Defending Against Data Reconstruction Attacks in Federated Learning: An
Information Theory Approach
- URL: http://arxiv.org/abs/2403.01268v1
- Date: Sat, 2 Mar 2024 17:12:32 GMT
- Title: Defending Against Data Reconstruction Attacks in Federated Learning: An
Information Theory Approach
- Authors: Qi Tan, Qi Li, Yi Zhao, Zhuotao Liu, Xiaobing Guo, Ke Xu
- Abstract summary: Federated Learning (FL) trains a black-box and high-dimensional model among different clients by exchanging parameters instead of direct data sharing.
FL still suffers from membership inference attacks (MIA) or data reconstruction attacks (DRA).
- Score: 21.03960608358235
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Federated Learning (FL) trains a black-box and high-dimensional model among
different clients by exchanging parameters instead of direct data sharing,
which mitigates the privacy leakage incurred by machine learning. However, FL
still suffers from membership inference attacks (MIA) or data reconstruction
attacks (DRA). In particular, an attacker can extract information from local
datasets by constructing a DRA, which cannot be effectively throttled by
existing techniques, e.g., Differential Privacy (DP).
In this paper, we aim to ensure a strong privacy guarantee for FL under DRA.
We prove that reconstruction errors under DRA are constrained by the
information acquired by an attacker, which means that constraining the
transmitted information can effectively throttle DRA. To quantify the
information leakage incurred by FL, we establish a channel model, which depends
on the upper bound of joint mutual information between the local dataset and
multiple transmitted parameters. Moreover, the channel model indicates that the
transmitted information can be constrained through data space operations, which
can improve training efficiency and model accuracy under constrained
information. According to the channel model, we propose algorithms to constrain
the information transmitted in a single round of local training. With a limited
number of training rounds, the algorithms ensure that the total amount of
transmitted information is limited. Furthermore, our channel model can be
applied to various privacy-enhancing techniques (such as DP) to enhance privacy
guarantees against DRA. Extensive experiments with real-world datasets validate
the effectiveness of our methods.
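For intuition on why bounding the per-round leakage also bounds the total, note the standard chain rule of mutual information (a minimal sketch consistent with the abstract; the paper's own bound may be stated differently). Writing $D$ for the local dataset and $W_1, \dots, W_T$ for the parameters transmitted over $T$ rounds,
$$ I(D; W_1, \dots, W_T) \;=\; \sum_{t=1}^{T} I(D; W_t \mid W_1, \dots, W_{t-1}), $$
so if each round's conditional term is kept below a budget $\epsilon$, the joint information an attacker can acquire is at most $T\epsilon$. Combined with the abstract's claim that reconstruction errors under DRA are constrained by the information acquired by the attacker, a small total budget translates into a guaranteed level of reconstruction error.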
Related papers
- Ungeneralizable Examples [70.76487163068109]
Current approaches to creating unlearnable data involve incorporating small, specially designed noises.
We extend the concept of unlearnable data to conditional data learnability and introduce UnGeneralizable Examples (UGEs).
UGEs exhibit learnability for authorized users while maintaining unlearnability for potential hackers.
arXiv Detail & Related papers (2024-04-22T09:29:14Z)
- Defending against Data Poisoning Attacks in Federated Learning via User Elimination [0.0]
This paper introduces a novel framework focused on the strategic elimination of adversarial users within a federated model.
We detect anomalies in the aggregation phase of the federated algorithm by integrating metadata gathered by the local training instances with Differential Privacy techniques.
Our experiments demonstrate the efficacy of our methods, significantly mitigating the risk of data poisoning while maintaining user privacy and model performance.
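As a rough illustration of anomaly detection in the aggregation phase (not the authors' algorithm, which combines richer per-client metadata with Differential Privacy), a robust norm-based filter over client updates could look like the sketch below; the function name and threshold are hypothetical:

```python
import numpy as np

def filter_and_average(client_updates, k=3.0):
    # Hypothetical aggregation-time anomaly filter: drop clients whose
    # update norm is a robust outlier (median/MAD rule), then average.
    norms = np.array([np.linalg.norm(u) for u in client_updates])
    med = np.median(norms)
    mad = np.median(np.abs(norms - med)) + 1e-12
    keep = np.abs(norms - med) <= k * mad  # robust z-score test
    kept = [u for u, ok in zip(client_updates, keep) if ok]
    return np.mean(kept, axis=0) if kept else np.mean(client_updates, axis=0)

# Toy usage: ten benign clients plus one update with an inflated norm.
rng = np.random.default_rng(0)
updates = [rng.normal(0.0, 0.1, size=100) for _ in range(10)]
updates.append(rng.normal(0.0, 5.0, size=100))  # anomalous client
aggregated = filter_and_average(updates)
```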
arXiv Detail & Related papers (2024-04-19T10:36:00Z)
- Mitigating Cross-client GANs-based Attack in Federated Learning [78.06700142712353]
Multiple distributed multimedia clients can resort to federated learning (FL) to jointly learn a global shared model.
FL suffers from the cross-client generative adversarial networks (GANs)-based (C-GANs) attack.
We propose the Fed-EDKD technique to improve current popular FL schemes to resist the C-GANs attack.
arXiv Detail & Related papers (2023-07-25T08:15:55Z)
- PS-FedGAN: An Efficient Federated Learning Framework Based on Partially Shared Generative Adversarial Networks For Data Privacy [56.347786940414935]
Federated Learning (FL) has emerged as an effective learning paradigm for distributed computation.
This work proposes a novel FL framework that requires only partial GAN model sharing.
Named PS-FedGAN, this new framework enhances the GAN releasing and training mechanism to address heterogeneous data distributions.
arXiv Detail & Related papers (2023-05-19T05:39:40Z)
- FedPDD: A Privacy-preserving Double Distillation Framework for Cross-silo Federated Recommendation [4.467445574103374]
Cross-platform recommendation aims to improve recommendation accuracy by gathering heterogeneous features from different platforms.
Such cross-silo collaborations between platforms are restricted by increasingly stringent privacy protection regulations.
We propose a novel privacy-preserving double distillation framework named FedPDD for cross-silo federated recommendation.
arXiv Detail & Related papers (2023-05-09T16:17:04Z)
- Do Gradient Inversion Attacks Make Federated Learning Unsafe? [70.0231254112197]
Federated learning (FL) allows the collaborative training of AI models without needing to share raw data.
Recent works on the inversion of deep neural networks from model gradients raised concerns about the security of FL in preventing the leakage of training data.
In this work, we show that the attacks presented in the literature are impractical in real FL use cases and provide a new baseline attack.
arXiv Detail & Related papers (2022-02-14T18:33:12Z)
- Delving into Data: Effectively Substitute Training for Black-box Attack [84.85798059317963]
We propose a novel perspective on substitute training that focuses on designing the distribution of data used in the knowledge-stealing process.
The combination of these two modules can further boost the consistency of the substitute model and target model, which greatly improves the effectiveness of adversarial attack.
arXiv Detail & Related papers (2021-04-26T07:26:29Z)
- A Quantitative Metric for Privacy Leakage in Federated Learning [22.968763654455298]
We propose a quantitative metric based on mutual information for clients to evaluate the potential risk of information leakage in their gradients.
It is proven that the risk of information leakage is related to the status of the task model, as well as the inherent data distribution.
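For a flavor of quantifying leakage with mutual information (a toy plug-in estimator over scalar statistics; the metric proposed in that paper is defined over the full data and gradient distributions and is not reproduced here):

```python
import numpy as np

def plugin_mutual_information(x, y, bins=16):
    # Crude histogram (plug-in) estimate of I(X; Y) in nats between two
    # scalar samples, e.g. a per-example data statistic and a per-example
    # gradient statistic. Purely illustrative.
    joint, _, _ = np.histogram2d(x, y, bins=bins)
    p_xy = joint / joint.sum()
    p_x = p_xy.sum(axis=1, keepdims=True)
    p_y = p_xy.sum(axis=0, keepdims=True)
    mask = p_xy > 0
    return float(np.sum(p_xy[mask] * np.log(p_xy[mask] / (p_x @ p_y)[mask])))

# Toy usage with hypothetical, correlated data/gradient statistics.
rng = np.random.default_rng(1)
data_stat = rng.normal(size=5000)
grad_stat = 0.8 * data_stat + 0.6 * rng.normal(size=5000)  # "leaky" gradient
print(plugin_mutual_information(data_stat, grad_stat))
```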
arXiv Detail & Related papers (2021-02-24T02:48:35Z)
- Privacy-preserving Transfer Learning via Secure Maximum Mean Discrepancy [15.145214895007134]
We propose a Secure version of the widely used Maximum Mean Discrepancy (SMMD) based on homomorphic encryption.
The proposed SMMD is able to avoid the potential information leakage in transfer learning when aligning the source and target data distributions.
arXiv Detail & Related papers (2020-09-24T13:34:32Z)
- Privacy-preserving Traffic Flow Prediction: A Federated Learning Approach [61.64006416975458]
We propose a privacy-preserving machine learning technique named Federated Learning-based Gated Recurrent Unit neural network algorithm (FedGRU) for traffic flow prediction.
FedGRU differs from current centralized learning methods and updates universal learning models through a secure parameter aggregation mechanism.
It is shown that FedGRU's prediction accuracy is 90.96% higher than the advanced deep learning models.
arXiv Detail & Related papers (2020-03-19T13:07:49Z)
This list is automatically generated from the titles and abstracts of the papers on this site.
The site does not guarantee the quality of the information and is not responsible for any consequences.