Optimal Defenses Against Gradient Reconstruction Attacks

• URL: http://arxiv.org/abs/2411.03746v1
• Date: Wed, 06 Nov 2024 08:22:20 GMT
• Title: Optimal Defenses Against Gradient Reconstruction Attacks
• Authors: Yuxiao Chen, Gamze Gürsoy, Qi Lei,
• Abstract summary: Federated Learning (FL) is designed to prevent data leakage through collaborative model training without centralized data storage. It remains vulnerable to gradient reconstruction attacks that recover original training data from shared gradients.
• Score: 13.728704430883987
• License:
• Abstract: Federated Learning (FL) is designed to prevent data leakage through collaborative model training without centralized data storage. However, it remains vulnerable to gradient reconstruction attacks that recover original training data from shared gradients. To optimize the trade-off between data leakage and utility loss, we first derive a theoretical lower bound of reconstruction error (among all attackers) for the two standard methods: adding noise, and gradient pruning. We then customize these two defenses to be parameter- and model-specific and achieve the optimal trade-off between our obtained reconstruction lower bound and model utility. Experimental results validate that our methods outperform Gradient Noise and Gradient Pruning by protecting the training data better while also achieving better utility.

Related papers

• GIFD: A Generative Gradient Inversion Method with Feature Domain Optimization [52.55628139825667]
  Federated Learning (FL) has emerged as a promising distributed machine learning framework to preserve clients' privacy. Recent studies find that an attacker can invert the shared gradients and recover sensitive data against an FL system by leveraging pre-trained generative adversarial networks (GAN) as prior knowledge. We propose textbfGradient textbfInversion over textbfFeature textbfDomains (GIFD), which disassembles the GAN model and searches the feature domains of the intermediate layers.
  arXiv  Detail & Related papers  (2023-08-09T04:34:21Z)
• TWINS: A Fine-Tuning Framework for Improved Transferability of Adversarial Robustness and Generalization [89.54947228958494]
  This paper focuses on the fine-tuning of an adversarially pre-trained model in various classification tasks. We propose a novel statistics-based approach, Two-WIng NormliSation (TWINS) fine-tuning framework. TWINS is shown to be effective on a wide range of image classification datasets in terms of both generalization and robustness.
  arXiv  Detail & Related papers  (2023-03-20T14:12:55Z)
• Refiner: Data Refining against Gradient Leakage Attacks in Federated Learning [28.76786159247595]
  gradient leakage attacks exploit clients' uploaded gradients to reconstruct their sensitive data. In this paper, we explore a novel defensive paradigm that departs from conventional gradient perturbation approaches. We design Refiner that jointly optimize two metrics for privacy protection and performance maintenance.
  arXiv  Detail & Related papers  (2022-12-05T05:36:15Z)
• Minimizing the Accumulated Trajectory Error to Improve Dataset Distillation [151.70234052015948]
  We propose a novel approach that encourages the optimization algorithm to seek a flat trajectory. We show that the weights trained on synthetic data are robust against the accumulated errors perturbations with the regularization towards the flat trajectory. Our method, called Flat Trajectory Distillation (FTD), is shown to boost the performance of gradient-matching methods by up to 4.7%.
  arXiv  Detail & Related papers  (2022-11-20T15:49:11Z)
• Combining Variational Modeling with Partial Gradient Perturbation to Prevent Deep Gradient Leakage [0.6021787236982659]
  gradient inversion attacks are an ubiquitous threat in collaborative learning of neural networks. Recent work proposed a PRivacy EnhanCing mODulE (PRECODE) based on PPPal modeling as extension for arbitrary model architectures. In this work, we investigate the effect of PRECODE on gradient inversion attacks to reveal its underlying working principle. We show that our approach requires less gradient perturbation to effectively preserve privacy without harming model performance.
  arXiv  Detail & Related papers  (2022-08-09T13:23:29Z)
• Do Gradient Inversion Attacks Make Federated Learning Unsafe? [70.0231254112197]
  Federated learning (FL) allows the collaborative training of AI models without needing to share raw data. Recent works on the inversion of deep neural networks from model gradients raised concerns about the security of FL in preventing the leakage of training data. In this work, we show that these attacks presented in the literature are impractical in real FL use-cases and provide a new baseline attack.
  arXiv  Detail & Related papers  (2022-02-14T18:33:12Z)
• CAFE: Catastrophic Data Leakage in Vertical Federated Learning [65.56360219908142]
  Recent studies show that private training data can be leaked through the gradients sharing mechanism deployed in distributed machine learning systems. We propose an advanced data leakage attack with theoretical justification to efficiently recover batch data from the shared aggregated gradients.
  arXiv  Detail & Related papers  (2021-10-26T23:22:58Z)
• PRECODE - A Generic Model Extension to Prevent Deep Gradient Leakage [0.8029049649310213]
  Collaborative training of neural networks leverages distributed data by exchanging gradient information between different clients. gradient perturbation techniques have been proposed to enhance privacy, but they come at the cost of reduced model performance, increased convergence time, or increased data demand. We introduce PRECODE, a PRivacy EnhanCing mODulE that can be used as generic extension for arbitrary model architectures.
  arXiv  Detail & Related papers  (2021-08-10T14:43:17Z)
• R-GAP: Recursive Gradient Attack on Privacy [5.687523225718642]
  Federated learning is a promising approach to break the dilemma between demands on privacy and the promise of learning from large collections of distributed data. We provide a closed-form recursion procedure to recover data from gradients in deep neural networks. We also propose a Rank Analysis method to estimate the risk of gradient attacks inherent in certain network architectures.
  arXiv  Detail & Related papers  (2020-10-15T13:22:40Z)
• Extrapolation for Large-batch Training in Deep Learning [72.61259487233214]
  We show that a host of variations can be covered in a unified framework that we propose. We prove the convergence of this novel scheme and rigorously evaluate its empirical performance on ResNet, LSTM, and Transformer.
  arXiv  Detail & Related papers  (2020-06-10T08:22:41Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.