Surrogate Model Extension (SME): A Fast and Accurate Weight Update Attack on Federated Learning
Junyi Zhu, Ruicong Yao, Matthew B. Blaschko

TL;DR
This paper introduces a novel surrogate model extension that significantly enhances the effectiveness and speed of gradient inversion attacks on federated learning weight updates, revealing greater privacy vulnerabilities.
Contribution
The authors propose a new surrogate model method leveraging gradient flow and low-rank properties to improve attack accuracy and speed on federated learning weight updates.
Findings
Achieves state-of-the-art attack performance on weight updates.
Runs up to 100 times faster than previous methods.
Reveals increased privacy risks in federated learning.
Abstract
In Federated Learning (FL) and many other distributed training frameworks, collaborators can hold their private data locally and only share the network weights trained with the local data after multiple iterations. Gradient inversion is a family of privacy attacks that recovers data from its generated gradients. Seemingly, FL can provide a degree of protection against gradient inversion attacks on weight updates, since the gradient of a single step is concealed by the accumulation of gradients over multiple local iterations. In this work, we propose a principled way to extend gradient inversion attacks to weight updates in FL, thereby better exposing weaknesses in the presumed privacy protection inherent in FL. In particular, we propose a surrogate model method based on the characteristic of two-dimensional gradient flow and low-rank property of local updates. Our method largely boosts…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning
