Paper: "A Framework for Evaluating Gradient Leakage Attacks in Federated Learning"

Summary

Federated Learning (FL) is an emerging distributed machine learning framework for collaborative model training over a network of clients (edge devices). FL lets clients keep their sensitive data locally on their own devices and share only local training parameter updates with the federated server, thereby providing client privacy by default. However, recent research shows that even sharing local parameter updates from the client to the federated server can be subject to gradient leakage attacks that violate the client's privacy with respect to its training data. In this paper, we propose a principled framework for evaluating and comparing different forms of client privacy leakage attacks. We first provide formal and experimental analyses showing how an adversary can reconstruct private local training data simply by analyzing the locally trained parameter updates that are shared (such as local gradients or weight update vectors). We then analyze how different hyperparameter configurations of federated learning and different settings of the attack algorithm affect the effectiveness and the cost of the attack. Our framework also measures, evaluates, and analyzes the effectiveness of client privacy leakage attacks under different gradient compression ratios when a communication-efficient FL protocol is used. Our experiments also include some preliminary mitigation strategies, highlighting the importance of a systematic attack evaluation framework for gaining insight into the various forms of client privacy leakage threats in federated learning and for laying a theoretical foundation for attack mitigation.

Main content

This article mainly explains a CPL (client privacy leakage) attack. Because the adversary is an FL participant and knows the model parameters, it is a white-box attack.

Pseudocode

Lines 4-6 convert the weight updates into gradient values.

Line 9 obtains the label of the local training input, i.e. it recovers the label from the gradient that is actually shared.

Lines 10-14 introduce the iterative reconstruction process that produces reconstructed private training data from the client's gradient updates.

Since the local training update for the true label of a training input should be the most positive compared with the other labels, the sign of the gradient entry for the true label of a sample in the private dataset differs from that of the other classes, and its absolute value is usually the largest. (PS: in machine learning, the gradients produced by the correct class and by incorrect classes usually differ greatly.)

In fact, this attack first creates a dummy image with the same resolution as the images in the training set, runs it through the model to obtain its gradient, compares that gradient with the gradient produced by the victim's real image to obtain a distance, and then keeps perturbing the dummy image to reduce that distance. When the distance converges, the dummy image has been "trained" successfully, because its gradient under this model is almost the same as the gradient of the other party's image.
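To make the label-recovery step and the gradient-distance criterion concrete, here is an added Python example (my own construction, not code from the paper or from this post). It models a single softmax output layer on four non-negative features; the weights W and B, the private input X_PRIVATE and its label Y_PRIVATE are all assumed values. It shows three things a defender can check on a gradient before it is shared: the bias gradient has exactly one negative entry and it sits at the true label; the true-label weight row is a scaled copy of the input; and the gradient distance that the iterative reconstruction minimises is zero only when the dummy input reproduces the private one.

```python
import math

# Constructed toy: one softmax (linear) layer with C=3 classes and D=4 non-negative
# input features (e.g. normalised pixels). All values are assumed, not from the paper.
W = [[0.1, -0.2, 0.3, 0.0],
     [0.2, 0.1, -0.1, 0.4],
     [-0.3, 0.2, 0.1, 0.1]]
B = [0.0, 0.1, -0.1]
X_PRIVATE = [0.5, 1.0, 0.0, 0.25]   # the client's private input (constructed)
Y_PRIVATE = 1                         # its true label


def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


def shared_gradient(w, b, x, y):
    """Softmax cross-entropy gradient for one (x, y) w.r.t. w (C x D) and b (C).
    This pair (gW, gb) is what the client would upload."""
    z = [sum(w[c][d] * x[d] for d in range(len(x))) + b[c] for c in range(len(b))]
    p = softmax(z)
    dz = [p[c] - (1.0 if c == y else 0.0) for c in range(len(b))]  # dL/dz = p - onehot(y)
    gw = [[dz[c] * x[d] for d in range(len(x))] for c in range(len(b))]
    return gw, dz  # dL/db equals dL/dz


def infer_label(gb):
    """The true label is the only class whose bias-gradient entry is negative
    (p_y - 1 < 0); every other entry equals p_c > 0. None if not exactly one."""
    neg = [c for c, g in enumerate(gb) if g < 0]
    return neg[0] if len(neg) == 1 else None


def abs_cosine(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(a * a for a in v))
    return abs(dot) / (nu * nv) if nu and nv else 0.0


def input_leak_score(gw, label, x):
    """How much of the private input is present verbatim in the shared gradient:
    for a linear layer the true-label row is (p_y - 1) * x, a scaled copy of x."""
    return abs_cosine(gw[label], x)


def gradient_distance(g1, g2):
    """Euclidean distance between two (gW, gb) pairs, the quantity the iterative
    reconstruction minimises; 0 means the dummy input reproduces the shared gradient."""
    flat = lambda g: [v for row in g[0] for v in row] + list(g[1])
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(flat(g1), flat(g2))))


def audit():
    """Defender-side check: what does the gradient of one private sample reveal?"""
    g = shared_gradient(W, B, X_PRIVATE, Y_PRIVATE)
    label = infer_label(g[1])
    leak = input_leak_score(g[0], label, X_PRIVATE)
    dummy = [0.1, 0.1, 0.1, 0.1]   # a constructed dummy image with the inferred label
    far = gradient_distance(g, shared_gradient(W, B, dummy, label))
    near = gradient_distance(g, shared_gradient(W, B, X_PRIVATE, label))
    return label, leak, far, near


if __name__ == "__main__":
    print(audit())
```

The leak score of 1.0 for the linear layer is the extreme case; in deeper networks the input is mixed through the hidden layers, which is why the paper needs the iterative gradient-matching loop rather than reading the input off one row.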

The framework of this paper studies the impact of different configurations of FL hyperparameters on the success rate and cost of privacy leakage attacks.

It is worth noting that even if the network connection between the client and the server is secure, a client privacy leakage attack can occur on a compromised client before the local parameter updates are ready to be uploaded to the server. (As for what the original paper says, I don't understand exactly how the leak happens before uploading. It may be that the adversary was exposed to other people's gradients before uploading. I think it may be because FL is trained by multiple clients together, so you don't necessarily need to use someone's gradient; you can directly use the model that was generated earlier to infer their private dataset.)

The impact of different settings on CPL attacks

Different initialization

Different random seeds

Different attack termination conditions

In any case, increasing the number of iterations increases the success rate of the attack. Therefore, in all cases, we only need to find a number of iterations that raises the success rate to an acceptable level. Since the initialization setting affects how many iterations are needed, one still has to choose the initialization method first and then pick an appropriate number of iterations for that initialization.

Different loss functions

Some loss functions make the attack optimization slower.

Different attack optimization methods

While first-order optimization techniques are easier to compute and less time-consuming, second-order techniques are better at escaping slow convergence paths around saddle points.

Different batch sizes

The attack works best when batch size = 1, and it works better when the gap between classes in the dataset is small.

Different image resolutions

Obviously, the smaller the resolution, the fewer iterations are needed and the faster the attack runs.

Different activation functions

It is clearly shown here that the activation function affects the success rate of CPL attacks, and by comparing activation functions in light of the theory, it can be concluded that whatever affects the integrity and uniqueness of the gradient also affects the success rate of CPL attacks.

We observe that ReLU naturally prevents full reconstruction of the training data from gradients, because the gradient of the negative part of ReLU is 0, i.e. that part of the trainable parameters stops reacting to changes in the error and will not be adjusted during optimization. This dying-ReLU problem removes gradient information that CPL attacks need. In contrast, both Sigmoid and Tanh are deterministic bijections that propagate gradients from one layer to the next in an almost lossless manner. LeakyReLU gives the negative part of ReLU a slightly sloped line to mitigate the dying-ReLU problem and is therefore vulnerable to CPL attacks.
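The "integrity of the gradient" argument can be measured directly. The following added Python example (my own, not from the paper or the post) builds a constructed two-layer network with assumed weights W1, W2 and an assumed input X, chosen so that two of the four hidden units have negative pre-activation. It computes the first-layer weight gradient under ReLU, LeakyReLU, Sigmoid and Tanh and reports the fraction of weight rows whose gradient is identically zero, i.e. rows that carry no information about the input at all.

```python
import math

# Constructed two-layer network: D=4 inputs, H=4 hidden units, C=3 classes.
# Values are assumed and chosen so that hidden units 1 and 2 have negative
# pre-activation on X, which makes them "dead" under ReLU.
W1 = [[0.5, 0.2, 0.1, 0.1],
      [-0.6, 0.1, 0.3, 0.0],
      [0.2, -0.3, 0.1, -0.4],
      [0.1, 0.4, 0.2, 0.3]]
B1 = [0.0, 0.0, 0.0, 0.0]
W2 = [[0.3, -0.2, 0.1, 0.4],
      [-0.1, 0.5, 0.2, -0.3],
      [0.2, 0.1, -0.4, 0.1]]
B2 = [0.0, 0.0, 0.0]
X = [1.0, 0.5, 0.0, 0.25]   # constructed private input
Y = 0                        # its label


def _sig(a):
    return 1.0 / (1.0 + math.exp(-a))


# name -> (activation, derivative of activation w.r.t. its pre-activation)
ACTIVATIONS = {
    "relu":    (lambda a: max(a, 0.0),             lambda a: 1.0 if a > 0 else 0.0),
    "leaky":   (lambda a: a if a > 0 else 0.01 * a, lambda a: 1.0 if a > 0 else 0.01),
    "sigmoid": (_sig,                               lambda a: _sig(a) * (1.0 - _sig(a))),
    "tanh":    (math.tanh,                          lambda a: 1.0 - math.tanh(a) ** 2),
}


def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


def first_layer_gradient(act_name, w1=W1, b1=B1, w2=W2, b2=B2, x=X, y=Y):
    """dL/dW1 for softmax cross-entropy. Row j equals (dL/dh_j * act'(a_j)) * x,
    so whenever act'(a_j) == 0 the whole row is zero and x is absent from it."""
    f, df = ACTIVATIONS[act_name]
    a = [sum(w1[j][d] * x[d] for d in range(len(x))) + b1[j] for j in range(len(b1))]
    h = [f(v) for v in a]
    z = [sum(w2[c][j] * h[j] for j in range(len(h))) + b2[c] for c in range(len(b2))]
    p = softmax(z)
    dz = [p[c] - (1.0 if c == y else 0.0) for c in range(len(p))]
    dh = [sum(dz[c] * w2[c][j] for c in range(len(dz))) for j in range(len(h))]
    da = [dh[j] * df(a[j]) for j in range(len(h))]
    return [[da[j] * x[d] for d in range(len(x))] for j in range(len(h))]


def zero_row_fraction(gw1):
    """Fraction of first-layer rows whose gradient is identically zero: the part of
    the gradient that the dying-ReLU effect has emptied of input information."""
    zero = sum(1 for row in gw1 if all(v == 0.0 for v in row))
    return zero / len(gw1)


def compare_activations():
    return {name: zero_row_fraction(first_layer_gradient(name)) for name in ACTIVATIONS}


if __name__ == "__main__":
    for name, frac in compare_activations().items():
        print(f"{name:8s} zero gradient rows: {frac:.2f}")
```

On this input ReLU zeroes half of the first-layer rows, while LeakyReLU, Sigmoid and Tanh keep every row non-zero, which is the lossless propagation the text attributes to them. The fraction depends on the input and the weights; it is a per-sample measurement, not a property of the activation alone.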

Different compression ratios

Attack evaluation metrics (4 types)

  • Attack success rate (ASR)

  • MSE

Uses the root mean square deviation to measure the similarity between the reconstructed input x_rec and the real input x.

  • SSIM

Measures the structural similarity between two images based on a perceptual model [Wang, Z., Bovik, A.C., Sheikh, H.R., Simoncelli, E.P.: Image quality assessment: from error visibility to structural similarity. IEEE Transactions on Image Processing 13(4), 600–612 (2004)]; this model treats image degradation as a change in perception.

where μ_x and μ_x0 are the means of x and x0, σ²_x and σ²_x0 are the variances of x and x0, and σ

The closer SSIM is to 1, the better the quality of the attack in terms of image reconstruction. SSIM was designed to improve on traditional methods such as MSE for measuring image similarity.
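An added Python example of the two image-quality metrics (my own code, not from the paper or the post). It computes MSE, its square root, and SSIM between a constructed 4x4 grayscale "private" image and two constructed reconstructions, one close to the original and one that recovered no structure. The SSIM here is the global-statistics form of Wang et al. 2004 with the usual constants c1 = (0.01 L)² and c2 = (0.03 L)²; that choice, and the images, are assumptions, since the page does not reproduce the formula and the paper's windowed variant is not replicated.

```python
import math

# Constructed 4x4 grayscale images with pixel values in [0, 1] (assumed, not the paper's data).
X_TRUE = [[0.0, 0.1, 0.2, 0.3],
          [0.4, 0.5, 0.6, 0.7],
          [0.8, 0.9, 1.0, 0.9],
          [0.8, 0.7, 0.6, 0.5]]
X_REC_GOOD = [[0.02, 0.1, 0.19, 0.3],
              [0.4, 0.52, 0.6, 0.69],
              [0.8, 0.9, 0.98, 0.9],
              [0.81, 0.7, 0.6, 0.5]]
X_REC_BAD = [[0.5] * 4 for _ in range(4)]   # flat grey: no structure recovered


def _flat(img):
    return [v for row in img for v in row]


def mse(x, x_rec):
    a, b = _flat(x), _flat(x_rec)
    return sum((p - q) ** 2 for p, q in zip(a, b)) / len(a)


def rmse(x, x_rec):
    """Root mean square deviation, the form quoted in the post."""
    return math.sqrt(mse(x, x_rec))


def ssim(x, x_rec, data_range=1.0):
    """Global-statistics SSIM (Wang et al. 2004). Uses the sample variance and
    covariance over the whole image; a windowed SSIM averages this over patches."""
    a, b = _flat(x), _flat(x_rec)
    n = len(a)
    mu_a, mu_b = sum(a) / n, sum(b) / n
    var_a = sum((v - mu_a) ** 2 for v in a) / (n - 1)
    var_b = sum((v - mu_b) ** 2 for v in b) / (n - 1)
    cov = sum((p - mu_a) * (q - mu_b) for p, q in zip(a, b)) / (n - 1)
    c1, c2 = (0.01 * data_range) ** 2, (0.03 * data_range) ** 2   # stabilisers
    num = (2 * mu_a * mu_b + c1) * (2 * cov + c2)
    den = (mu_a ** 2 + mu_b ** 2 + c1) * (var_a + var_b + c2)
    return num / den


def evaluate(x, x_rec):
    """The three reconstruction-quality numbers a CPL evaluation would report."""
    return {"mse": mse(x, x_rec), "rmse": rmse(x, x_rec), "ssim": ssim(x, x_rec)}


if __name__ == "__main__":
    print("good reconstruction:", evaluate(X_TRUE, X_REC_GOOD))
    print("bad reconstruction: ", evaluate(X_TRUE, X_REC_BAD))
```

The flat grey reconstruction has a moderate MSE but an SSIM near zero, which is exactly the case where SSIM separates "roughly the right brightness" from "the structure was recovered", the distinction the text says MSE alone misses.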

  • Attack iterations

Overall, the results show that the CPL attack in this paper is better than the deep gradient attack and the gradient inversion attack: CPL is faster, more effective, has a higher success rate and needs fewer iterations. At the same time SSIM is very high (1 is best) and MSE is very low, indicating that the reconstructed data is almost identical to the private training data.

In some cases (as shown below), when the compression ratio increases the number of iterations decreases, which shows that the gradient contains a lot of unnecessary (unimportant) content. The CPL method may be more effective when there are many classes; the likely reason is that with many classes the gradient information is more concentrated.

The defense methods given in the paper

1. Add noise (Gaussian noise / Laplacian noise)

2. Iterate several times locally and upload only the gradient of the last iteration, i.e. the gradient of every single iteration is not uploaded.
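To see how the noise defense and the gradient compression from the earlier sections change what a shared gradient reveals, here is an added Python example (my own construction, not code from the paper or the post). It models the shared true-label gradient row of a linear layer as a scaled copy of a constructed private input, applies Gaussian noise, Laplace noise and top-k sparsification at a given compression ratio, and measures how parallel the result still is to the private input. The input, the scale and the noise parameters are assumptions.

```python
import math
import random

# Constructed "shared gradient row": for a linear layer the true-label row is a scaled copy
# of the private input, so it is modelled here as SCALE * X_PRIVATE (assumed values).
X_PRIVATE = [0.5, 1.0, 0.0, 0.25, 0.75, 0.1, 0.9, 0.3]
SCALE = -0.6
SHARED_ROW = [SCALE * v for v in X_PRIVATE]


def abs_cosine(u, v):
    """1.0 means the vector is still an exact (scaled) copy of the private input."""
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(a * a for a in v))
    return abs(dot) / (nu * nv) if nu and nv else 0.0


def add_gaussian_noise(g, sigma, seed=0):
    """Defense 1, Gaussian variant: add N(0, sigma^2) to every entry (seeded for repeatability)."""
    rng = random.Random(seed)
    return [v + rng.gauss(0.0, sigma) for v in g]


def add_laplace_noise(g, scale, seed=0):
    """Defense 1, Laplacian variant. random has no Laplace sampler; the difference of two
    independent Exp(1/scale) draws is Laplace(0, scale)."""
    rng = random.Random(seed)
    return [v + rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale) for v in g]


def compress_top_k(g, ratio):
    """Gradient compression: keep only the largest-magnitude (1 - ratio) fraction of the
    entries (at least one) and zero the rest, as a communication-efficient client would."""
    keep = max(1, int(round(len(g) * (1.0 - ratio))))
    kept = set(sorted(range(len(g)), key=lambda i: -abs(g[i]))[:keep])
    return [g[i] if i in kept else 0.0 for i in range(len(g))]


def nonzero_count(g):
    return sum(1 for v in g if v != 0.0)


def leak_after_mitigation(sigma, ratio, seed=0):
    """Residual similarity between the private input and the gradient row that would
    actually leave the client after Gaussian noise and top-k compression."""
    mitigated = compress_top_k(add_gaussian_noise(SHARED_ROW, sigma, seed), ratio)
    return abs_cosine(mitigated, X_PRIVATE)


if __name__ == "__main__":
    for sigma, ratio in [(0.0, 0.0), (0.0, 0.5), (0.05, 0.0), (0.5, 0.0), (0.5, 0.5)]:
        print(f"sigma={sigma:<4} ratio={ratio:<4} similarity={leak_after_mitigation(sigma, ratio):.3f}")
    print("laplace sample:", [round(v, 3) for v in add_laplace_noise(SHARED_ROW, 0.1)])
```

The numbers make the trade-off in the text visible: small noise barely moves the similarity, large noise destroys it (and the model update with it), and compression removes the small entries that the page calls unimportant for the attack while the large entries, which carry most of the direction, remain.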


Source: blog.csdn.net/qq_42395917/article/details/126323467