Exploiting Defenses against GAN-Based Feature Inference Attacks in Federated Learning

Xinjian Luo, Xianglong Zhang

TL;DR

This work addresses GAN-based feature inference threats in federated learning by introducing Anti-GAN, a defense that obfuscates the visual content of generated images while preserving classification features. It combines a CGAN-driven obfuscation, a low-level feature preservation mechanism via a pre-trained network, and a Mixup augmentation to form a safe training set for the federated model. Empirical results across MNIST, Fashion-MNIST, CelebA, and CIFAR-10 show substantial reductions in attacker reconstruction quality (SSIM) with limited accuracy loss (ADR typically under 5%), outperforming DP-SGD and dropout baselines. The study demonstrates that protecting group-level data distributions is feasible with practical utility, offering a new direction for privacy in FL, albeit without formal guarantees for group-level privacy.

Abstract

Federated learning (FL) is a decentralized model training framework that aims to merge isolated data islands while maintaining data privacy. However, recent studies have revealed that Generative Adversarial Network (GAN) based attacks can be employed in FL to learn the distribution of private datasets and reconstruct recognizable images. In this paper, we exploit defenses against GAN-based attacks in FL and propose a framework, Anti-GAN, to prevent attackers from learning the real distribution of the victim's data. The core idea of Anti-GAN is to manipulate the visual features of private training images to make them indistinguishable to human eyes even restored by attackers. Specifically, Anti-GAN projects the private dataset onto a GAN's generator and combines the generated fake images with the actual images to create the training dataset, which is then used for federated model training. The experimental results demonstrate that Anti-GAN is effective in preventing attackers from learning the distribution of private images while causing minimal harm to the accuracy of the federated model.

Paper Structure

This paper contains 24 sections, 5 equations, 7 figures, 6 tables, and 1 algorithm.

Figures (7)

  • Figure 1: The defense framework of Anti-GAN.
  • Figure 2: (a) examples generated from Eq. \ref{eq-obf-window}, where the red box denotes a $5\times 5$ window; (b) features extracted by the first convolutional layer of ResNet-18.
  • Figure 3: The structure of the defender's GAN.
  • Figure 4: (a)-(b): The accuracy degradation of the federated model and the performance of GAN-based attacks under Anti-GAN with different pixel variances $v_e$ and $\mu=0.5$; (c)-(d): the accuracy degradation and attack performance tested under Anti-GAN with different mixup parameters $\mu$ and $v_e=0.5$.
  • Figure 5: Examples generated with different (a) pixel variance $v_e$ and (b) Mixup parameter $\mu$. $x$ denotes the original images, $x'$ denotes the images generated by the defender's GAN, $\hat{x}$ denotes the Mixup images of $x$ and $x'$, and $\tilde{x}$ denotes the images restored by the attack of hitaj2017deep. Note that the images of $\tilde{x}$ do not correspond to $\hat{x}$ in a one-to-one manner, as GAN models are capable of generating only class representations rather than the original training images.
  • ...and 2 more figures
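The abstract and the Figure 5 caption describe the defender-side step that the federated model actually trains on: a private image $x$ is paired with a generator output $x'$ and the two are combined by Mixup with parameter $\mu$ into $\hat{x}$, and the paper reports the attacker's reconstruction quality with SSIM. The following Python block is an added illustration of that step and is not code from the Anti-GAN paper. It makes two labelled assumptions: the defender's CGAN is replaced by a hypothetical stand-in that returns the private image with Gaussian pixel noise of variance `v_e` clipped to [0, 1], and SSIM is computed over a single window covering the whole (constructed 8x8) image rather than the sliding-window form. The point it shows is how $\mu$ trades visual leakage of $x$ (SSIM between $x$ and $\hat{x}$) against training on generated content only.

```python
# Added illustration of the Mixup step of Anti-GAN (x: private image,
# x': generator output, x_hat = mu*x + (1-mu)*x') together with a global SSIM
# check of how much of x survives in x_hat. Not code from the paper.
# ASSUMPTION: the defender's GAN is replaced by a noise-adding stand-in.
import random


def make_private_image(size=8):
    """Constructed 'private' grayscale image: a bright square on a dark field."""
    img = [[0.1] * size for _ in range(size)]
    for r in range(2, 6):
        for c in range(2, 6):
            img[r][c] = 0.9
    return img


def stand_in_generator(x, v_e, seed=0):
    """Hypothetical stand-in for the defender's GAN output x'.
    ASSUMPTION: the real defender uses a CGAN; here x' is x plus Gaussian
    pixel noise of variance v_e, clipped to the valid pixel range [0, 1]."""
    rng = random.Random(seed)
    sigma = v_e ** 0.5
    return [[min(1.0, max(0.0, p + rng.gauss(0.0, sigma))) for p in row]
            for row in x]


def mixup(x, x_prime, mu):
    """Mixup image x_hat = mu * x + (1 - mu) * x', pixel by pixel."""
    return [[mu * p + (1.0 - mu) * q for p, q in zip(rx, rp)]
            for rx, rp in zip(x, x_prime)]


def global_ssim(a, b, L=1.0):
    """SSIM of two images over a single window covering the whole image
    (Wang et al. 2004 formula with the usual constants K1=0.01, K2=0.03).
    ASSUMPTION: the paper's SSIM is the sliding-window variant; the global
    form is used here to keep the example dependency-free."""
    fa = [p for row in a for p in row]
    fb = [p for row in b for p in row]
    n = len(fa)
    ma = sum(fa) / n
    mb = sum(fb) / n
    va = sum((p - ma) ** 2 for p in fa) / n
    vb = sum((p - mb) ** 2 for p in fb) / n
    cov = sum((p - ma) * (q - mb) for p, q in zip(fa, fb)) / n
    c1 = (0.01 * L) ** 2
    c2 = (0.03 * L) ** 2
    return ((2 * ma * mb + c1) * (2 * cov + c2)) / \
        ((ma ** 2 + mb ** 2 + c1) * (va + vb + c2))


def leakage_curve(x, v_e, mus=(0.0, 0.25, 0.5, 0.75, 1.0)):
    """SSIM between the private image and its Mixup image for each mu.
    mu=1 hands the real image to training (full leakage); mu=0 trains on
    x' only. Lower SSIM means less of x is visible in what the federated
    model (and hence a GAN-based attacker) gets to see."""
    x_prime = stand_in_generator(x, v_e)
    return {mu: global_ssim(x, mixup(x, x_prime, mu)) for mu in mus}


if __name__ == "__main__":
    x = make_private_image()
    for mu, s in leakage_curve(x, v_e=0.5).items():
        print(f"mu={mu:.2f}  SSIM(x, x_hat)={s:.3f}")
```

Running the block prints one line per $\mu$; the SSIM rises monotonically towards 1.0 at $\mu=1$, which is the leakage-versus-utility knob that Figure 4 sweeps. A real deployment would measure the attacker's reconstructions $\tilde{x}$ rather than $\hat{x}$ itself, since the paper's threat model is distribution learning through the shared model, not direct access to the training images.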