Deep Leakage from Gradients
Ligeng Zhu, Zhijian Liu, Song Han

TL;DR
This paper demonstrates that private training data can be reconstructed from shared gradients in distributed machine learning, revealing significant privacy risks and proposing gradient pruning as a defense.
Contribution
It introduces the concept of Deep Leakage from Gradient, showing how to recover training data from gradients and evaluating its effectiveness across vision and NLP tasks.
Findings
Gradient leakage is highly accurate for images and texts.
The proposed attack outperforms previous methods.
Gradient pruning effectively prevents data leakage.
Abstract
Exchanging gradients is a widely used method in modern multi-node machine learning systems (e.g., distributed training, collaborative learning). For a long time, people believed that gradients are safe to share: i.e., the training data will not be leaked by gradient exchange. However, we show that it is possible to obtain the private training data from the publicly shared gradients. We name this leakage as Deep Leakage from Gradient and empirically validate the effectiveness on both computer vision and natural language processing tasks. Experimental results show that our attack is much stronger than previous approaches: the recovery is pixel-wise accurate for images and token-wise matching for texts. We want to raise people's awareness to rethink the gradient's safety. Finally, we discuss several possible strategies to prevent such deep leakage. The most effective defense method is…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Neural Network Applications · Stochastic Gradient Optimization Techniques
