
OASIS: Offsetting Active Reconstruction Attacks in Federated Learning

Tre' R. Jeter, Truc Nguyen, Raed Alharbi, My T. Thai

TL;DR

This work tackles the risk that dishonest federated servers can actively reconstruct private user data via gradient inversion. It introduces OASIS, an image-augmentation defense that ensures gradients encode a linear combination of original and augmented samples, preventing exact reconstruction while preserving FL performance. The authors analyze the attack principle, generalize attacks like CAH and RTF, and show that augmenting data to create common activation patterns disrupts single-sample gradient extraction. Experimental results on ImageNet and CIFAR100 demonstrate substantial reductions in reconstruction quality with only marginal accuracy loss, offering a scalable defense for privacy-preserving federated learning.

Abstract

Federated Learning (FL) has garnered significant attention for its potential to protect user privacy while enhancing model training efficiency. For that reason, FL has found its use in various domains, from healthcare to industrial engineering, especially where data cannot be easily exchanged due to sensitive information or privacy laws. However, recent research has demonstrated that FL protocols can be easily compromised by active reconstruction attacks executed by dishonest servers. These attacks involve the malicious modification of global model parameters, allowing the server to obtain a verbatim copy of users' private data by inverting their gradient updates. Tackling this class of attack remains a crucial challenge due to the strong threat model. In this paper, we propose a defense mechanism, namely OASIS, based on image augmentation that effectively counteracts active reconstruction attacks while preserving model performance. We first uncover the core principle of gradient inversion that enables these attacks and theoretically identify the main conditions by which the defense can be robust regardless of the attack strategies. We then construct our defense with image augmentation showing that it can undermine the attack principle. Comprehensive evaluations demonstrate the efficacy of the defense mechanism highlighting its feasibility as a solution.

Paper Structure

This paper contains 15 sections, 1 theorem, 26 equations, 14 figures, 1 table.

Key Result

Proposition 1

Given a sample $x_t\in \mathcal{D}$, if there exists an $x'_t\in \mathcal{D}$ such that $x_t$ and $x'_t$ activate the same set of neurons in the malicious layer, then the adversary cannot extract with $\frac{\partial \mathcal{L}_t}{\partial b_i} \neq 0$ from
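The principle behind Proposition 1, as an added example that is not part of the paper: a malicious first layer is modelled here as a single ReLU neuron $y_k = \mathrm{relu}(w \cdot x_k + b)$. Its batch gradients are $\partial\mathcal{L}/\partial w = \sum_k c_k x_k$ and $\partial\mathcal{L}/\partial b = \sum_k c_k$, summed over the samples that activate it, with $c_k = \partial\mathcal{L}/\partial y_k$. When exactly one sample activates the neuron, the quotient of the two gradients is that sample verbatim; when an augmented copy activates the same neuron, the quotient is a $c_k$-weighted linear combination of the original and its augmentation, which is what OASIS relies on. Everything below is constructed for illustration: the 4-pixel "images", the brightness-measuring weights and bias, the assumption that $c_k = 1$ for every active sample, and horizontal flip modelled as reversing a 1-D vector. The paper's attacks (RTF, CAH) use many such neurons; one is enough to show the mechanism.

```python
from typing import Callable, List, Sequence

Vector = List[float]


def dot(a: Sequence[float], b: Sequence[float]) -> float:
    return sum(x * y for x, y in zip(a, b))


def neuron_gradients(batch: Sequence[Vector], w: Vector, b: float,
                     upstream: Sequence[float]):
    """Batch-aggregated gradients of one ReLU neuron y_k = relu(w.x_k + b).

    Every sample that activates the neuron contributes dL/dw += (dL/dy_k) * x_k
    and dL/db += dL/dy_k; inactive samples contribute nothing.  upstream[k]
    stands in for dL/dy_k, whatever the rest of the network would produce.
    Returns (dL/dw, dL/db, indices of activating samples).
    """
    dw = [0.0] * len(w)
    db = 0.0
    active = []
    for k, (x, c) in enumerate(zip(batch, upstream)):
        if dot(w, x) + b > 0:  # ReLU is in its linear region for this sample
            active.append(k)
            db += c
            dw = [g + c * xi for g, xi in zip(dw, x)]
    return dw, db, active


def invert_neuron(dw: Vector, db: float):
    """Server-side inversion: dL/dw divided by dL/db.

    Equals the activating sample exactly if there is only one; otherwise it is
    the dL/dy-weighted average of all activating samples, a linear combination
    the server cannot separate back into individual inputs.
    """
    if db == 0.0:
        return None  # no sample reached this neuron: nothing to invert
    return [g / db for g in dw]


def hflip(x: Vector) -> Vector:
    """Toy horizontal flip: reverse the 1-D 'image' (assumption for this demo)."""
    return list(reversed(x))


def oasis_batch(batch: Sequence[Vector],
                transform: Callable[[Vector], Vector]) -> List[Vector]:
    """Pair every sample with its augmented copy before the local update."""
    out: List[Vector] = []
    for x in batch:
        out.append(x)
        out.append(transform(x))
    return out


def max_abs_err(a: Sequence[float], b: Sequence[float]) -> float:
    return max(abs(p - q) for p, q in zip(a, b))


# Constructed data: three 4-pixel "images" with distinct mean brightness.
X1 = [0.9, 0.7, 0.1, 0.3]   # mean 0.5
X2 = [0.2, 0.1, 0.3, 0.2]   # mean 0.2
X3 = [0.4, 0.3, 0.2, 0.3]   # mean 0.3
BATCH = [X1, X2, X3]

# Hypothetical malicious neuron: weights compute mean brightness, bias is set
# so that only X1 (and anything with the same brightness) crosses zero.
W_MAL = [0.25, 0.25, 0.25, 0.25]
B_MAL = -0.45


def run_attack(batch: Sequence[Vector]):
    """Return (reconstruction, activating indices) for the malicious neuron."""
    upstream = [1.0] * len(batch)  # assumption: dL/dy_k = 1 for every sample
    dw, db, active = neuron_gradients(batch, W_MAL, B_MAL, upstream)
    return invert_neuron(dw, db), active


if __name__ == "__main__":
    rec, act = run_attack(BATCH)
    print("without OASIS: active", act, "reconstruction", rec)
    rec2, act2 = run_attack(oasis_batch(BATCH, hflip))
    print("with OASIS:    active", act2, "reconstruction", rec2)
```

Without augmentation only X1 activates the neuron and `invert_neuron` returns it exactly. With `oasis_batch` the flipped copy has the same brightness, so it activates the same neuron (the condition in Proposition 1) and the quotient becomes the average of X1 and its flip, 0.3 away from the true pixels. Flip is chosen here because it preserves the statistic the malicious neuron thresholds on; a transformation that changes that statistic would not produce the shared activation pattern and would leave the attack intact, which is why the paper evaluates several transformations separately (Figure 5).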

Figures (14)

  • Figure 1: Overview design of OASIS. Top: Standard active reconstruction attack with malicious model modifications perfectly reconstructing training samples. Bottom: OASIS in place with augmented data to defend the active reconstruction attacks. The resulting reconstruction is a linear combination of images, effectively hiding the content of training samples. Note: Rotation is not the only transformation within OASIS.
  • Figure 2: Example visual representation of PSNR values. Images with lower PSNR tend to have worse reconstruction quality compared to images with higher PSNR.
  • Figure 3: Average PSNR over the images reconstructed by the RTF attack w.r.t the batch size and the number of attacked neurons on ImageNet and CIFAR100.
  • Figure 4: Average PSNR over the images reconstructed by the CAH attack w.r.t the batch size and the number of attacked neurons on ImageNet and CIFAR100.
  • Figure 5: PSNR values of images reconstructed by the RTF attack w.r.t different transformations and different batch sizes on ImageNet and CIFAR100. The green triangle denotes the average PSNR over all reconstructed images. (WO = Without OASIS, MR = Major Rotation, mR = Minor Rotation, SH = Shearing, HFlip = Horizontal Flip, and VFlip = Vertical Flip)
  • ...and 9 more figures

Theorems & Definitions (2)

  • Proposition 1
  • proof