Combining Stochastic Defenses to Resist Gradient Inversion: An Ablation Study

• URL: http://arxiv.org/abs/2208.04767v2
• Date: Thu, 05 Dec 2024 09:07:23 GMT
• Title: Combining Stochastic Defenses to Resist Gradient Inversion: An Ablation Study
• Authors: Daniel Scheliga, Patrick Mäder, Marco Seeland,
• Abstract summary: Common defense mechanisms such as Differential Privacy (DP) or Privacy Modules (PMs) introduce randomness during computation to prevent such attacks. This paper introduces several targeted GI attacks that leverage this principle to bypass common defense mechanisms.
• Score: 6.766058964358335
• License:
• Abstract: Gradient Inversion (GI) attacks are a ubiquitous threat in Federated Learning (FL) as they exploit gradient leakage to reconstruct supposedly private training data. Common defense mechanisms such as Differential Privacy (DP) or stochastic Privacy Modules (PMs) introduce randomness during gradient computation to prevent such attacks. However, we pose that if an attacker effectively mimics a client's stochastic gradient computation, the attacker can circumvent the defense and reconstruct clients' private training data. This paper introduces several targeted GI attacks that leverage this principle to bypass common defense mechanisms. As a result, we demonstrate that no individual defense provides sufficient privacy protection. To address this issue, we propose to combine multiple defenses. We conduct an extensive ablation study to evaluate the influence of various combinations of defenses on privacy protection and model utility. We observe that only the combination of DP and a stochastic PM was sufficient to decrease the Attack Success Rate (ASR) from 100% to 0%, thus preserving privacy. Moreover, we found that this combination of defenses consistently achieves the best trade-off between privacy and model utility.

Related papers

• Evaluating the Robustness of the "Ensemble Everything Everywhere" Defense [90.7494670101357]
  Ensemble everything everywhere is a defense to adversarial examples. We show that this defense is not robust to adversarial attack. We then use standard adaptive attack techniques to reduce the defense's robust accuracy.
  arXiv  Detail & Related papers  (2024-11-22T10:17:32Z)
• Privacy-preserving Universal Adversarial Defense for Black-box Models [20.968518031455503]
  We introduce DUCD, a universal black-box defense method that does not require access to the target model's parameters or architecture. Our approach involves querying the target model by querying it with data, creating a white-box surrogate while preserving data privacy. Experiments on multiple image classification datasets show that DUCD not only outperforms existing black-box defenses but also matches the accuracy of white-box defenses.
  arXiv  Detail & Related papers  (2024-08-20T08:40:39Z)
• BadCLIP: Dual-Embedding Guided Backdoor Attack on Multimodal Contrastive Learning [85.2564206440109]
  This paper reveals the threats in this practical scenario that backdoor attacks can remain effective even after defenses. We introduce the emphtoolns attack, which is resistant to backdoor detection and model fine-tuning defenses.
  arXiv  Detail & Related papers  (2023-11-20T02:21:49Z)
• FLIP: A Provable Defense Framework for Backdoor Mitigation in Federated Learning [66.56240101249803]
  We study how hardening benign clients can affect the global model (and the malicious clients) We propose a trigger reverse engineering based defense and show that our method can achieve improvement with guarantee robustness. Our results on eight competing SOTA defense methods show the empirical superiority of our method on both single-shot and continuous FL backdoor attacks.
  arXiv  Detail & Related papers  (2022-10-23T22:24:03Z)
• Learning to Invert: Simple Adaptive Attacks for Gradient Inversion in Federated Learning [31.374376311614675]
  Gradient inversion attack enables recovery of training samples from model gradients in federated learning. We show that existing defenses can be broken by a simple adaptive attack.
  arXiv  Detail & Related papers  (2022-10-19T20:41:30Z)
• Defense Against Gradient Leakage Attacks via Learning to Obscure Data [48.67836599050032]
  Federated learning is considered as an effective privacy-preserving learning mechanism. In this paper, we propose a new defense method to protect the privacy of clients' data by learning to obscure data.
  arXiv  Detail & Related papers  (2022-06-01T21:03:28Z)
• One Parameter Defense -- Defending against Data Inference Attacks via Differential Privacy [26.000487178636927]
  Machine learning models are vulnerable to data inference attacks, such as membership inference and model inversion attacks. Most existing defense methods only protect against membership inference attacks. We propose a differentially private defense method that handles both types of attacks in a time-efficient manner.
  arXiv  Detail & Related papers  (2022-03-13T06:06:24Z)
• Defending against Reconstruction Attacks with R\'enyi Differential Privacy [72.1188520352079]
  Reconstruction attacks allow an adversary to regenerate data samples of the training set using access to only a trained model. Differential privacy is a known solution to such attacks, but is often used with a relatively large privacy budget. We show that, for a same mechanism, we can derive privacy guarantees for reconstruction attacks that are better than the traditional ones from the literature.
  arXiv  Detail & Related papers  (2022-02-15T18:09:30Z)
• Evaluating Gradient Inversion Attacks and Defenses in Federated Learning [43.993693910541275]
  This paper evaluates existing attacks and defenses against gradient inversion attacks. We show the trade-offs of privacy leakage and data utility of three proposed defense mechanisms. Our findings suggest that the state-of-the-art attacks can currently be defended against with minor data utility loss.
  arXiv  Detail & Related papers  (2021-11-30T19:34:16Z)
• DP-InstaHide: Provably Defusing Poisoning and Backdoor Attacks with Differentially Private Data Augmentations [54.960853673256]
  We show that strong data augmentations, such as mixup and random additive noise, nullify poison attacks while enduring only a small accuracy trade-off. A rigorous analysis of DP-InstaHide shows that mixup does indeed have privacy advantages, and that training with k-way mixup provably yields at least k times stronger DP guarantees than a naive DP mechanism.
  arXiv  Detail & Related papers  (2021-03-02T23:07:31Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.