From Risk to Resilience: Towards Assessing and Mitigating the Risk of Data Reconstruction Attacks in Federated Learning

TL;DR

This paper introduces a theoretical framework and practical tools for assessing and mitigating the risk of Data Reconstruction Attacks in Federated Learning, improving privacy protections while maintaining model performance.

Contribution

It proposes InvLoss for quantifying DRA effectiveness, derives an upper bound, and develops InvRE for comprehensive risk estimation, along with adaptive defenses.

Findings

InvLoss effectively measures DRA risk for FL models.

Spectral properties of Jacobian matrices influence DRA success.

Adaptive noise defenses improve privacy without reducing accuracy.

Abstract

Data Reconstruction Attacks (DRA) pose a significant threat to Federated Learning (FL) systems by enabling adversaries to infer sensitive training data from local clients. Despite extensive research, the question of how to characterize and assess the risk of DRAs in FL systems remains unresolved due to the lack of a theoretically-grounded risk quantification framework. In this work, we address this gap by introducing Invertibility Loss (InvLoss) to quantify the maximum achievable effectiveness of DRAs for a given data instance and FL model. We derive a tight and computable upper bound for InvLoss and explore its implications from three perspectives. First, we show that DRA risk is governed by the spectral properties of the Jacobian matrix of exchanged model updates or feature embeddings, providing a unified explanation for the effectiveness of defense methods. Second, we develop InvRE, an InvLoss-based DRA risk estimator that offers attack method-agnostic, comprehensive risk evaluation across data instances and model architectures. Third, we propose two adaptive noise perturbation defenses that enhance FL privacy without harming classification accuracy. Extensive experiments on real-world datasets validate our framework, demonstrating its potential for systematic DRA risk evaluation and mitigation in FL systems.