Deep Leakage from Model in Federated Learning
Zihao Zhao, Mengen Luo, Wenbo Ding

TL;DR
This paper demonstrates that transmitting model weights in federated learning can leak private client data, introduces two novel attack frameworks, and evaluates defenses to enhance security in distributed machine learning.
Contribution
The paper introduces two new frameworks, DLM and DLM+, showing that model weights can leak private data in federated learning, and evaluates defenses against these attacks.
Findings
Model weights transmission can leak private data.
The proposed attacks are effective across various scenarios.
Defense mechanisms can mitigate the data leakage risks.
Abstract
Distributed machine learning has been widely used in recent years to tackle the problem of large and complex datasets. Therewith, the security of distributed learning has also drawn increasing attention from both academia and industry. In this context, federated learning (FL) was developed as a "secure" form of distributed learning by keeping private training data local, with only public model gradients communicated between parties. However, to date, a variety of gradient leakage attacks have been proposed against this procedure and have proved that it is insecure. For instance, a common drawback is shared by these attacks: they require too much auxiliary information, such as model weights, optimizers, and some hyperparameters (e.g., learning rate), which are difficult to obtain in real situations. Moreover, many existing algorithms avoid transmitting model gradients in FL and turn to sending model weights,…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Cryptography and Data Security · Adversarial Robustness in Machine Learning
