GI-SMN: Gradient Inversion Attack against Federated Learning without Prior Knowledge
Jin Qian, Kaimin Wei, Yongdong Wu, Jilian Zhang, Jipeng Chen, Huan Bao
TL;DR
The paper tackles privacy risks in federated learning posed by gradient inversion attacks that do not assume powerful attackers or idealized priors. It introduces GI-SMN, a gradient inversion attack based on a Style Migration Network that optimizes a low-dimensional latent code and leverages auxiliary regularization to improve gradient matching. By using StyleGAN-XL pre-trained on ImageNet and a latent code of size 64, GI-SMN substantially reduces the optimization space and delivers higher reconstruction fidelity, even under defenses like gradient pruning and differential privacy. Experimental results across CIFAR-10, TinyImageNet, FFHQ, and ImageNet demonstrate that GI-SMN outperforms state-of-the-art attacks in visual quality and similarity metrics, underscoring the ongoing privacy vulnerabilities in FL and the need for stronger defenses.
Abstract
Federated learning (FL) has emerged as a privacy-preserving machine learning approach in which multiple parties share gradient information rather than the original user data. Recent work has demonstrated that gradient inversion attacks can exploit the gradients of FL to recreate the original user data, posing significant privacy risks. However, these attacks make strong assumptions about the attacker, such as altering the model structure or parameters, obtaining batch normalization statistics, or acquiring prior knowledge of the original training set. Consequently, these attacks are not feasible in real-world scenarios. To this end, we propose a novel Gradient Inversion attack based on a Style Migration Network (GI-SMN), which breaks through the strong assumptions made by previous gradient inversion attacks. The optimization space is reduced by refining the latent code, and regularization terms are used to facilitate gradient matching. GI-SMN enables the reconstruction of user data with high similarity in batches. Experimental results have demonstrated that GI-SMN outperforms state-of-the-art gradient inversion attacks in both visual quality and similarity metrics. It can also overcome gradient pruning and differential privacy defenses.
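The abstract names two defenses, gradient pruning and differential privacy, that a gradient-matching attack must work through. The added example below (not code from the paper or its authors) is a defender-side check of how much directional signal a shared gradient keeps after each defense, measured as the cosine similarity between the defended gradient and the true one, which is the same quantity a gradient-matching objective optimizes. The gradient itself is a constructed Laplace-distributed array standing in for one layer's gradient; the keep ratio, clipping norm and noise multiplier are illustrative assumptions, not values from the paper.

```python
import numpy as np


def cosine_similarity(a, b):
    """Gradient-matching signal: 1.0 means the defended gradient points exactly
    where the true gradient points, ~0.0 means no directional information."""
    a, b = a.ravel(), b.ravel()
    return float(a @ b / (np.linalg.norm(a) * np.linalg.norm(b) + 1e-12))


def prune_gradient(grad, keep_ratio):
    """Magnitude-based gradient pruning: keep the keep_ratio fraction of entries
    with the largest |g| and zero the rest."""
    k = max(1, int(round(keep_ratio * grad.size)))
    magnitudes = np.abs(grad).ravel()
    threshold = np.partition(magnitudes, magnitudes.size - k)[magnitudes.size - k]
    return np.where(np.abs(grad) >= threshold, grad, 0.0)


def dp_gradient(grad, clip_norm, noise_multiplier, rng):
    """Gaussian-mechanism differential privacy: clip the gradient to L2 norm
    clip_norm, then add N(0, (noise_multiplier * clip_norm)^2) to each entry."""
    scale = min(1.0, clip_norm / (np.linalg.norm(grad) + 1e-12))
    noise = rng.normal(0.0, noise_multiplier * clip_norm, size=grad.shape)
    return grad * scale + noise


def surviving_signal(keep_ratio=0.2, clip_norm=1.0, noise_multiplier=0.01, seed=0):
    """Return the cosine similarity to the true gradient that survives each
    defense, applied independently to the same constructed gradient."""
    rng = np.random.default_rng(seed)
    # Constructed stand-in for a 10x64 weight gradient; Laplace entries give the
    # heavy-tailed magnitude distribution typical of real layer gradients.
    grad = rng.laplace(size=(10, 64))
    pruned = prune_gradient(grad, keep_ratio)
    noisy = dp_gradient(grad, clip_norm, noise_multiplier, rng)
    return {
        "pruned": cosine_similarity(grad, pruned),
        "dp": cosine_similarity(grad, noisy),
    }


if __name__ == "__main__":
    for keep in (0.5, 0.2, 0.05):
        print(f"pruning keep={keep:<5} signal={surviving_signal(keep_ratio=keep)['pruned']:.3f}")
    for nm in (0.01, 0.1, 1.0):
        print(f"DP noise_multiplier={nm:<5} signal={surviving_signal(noise_multiplier=nm)['dp']:.3f}")
```

Magnitude pruning leaves most of the direction intact because the few large entries carry most of the gradient's energy (for a pruned gradient the cosine equals the square root of the retained energy fraction), which is why pruning alone is a weak defense against matching-based reconstruction. Gaussian noise degrades the signal roughly as 1/sqrt(1 + d * noise_multiplier^2) for d gradient entries, so the noise multiplier, not the clipping norm, is the setting to audit when judging whether a DP configuration actually removes the signal an inversion attack needs.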
