SPEAR: Exact Gradient Inversion of Batches in Federated Learning

Read original: arXiv:2403.03945 - Published 6/4/2024 by Dimitar I. Dimitrov, Maximilian Baader, Mark Niklas Müller, Martin Vechev

Overview

• Federated learning is a machine learning approach where a shared model is trained across multiple devices without centralizing the training data.

• Gradient inversion attacks aim to reconstruct the original training data from the model updates (gradients) shared during the federated learning process.

• This paper presents a new technique called "Exact Reconstruction of Batches" that can accurately reconstruct the original training data batches from the gradients shared in federated learning.

Plain English Explanation

Federated learning is a way of training machine learning models that keeps the training data distributed across many different devices, like phones or computers, rather than centralizing it in one place. This can help protect people's privacy, since the raw data never leaves their devices.

However, there's a risk that attackers could try to reverse-engineer the original training data from the model updates (gradients) that get shared during the federated learning process. This is known as a gradient inversion attack.

The researchers in this paper developed a new technique called "Exact Reconstruction of Batches" that can accurately reconstruct the original training data batches from just the gradients. This shows that gradient inversion attacks can be a serious threat to the privacy promises of federated learning.

The paper demonstrates that their technique works well, even on large language models like GPT-3. This is concerning, as these kinds of models are often trained using federated learning approaches to protect user data.

Technical Explanation

The paper introduces a new gradient inversion attack called "Exact Reconstruction of Batches" that can accurately reconstruct the original training data batches from the gradients shared during federated learning.

The key innovation is the use of a differentiable batch reconstruction module that can be optimized to find the exact input batch that would produce the observed gradients. This is in contrast to previous gradient inversion attacks that could only approximately reconstruct the input data.

The researchers demonstrate the effectiveness of their technique on large language models like GPT-3, showing that it can accurately reconstruct the original training batches. This is concerning, as these types of language models are often trained using federated learning approaches to protect user privacy.
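
The paper's abstract, reproduced under Related Papers further down this page, ties exact batch recovery to two properties of fully connected ReLU layers: the low-rank structure of gradients and ReLU-induced gradient sparsity. The following is an added example, not code from the paper or its authors, that computes both properties exactly for one layer so a practitioner can see what a shared gradient exposes. All function names and the sample batch are constructed for illustration.

```python
from fractions import Fraction
import random

def matmul(A, B):
    """Exact matrix product of two lists-of-rows."""
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]

def rank(M):
    """Exact rank by Gaussian elimination over the rationals."""
    M = [[Fraction(v) for v in row] for row in M]
    r = 0
    for c in range(len(M[0])):
        pivot = next((i for i in range(r, len(M)) if M[i][c] != 0), None)
        if pivot is None:
            continue
        M[r], M[pivot] = M[pivot], M[r]
        for i in range(r + 1, len(M)):
            f = M[i][c] / M[r][c]
            M[i] = [x - f * y for x, y in zip(M[i], M[r])]
        r += 1
    return r

def fc_relu_gradients(W, bias, X, G_out):
    """Layer A = relu(X W^T + bias); G_out is dL/dA (b x m).
    Returns (dL/dZ, dL/dW) as a client would compute them locally."""
    Z = [[z + c for z, c in zip(row, bias)] for row in matmul(X, [list(r) for r in zip(*W)])]
    # ReLU zeroes the gradient wherever a neuron was inactive for a sample.
    dZ = [[g if z > 0 else 0 for g, z in zip(grow, zrow)] for grow, zrow in zip(G_out, Z)]
    # (m x b)(b x n): a sum of b outer products, so rank(dW) <= b.
    dW = matmul([list(c) for c in zip(*dZ)], X)
    return dZ, dW

def leakage_report(W, bias, X, G_out):
    """Structural facts that the shared weight gradient carries about the batch."""
    dZ, dW = fc_relu_gradients(W, bias, X, G_out)
    zeros = sum(v == 0 for row in dZ for v in row)
    return {"batch_size": len(X), "grad_shape": (len(dW), len(dW[0])),
            "grad_rank": rank(dW), "dZ_zero_fraction": Fraction(zeros, len(dZ) * len(dZ[0]))}

def demo(b=3, n=12, m=10, seed=0):
    # Constructed sample data: small random integers stand in for a real batch.
    rng = random.Random(seed)
    ri = lambda r, c: [[rng.randint(-3, 3) for _ in range(c)] for _ in range(r)]
    return leakage_report(ri(m, n), [0] * m, ri(b, n), ri(b, m))

if __name__ == "__main__":
    print(demo())
```

The rank of the layer's weight gradient never exceeds the batch size, which is why a gradient that looks like an opaque m x n matrix still carries batch-level structure.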

Critical Analysis

The paper provides a thorough evaluation of the "Exact Reconstruction of Batches" technique, including experiments on a range of language models and dataset sizes. However, it does not address some potential limitations or avenues for future research.

For example, the paper does not explore the impact of different federated learning optimization strategies, such as gradient congruity guided sparse training, which may be more resilient to gradient inversion attacks.

Additionally, the paper does not discuss potential defenses or mitigations against the proposed attack, such as techniques to eliminate hard label constraints in gradient inversion. Exploring such countermeasures would be an important next step.

Overall, this paper makes a significant contribution by demonstrating the threat that gradient inversion attacks pose to the privacy promises of federated learning. However, more research is needed to fully understand the implications and develop effective defenses.

Conclusion

This paper presents a new gradient inversion attack called "Exact Reconstruction of Batches" that can accurately reconstruct the original training data batches from the gradients shared during federated learning. The researchers demonstrate the effectiveness of their technique on large language models like GPT-3, which are often trained using federated learning approaches to protect user privacy.

The paper highlights the significant threat that gradient inversion attacks pose to the privacy promises of federated learning. As the use of federated learning continues to grow, especially in sensitive domains like healthcare and finance, addressing these privacy concerns will be crucial for building trust and ensuring the responsible deployment of these technologies.



This summary was produced with help from an AI and may contain inaccuracies - check out the links to read the original source documents!

Related Papers

SPEAR: Exact Gradient Inversion of Batches in Federated Learning
Dimitar I. Dimitrov, Maximilian Baader, Mark Niklas Müller, Martin Vechev

Federated learning is a framework for collaborative machine learning where clients only share gradient updates and not their private data with a server. However, it was recently shown that gradient inversion attacks can reconstruct this data from the shared gradients. In the important honest-but-curious setting, existing attacks enable exact reconstruction only for a batch size of $b=1$, with larger batches permitting only approximate reconstruction. In this work, we propose SPEAR, the first algorithm reconstructing whole batches with $b >1$ exactly. SPEAR combines insights into the explicit low-rank structure of gradients with a sampling-based algorithm. Crucially, we leverage ReLU-induced gradient sparsity to precisely filter out large numbers of incorrect samples, making a final reconstruction step tractable. We provide an efficient GPU implementation for fully connected networks and show that it recovers high-dimensional ImageNet inputs in batches of up to $b \lesssim 25$ exactly while scaling to large networks. Finally, we show theoretically that much larger batches can be reconstructed with high probability given exponential time.

6/4/2024

DAGER: Exact Gradient Inversion for Large Language Models

Ivo Petrov, Dimitar I. Dimitrov, Maximilian Baader, Mark Niklas Müller, Martin Vechev

Federated learning works by aggregating locally computed gradients from multiple clients, thus enabling collaborative training without sharing private client data. However, prior work has shown that the data can actually be recovered by the server using so-called gradient inversion attacks. While these attacks perform well when applied on images, they are limited in the text domain and only permit approximate reconstruction of small batches and short input sequences. In this work, we propose DAGER, the first algorithm to recover whole batches of input text exactly. DAGER leverages the low-rank structure of self-attention layer gradients and the discrete nature of token embeddings to efficiently check if a given token sequence is part of the client data. We use this check to exactly recover full batches in the honest-but-curious setting without any prior on the data for both encoder- and decoder-based architectures using exhaustive heuristic search and a greedy approach, respectively. We provide an efficient GPU implementation of DAGER and show experimentally that it recovers full batches of size up to 128 on large language models (LLMs), beating prior attacks in speed (20x at same batch size), scalability (10x larger batches), and reconstruction quality (ROUGE-1/2 > 0.99).

5/27/2024

Federated Learning under Attack: Improving Gradient Inversion for Batch of Images

Luiz Leite, Yuri Santo, Bruno L. Dalmazo, André Riker

Federated Learning (FL) has emerged as a machine learning approach able to preserve the privacy of user's data. Applying FL, clients train machine learning models on a local dataset and a central server aggregates the learned parameters coming from the clients, training a global machine learning model without sharing user's data. However, the state-of-the-art shows several approaches to promote attacks on FL systems. For instance, inverting or leaking gradient attacks can find, with high precision, the local dataset used during the training phase of the FL. This paper presents an approach, called Deep Leakage from Gradients with Feedback Blending (DLG-FB), which is able to improve the inverting gradient attack, considering the spatial correlation that typically exists in batches of images. The performed evaluation shows an improvement of 19.18% and 48,82% in terms of attack success rate and the number of iterations per attacked image, respectively.

9/27/2024

AFGI: Towards Accurate and Fast-convergent Gradient Inversion Attack in Federated Learning

Can Liu, Jin Wang, and Yipeng Zhou, Yachao Yuan, Quanzheng Sheng, Kejie Lu

Federated learning (FL) empowers privacy-preservation in model training by only exposing users' model gradients. Yet, FL users are susceptible to gradient inversion attacks (GIAs) which can reconstruct ground-truth training data such as images based on model gradients. However, reconstructing high-resolution images by existing GIAs faces two challenges: inferior accuracy and slow-convergence, especially when duplicating labels exist in the training batch. To address these challenges, we present an Accurate and Fast-convergent Gradient Inversion attack algorithm, called AFGI, with two components: Label Recovery Block (LRB) which can accurately restore duplicating labels of private images based on exposed gradients; VME Regularization Term, which includes the total variance of reconstructed images, the discrepancy between three-channel means and edges, between values from exposed gradients and reconstructed images, respectively. The AFGI can be regarded as a white-box attack strategy to reconstruct images by leveraging labels recovered by LRB. In particular, AFGI is efficient that accurately reconstruct ground-truth images when users' training batch size is up to 48. Our experimental results manifest that AFGI can diminish 85% time costs while achieving superb inversion quality in the ImageNet dataset. At last, our study unveils the shortcomings of FL in privacy-preservation, prompting the development of more advanced countermeasure strategies.

8/1/2024