DRAGD: A Federated Unlearning Data Reconstruction Attack Based on Gradient Differences

TL;DR

This paper introduces DRAGD, a novel attack exploiting gradient differences during federated unlearning to reconstruct deleted data, revealing privacy vulnerabilities and proposing improved reconstruction methods with DRAGDP.

Contribution

The paper presents DRAGD, the first gradient-based attack on federated unlearning, and DRAGDP, an enhancement leveraging prior data to improve reconstruction accuracy.

Findings

DRAGD effectively reconstructs deleted data from gradient differences.

DRAGDP improves reconstruction accuracy using prior publicly available data.

Both methods outperform existing data reconstruction techniques.

Abstract

Federated learning enables collaborative machine learning while preserving data privacy. However, the rise of federated unlearning, designed to allow clients to erase their data from the global model, introduces new privacy concerns. Specifically, the gradient exchanges during the unlearning process can leak sensitive information about deleted data. In this paper, we introduce DRAGD, a novel attack that exploits gradient discrepancies before and after unlearning to reconstruct forgotten data. We also present DRAGDP, an enhanced version of DRAGD that leverages publicly available prior data to improve reconstruction accuracy, particularly for complex datasets like facial images. Extensive experiments across multiple datasets demonstrate that DRAGD and DRAGDP significantly outperform existing methods in data reconstruction.Our work highlights a critical privacy vulnerability in federated unlearning and offers a practical solution, advancing the security of federated unlearning systems in real-world applications.