Dropout is NOT All You Need to Prevent Gradient Leakage

TL;DR

This paper critically examines dropout's effectiveness in preventing gradient inversion attacks in federated learning, revealing that dropout alone does not reliably protect client data from reconstruction.

Contribution

It introduces a novel Dropout Inversion Attack (DIA) that jointly models dropout masks and client data, demonstrating dropout's insufficiency as a standalone privacy safeguard.

Findings

Dropout-induced stochasticity can hinder gradient inversion attacks.

The proposed DIA effectively reconstructs client data despite dropout defenses.

Dropout alone cannot reliably prevent gradient leakage in federated learning.

Abstract

Gradient inversion attacks on federated learning systems reconstruct client training data from exchanged gradient information. To defend against such attacks, a variety of defense mechanisms were proposed. However, they usually lead to an unacceptable trade-off between privacy and model utility. Recent observations suggest that dropout could mitigate gradient leakage and improve model utility if added to neural networks. Unfortunately, this phenomenon has not been systematically researched yet. In this work, we thoroughly analyze the effect of dropout on iterative gradient inversion attacks. We find that state of the art attacks are not able to reconstruct the client data due to the stochasticity induced by dropout during model training. Nonetheless, we argue that dropout does not offer reliable protection if the dropout induced stochasticity is adequately modeled during attack optimization. Consequently, we propose a novel Dropout Inversion Attack (DIA) that jointly optimizes for client data and dropout masks to approximate the stochastic client model. We conduct an extensive systematic evaluation of our attack on four seminal model architectures and three image classification datasets of increasing complexity. We find that our proposed attack bypasses the protection seemingly induced by dropout and reconstructs client data with high fidelity. Our work demonstrates that privacy inducing changes to model architectures alone cannot be assumed to reliably protect from gradient leakage and therefore should be combined with complementary defense mechanisms.