Combining Stochastic Defenses to Resist Gradient Inversion: An Ablation Study

Daniel Scheliga, Patrick Mäder, Marco Seeland

TL;DR

The paper addresses the privacy threat of gradient inversion in Federated Learning and shows that individual defenses can be circumvented if an attacker mimics a client's stochastic gradient computation. It introduces CDIA, an attack framework that leverages awareness of applied defenses to reconstruct data, and demonstrates that combining differential privacy with a stochastic privacy module (PRECODE or CVB) can reduce the attack success rate to zero while maintaining or improving model utility. Across MNIST, CIFAR-10, and additional architectures, the results underscore that defense stacking substantially strengthens privacy and that there is no reliable protection from single defenses alone. The findings advocate for evaluating defense strategies in combination and from an attacker’s perspective to ensure practical privacy in collaborative learning systems.

Abstract

Gradient Inversion (GI) attacks are a ubiquitous threat in Federated Learning (FL) as they exploit gradient leakage to reconstruct supposedly private training data. Common defense mechanisms such as Differential Privacy (DP) or stochastic Privacy Modules (PMs) introduce randomness during gradient computation to prevent such attacks. However, we pose that if an attacker effectively mimics a client's stochastic gradient computation, the attacker can circumvent the defense and reconstruct clients' private training data. This paper introduces several targeted GI attacks that leverage this principle to bypass common defense mechanisms. As a result, we demonstrate that no individual defense provides sufficient privacy protection. To address this issue, we propose to combine multiple defenses. We conduct an extensive ablation study to evaluate the influence of various combinations of defenses on privacy protection and model utility. We observe that only the combination of DP and a stochastic PM was sufficient to decrease the Attack Success Rate (ASR) from 100% to 0%, thus preserving privacy. Moreover, we found that this combination of defenses consistently achieves the best trade-off between privacy and model utility.

Paper Structure (29 sections, 2 equations, 2 figures, 5 tables, 2 algorithms)

Figures (2)

  • Figure 1: Visual summary of this paper: Neural networks are trained on MNIST, CIFAR-10, and four other datasets in an FL scenario. If defenses are applied on their own, they can be bypassed by targeted attacks or require such high gradient perturbation rates that the resulting model would suffer severe losses in model utility. However, applying a combination of defense mechanisms can prevent leakage from targeted GI attacks and even improve model utility compared to an unprotected baseline model.
  • Figure 2: Example reconstructions for the CNN on the MNIST and CIFAR-10 datasets when protected with different defense combinations. We illustrate examples for Dropout (DO), DP, GP, PRECODE (P) and CVB (C).