evidence to demonstrate that our unlearning method can produce models that behave similarly to models retrained from scratch across various metrics, even when the training dataset is no longer accessible.
arXiv Detail & Related papers (2023-12-07T07:17:24Z)
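The exact PGU algorithm is not reproduced here; the sketch below only illustrates the generic gradient-projection idea it builds on: project the unlearning update onto the subspace orthogonal to gradients computed on retained data. All names and dimensions are illustrative assumptions.

```python
# Generic gradient-projection sketch (not the exact PGU algorithm): the
# unlearning update is projected onto the subspace orthogonal to gradient
# directions from the retained data, so it interferes as little as possible
# with what the model should still remember.
import torch

def project_out(update: torch.Tensor, retained_grads: torch.Tensor) -> torch.Tensor:
    """Remove from `update` its components along the span of `retained_grads`.

    update:         flat parameter update, shape (d,)
    retained_grads: rows are flattened gradients on retained data, shape (k, d)
    """
    q, _ = torch.linalg.qr(retained_grads.T)   # orthonormal basis of the retained subspace, (d, k)
    return update - q @ (q.T @ update)

d = 10
retained = torch.randn(3, d)        # gradients that must be preserved (illustrative)
g_forget = torch.randn(d)           # raw unlearning direction (illustrative)
g_proj = project_out(g_forget, retained)

# The projected update is (numerically) orthogonal to every retained gradient.
print(retained @ g_proj)            # ~zero vector
```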
- Optimal transfer protocol by incremental layer defrosting [66.76153955485584]
Transfer learning is a powerful tool enabling model training with limited amounts of data.
The simplest transfer learning protocol is based on "freezing" the feature-extractor layers of a network pre-trained on a data-rich source task.
We show that this protocol is often sub-optimal and the largest performance gain may be achieved when smaller portions of the pre-trained network are kept frozen.
arXiv Detail & Related papers (2023-03-02T17:32:11Z)
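For context on the "freezing" baseline this paper revisits, here is a minimal sketch of that protocol in PyTorch; the ResNet-18 backbone, the 10-class head, and the choice of which block to "defrost" are illustrative assumptions, not the paper's experimental setup.

```python
# Minimal sketch of the baseline transfer protocol described above:
# freeze the pre-trained feature extractor and train only the new head.
# The backbone and the freezing point are illustrative choices.
import torch.nn as nn
from torchvision import models

model = models.resnet18(weights="DEFAULT")      # pre-trained on the data-rich source task

for param in model.parameters():                # freeze every pre-trained layer
    param.requires_grad = False

model.fc = nn.Linear(model.fc.in_features, 10)  # new head for a 10-class target task
# (newly created parameters default to requires_grad=True, so only the head trains)

# "Defrosting" more of the network instead: e.g. also fine-tune the last residual block.
for param in model.layer4.parameters():
    param.requires_grad = True
```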
- Understanding Reconstruction Attacks with the Neural Tangent Kernel and Dataset Distillation [110.61853418925219]
We build a stronger version of the dataset reconstruction attack and show how it can provably recover the entire training set in the infinite width regime.
We show, both theoretically and empirically, that reconstructed images tend to be outliers in the dataset.
These reconstruction attacks can be used for dataset distillation; that is, we can retrain on reconstructed images and obtain high predictive accuracy.
arXiv Detail & Related papers (2023-02-02T21:41:59Z)
- Reconstructing Training Data from Model Gradient, Provably [68.21082086264555]
We reconstruct the training samples from a single gradient query at a randomly chosen parameter value.
Our findings, based on a provable attack that reveals sensitive training data, suggest potentially severe threats to privacy.
arXiv Detail & Related papers (2022-12-07T15:32:22Z)
- Analysing Training-Data Leakage from Gradients through Linear Systems and Gradient Matching [8.071506311915396]
We propose a novel framework to analyse training-data leakage from gradients.
We draw insights from both analytic and optimisation-based gradient-leakage attacks.
We also propose a metric to measure the level of security of a deep learning model against gradient-based attacks.
arXiv Detail & Related papers (2022-10-20T08:53:20Z)
- Unsupervised Restoration of Weather-affected Images using Deep Gaussian Process-based CycleGAN [92.15895515035795]
We describe an approach for supervising deep networks that are based on CycleGAN.
We introduce new losses for training CycleGAN that lead to more effective training, resulting in high-quality reconstructions.
We demonstrate that the proposed method can be effectively applied to different restoration tasks like de-raining, de-hazing and de-snowing.
arXiv Detail & Related papers (2022-04-23T01:30:47Z)
- Revealing and Protecting Labels in Distributed Training [3.18475216176047]
We propose a method to discover the set of labels of training samples from only the gradient of the last layer and the ID-to-label mapping.
We demonstrate the effectiveness of our method for model training in two domains - image classification, and automatic speech recognition.
arXiv Detail & Related papers (2021-10-31T17:57:49Z)
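The paper's batch-level label-recovery method is not reproduced here; the sketch below shows the simpler, well-known single-sample case that such analyses start from: with cross-entropy loss, the only negative entry of the last layer's bias gradient marks the ground-truth label. The toy classifier is an illustrative assumption.

```python
# Sketch of classic last-layer label leakage: with cross-entropy and a single
# sample, dL/db_i = softmax(logits)_i - 1[i == y], so the only negative entry of
# the final bias gradient reveals the ground-truth label. Single-sample case only;
# the cited paper generalises this to recovering the set of labels in a batch.
import torch
import torch.nn as nn

torch.manual_seed(0)
model = nn.Sequential(nn.Linear(20, 64), nn.ReLU(), nn.Linear(64, 10))
x = torch.rand(1, 20)
y = torch.tensor([7])                                    # the "private" label

loss = nn.CrossEntropyLoss()(model(x), y)
loss.backward()

last_bias_grad = model[2].bias.grad                      # gradient of the final layer's bias
leaked_label = int(torch.argmin(last_bias_grad))         # the single negative entry
print(leaked_label == int(y))                            # True
```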
- Adversarially-Trained Deep Nets Transfer Better: Illustration on Image Classification [53.735029033681435]
Transfer learning is a powerful methodology for adapting pre-trained deep neural networks on image recognition tasks to new domains.
In this work, we demonstrate that adversarially-trained models transfer better than non-adversarially-trained models.
arXiv Detail & Related papers (2020-07-11T22:48:42Z)