Towards General Deep Leakage in Federated Learning

TL;DR

This paper explores the vulnerabilities of federated learning by developing advanced reconstruction attacks that can recover private training data from shared gradients or weights, demonstrating significant improvements over existing methods.

Contribution

The authors introduce generalized reconstruction techniques applicable to both FedSGD and FedAvg scenarios, including a zero-shot label restoration method that overcomes previous limitations.

Findings

Effective data reconstruction on CIFAR-10 and ImageNet

Outperforms GradInversion in batch size and image quality

Reconstruction fails with even one incorrect label in batch

Abstract

Unlike traditional central training, federated learning (FL) improves the performance of the global model by sharing and aggregating local models rather than local data to protect the users' privacy. Although this training approach appears secure, some research has demonstrated that an attacker can still recover private data based on the shared gradient information. This on-the-fly reconstruction attack deserves to be studied in depth because it can occur at any stage of training, whether at the beginning or at the end of model training; no relevant dataset is required and no additional models need to be trained. We break through some unrealistic assumptions and limitations to apply this reconstruction attack in a broader range of scenarios. We propose methods that can reconstruct the training data from shared gradients or weights, corresponding to the FedSGD and FedAvg usage scenarios, respectively. We propose a zero-shot approach to restore labels even if there are duplicate labels in the batch. We study the relationship between the label and image restoration. We find that image restoration fails even if there is only one incorrectly inferred label in the batch; we also find that when batch images have the same label, the corresponding image is restored as a fusion of that class of images. Our approaches are evaluated on classic image benchmarks, including CIFAR-10 and ImageNet. The batch size, image quality, and the adaptability of the label distribution of our approach exceed those of GradInversion, the state-of-the-art.