Approximate and Weighted Data Reconstruction Attack in Federated Learning

Yongcun Song, Ziqi Wang, Enrique Zuazua

TL;DR

An interpolation-based approximation method is proposed, which makes attacking FedAvg scenarios feasible by generating the intermediate model updates of the clients' local training processes, and a layer-wise weighted loss function is designed to improve the data quality of reconstruction.

Abstract

Federated Learning (FL) is a distributed learning paradigm that enables multiple clients to collaborate on building a machine learning model without sharing their private data. Although FL is considered privacy-preserving by design, recent data reconstruction attacks demonstrate that an attacker can recover clients' training data based on the parameters shared in FL. However, most existing methods fail to attack the most widely used horizontal Federated Averaging (FedAvg) scenario, where clients share model parameters after multiple local training steps. To tackle this issue, we propose an interpolation-based approximation method, which makes attacking FedAvg scenarios feasible by generating the intermediate model updates of the clients' local training processes. Then, we design a layer-wise weighted loss function to improve the data quality of reconstruction. We assign different weights to model updates in different layers according to the neural network structure, with the weights tuned by Bayesian optimization. Finally, experimental results validate the superiority of our proposed approximate and weighted attack (AWA) method over the other state-of-the-art methods, as demonstrated by the substantial improvement in different evaluation metrics for image data reconstructions.

Paper Structure

This paper contains 16 sections, 41 equations, 4 figures, 4 tables, 2 algorithms.

Figures (4)

  • Figure 1: Cumulative minimum loss $f(Q)$ of Bayesian optimization in four cases.
  • Figure 2: Comparison of the reconstruction results achieved by three data reconstruction methods in four FedAvg scenarios after 1,000 attack iterations. FedAvg parameters: batch size $N$, number of epochs $E$, number of mini-batches $B$. Methods: AWA (ours): reconstruction with the method in Algorithm \ref{alg_DataRecAttack}; AGIC: reconstruction with the method in [xu2022agic]; DLG: reconstruction with the method in [zhu2019deep].
  • Figure 3: Reconstruction results of our AWA method in four cases after 3,000 attack iterations.
  • Figure 4: Evaluation metrics of our AWA method in four cases after 3,000 attack iterations.

Theorems & Definitions (1)

  • Remark 2.1