Mjolnir: Breaking the Shield of Perturbation-Protected Gradients via Adaptive Diffusion

TL;DR

This paper introduces Mjolnir, a novel diffusion-based attack that can effectively remove noise from perturbed gradients in federated learning, exposing private data despite existing protection mechanisms.

Contribution

Mjolnir is the first gradient leakage attack capable of breaking perturbation protections without access to original models or external data, using a diffusion model for denoising.

Findings

Mjolnir successfully recovers original gradients from noisy, protected gradients.

The attack exposes vulnerabilities in existing differential privacy defenses.

Extensive experiments confirm Mjolnir's effectiveness across models and noise types.

Abstract

Perturbation-based mechanisms, such as differential privacy, mitigate gradient leakage attacks by introducing noise into the gradients, thereby preventing attackers from reconstructing clients' private data from the leaked gradients. However, can gradient perturbation protection mechanisms truly defend against all gradient leakage attacks? In this paper, we present the first attempt to break the shield of gradient perturbation protection in Federated Learning for the extraction of private information. We focus on common noise distributions, specifically Gaussian and Laplace, and apply our approach to DNN and CNN models. We introduce Mjolnir, a perturbation-resilient gradient leakage attack that is capable of removing perturbations from gradients without requiring additional access to the original model structure or external data. Specifically, we leverage the inherent diffusion properties of gradient perturbation protection to develop a novel diffusion-based gradient denoising model for Mjolnir. By constructing a surrogate client model that captures the structure of perturbed gradients, we obtain crucial gradient data for training the diffusion model. We further utilize the insight that monitoring disturbance levels during the reverse diffusion process can enhance gradient denoising capabilities, allowing Mjolnir to generate gradients that closely approximate the original, unperturbed versions through adaptive sampling steps. Extensive experiments demonstrate that Mjolnir effectively recovers the protected gradients and exposes the Federated Learning process to the threat of gradient leakage, achieving superior performance in gradient denoising and private data recovery.