Federated Learning Nodes Can Reconstruct Peers' Image Data
Ethan Wilson, Kai Yue, Chau-Wai Wong, and Huaiyu Dai

TL;DR
This paper reveals that in federated learning, individual nodes can secretly reconstruct other nodes' private image data using gradient inversion and diffusion models, exposing significant privacy vulnerabilities.
Contribution
It demonstrates that honest-but-curious clients can perform silent, high-quality image reconstruction attacks on peers using gradient information and diffusion models, highlighting privacy risks.
Findings
Single clients can reconstruct peers' images from updates.
Diffusion models improve the perceptual quality of reconstructed images.
Reveals severe privacy risks in federated learning environments.
Abstract
Federated learning (FL) is a privacy-preserving machine learning framework that enables multiple nodes to train models on their local data and periodically average weight updates to benefit from other nodes' training. Each node's goal is to collaborate with other nodes to improve the model's performance while keeping its training data private. However, this framework does not guarantee data privacy. Prior work has shown that the gradient-sharing steps in FL can be vulnerable to data reconstruction attacks from an honest-but-curious central server. In this work, we show that an honest-but-curious node/client can also launch attacks to reconstruct peers' image data through gradient inversion, presenting a severe privacy risk. We demonstrate that a single client can silently reconstruct other clients' private images using diluted information available within consecutive updates. We…
Peer Reviews
Decision: Submitted to ICLR 2025
The strength of this paper lies in its successful implementation of an attack capable of reconstructing images from other participating users. The experiments effectively demonstrate the effectiveness of the proposed method.
I have several concerns regarding the experimental setup and the novelty of this paper, which I outline below: The method relies on several assumptions, including that each client has ample computational resources, employs a consistent learning rate, and trains with an equal number of images locally. Additionally, the approach presumes that the attacker is either aware of or can accurately estimate the number of clients participating in each training round. Further assumptions, such as the use
1. **Stealth and Undetectability**: The attack method does not disrupt the training process or introduce corrupted data, making it challenging for detection by servers or other clients, which underscores its potential impact.
2. **Relevance to Cross-Silo FL**: The findings are particularly concerning for cross-silo FL, where data scarcity is addressed through collaboration, emphasizing the need for enhanced privacy measures in such settings.
3. **Extensive Experiments**: The paper conducts tho
1. This paper attacks from the perspective of any node/client and reconstructs all training data of all other participants. However, this is no different from a conventional inversion attack launched from the server. When the secure aggregation protocol is applied, the server can obtain the model parameters at time $t$ and the corresponding aggregated gradients; while any client can receive the model parameters at time $t$ and time $t+1$. Obviously, the information obtained in these two cases is
This paper integrates gradient inversion attacks with generative models to achieve higher quality privacy attacks. Additionally, it takes into account attacks from peer nodes, making the scenario more versatile compared to traditional ones.
The authors claim that the advantage of this paper lies in the achievement of node-level privacy attacks in the federated learning scenario. However, there are several significant limitations: 1. Unreasonable assumptions. In the aggregation of global gradients, updates from different nodes are weighted based on the amount of training data used by each party. However, the authors simplistically assume that the parties aggregate with equal weights. Additionally, the authors mention that an attacke
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Brain Tumor Detection and Classification · Stochastic Gradient Optimization Techniques
Methods: Diffusion
