Data Reconstruction Attacks and Defenses: A Systematic Evaluation

Sheng Liu, Zihan Wang, Yuxiao Chen, Qi Lei

TL;DR

This work reframes data reconstruction attacks as inverse problems in federated learning and provides both algorithmic upper bounds and information-theoretic lower bounds on reconstruction error for two-layer networks under various defenses. It couples theory with an empirically robust attack that combines gradient inversion with feature reconstruction to evaluate defense strength in a controlled, utility-aware manner. The paper introduces a rigorous defense evaluation metric and demonstrates that gradient pruning offers strong privacy protection with favorable utility costs, while DP-based approaches can be overly restrictive for data leakage problems. Overall, the framework enables systematic comparisons of defenses across strong attacks and guides future research toward more general architectures and practical privacy-utility tradeoffs.

Abstract

Reconstruction attacks and defenses are essential in understanding the data leakage problem in machine learning. However, prior work has centered around empirical observations of gradient inversion attacks, lacks theoretical grounding, and cannot disentangle the usefulness of defending methods from the computational limitation of attacking methods. In this work, we propose to view the problem as an inverse problem, enabling us to theoretically and systematically evaluate the data reconstruction attack. On various defense methods, we derived the algorithmic upper bound and the matching (in feature dimension and architecture dimension) information-theoretical lower bound on the reconstruction error for two-layer neural networks. To complement the theoretical results and investigate the utility-privacy trade-off, we defined a natural evaluation metric of the defense methods with similar utility loss among the strongest attacks. We further propose a strong reconstruction attack that helps update some previous understanding of the strength of defense methods under our proposed evaluation metric.

Paper Structure

This paper contains 55 sections, 34 theorems, 144 equations, 4 figures, and 8 tables.

Key Result

Proposition 2.1

For a two-layer neural network with $m$ hidden nodes and random weights, we denote the gradient by $G$. Under mild assumptions, the randomized mechanism $\mathcal{M}=G+\mathcal{N}(0,\sigma^2 I)$ is $(\epsilon,\delta)$-DP for any $\epsilon,\delta>0$ if $\sigma^2=\Omega(\frac{m\log(1/\delta)}{\epsilo

Figures (4)

  • Figure 1: An illustration of the key components of data reconstruction studied in this paper.
  • Figure 2: Comparison of the reconstruction results from the gradient inversion method of Geiping et al. (2020) and our proposed attack method on different defenses with batch size equal to 4. Our method achieves more robust reconstruction across various defenses. Gradient pruning ($p=0.99$) makes reconstructions from both methods almost unrecognizable.
  • Figure 3: The relation between the strength of the defense and the utility loss, measured respectively by the best RMSE of the reconstruction and the final training loss of the original task. Each dot represents a defense method with a different batch size and strength. For the same level of utility loss, gradient pruning has the best defending effect.
  • Figure 4: PSNR of reconstructed data using the method with and without feature matching. The difference indicates that feature matching improves robustness against defenses.

Theorems & Definitions (58)

  • Proposition 2.1: Short version of Proposition A.1 (label `prop:DP guarantee`)
  • Theorem 3.1: Informal; Theorem 5.1 in Wang et al. (2023)
  • Theorem 3.2: Short version of the theorem labelled `batchedmain`
  • Proposition 3.1: Short version of the proposition labelled `prop:twosteps`
  • Proposition 3.2: Short version of the proposition labelled `prop:aggre lower bound`
  • Proposition 3.3: Short version of the proposition labelled `prop:DP`
  • Proposition 3.4: Short version of the proposition labelled `prop:prune`
  • Proposition A.1: Full version of Proposition 2.1 (label `prop:DP guarantee short`)
  • Lemma A.2: Theorem 2 in Abadi et al. (2016)
  • Proof: Proof of Proposition A.1 (label `prop:DP guarantee`)
  • ...and 48 more