QBI: Quantile-Based Bias Initialization for Efficient Private Data Reconstruction in Federated Learning

Micha V. Nowak, Tim P. Bott, David Khachaturov, Frank Puppe, Adrian Krenzer, Amar Hekalo

TL;DR

This paper proposes QBI, a novel bias initialization method that significantly enhances reconstruction capabilities by directly solving for bias values yielding sparse activation patterns, and proposes and evaluates AGGP, a defensive framework designed to prevent gradient sparsity attacks.

Abstract

Federated learning enables the training of machine learning models on distributed data without compromising user privacy, as data remains on personal devices and only model updates, such as gradients, are shared with a central coordinator. However, recent research has shown that the central entity can perfectly reconstruct private data from shared model updates by maliciously initializing the model's parameters. In this paper, we propose QBI, a novel bias initialization method that significantly enhances reconstruction capabilities. This is accomplished by directly solving for bias values yielding sparse activation patterns. Further, we propose PAIRS, an algorithm that builds on QBI. PAIRS can be deployed when a separate dataset from the target domain is available to further increase the percentage of data that can be fully recovered. Measured by the percentage of samples that can be perfectly reconstructed from batches of various sizes, our approach achieves significant improvements over previous methods with gains of up to 50% on ImageNet and up to 60% on the IMDB sentiment analysis text dataset. Furthermore, we establish theoretical limits for attacks leveraging stochastic gradient sparsity, providing a foundation for understanding the fundamental constraints of these attacks. We empirically assess these limits using synthetic datasets. Finally, we propose and evaluate AGGP, a defensive framework designed to prevent gradient sparsity attacks, contributing to the development of more secure and private federated learning systems.

Paper Structure

This paper contains 37 sections, 33 equations, 7 figures, 9 tables, 3 algorithms.

Figures (7)

  • Figure 1: Visualization of the passive data leakage of the first 20 neurons of a linear layer of size 200 (left) and the impact of our proposed client-side defense framework AGGP (right). Sparsely activated neurons are aggressively pruned, while the gradients of neurons with activation counts exceeding the cut-off threshold remain unaffected.
  • Figure 2: True user data (left), a batch of 20 images from the ImageNet dataset and reconstructed user data (right), using a linear layer of size 200 that was maliciously initialized with our QBI approach. Fully black images denote data points that could not be recovered. Despite the small layer size, in this particular setting, our method achieves perfect reconstruction of around 82.5% of the original data points, on average.
  • Figure 3: Visualization of the active data leakage of the first 20 neurons of a linear layer of size 200 (left), that was maliciously initialized using QBI, and the impact of AGGP (right). The artificially induced sparsity leads to aggressive gradient pruning across the entire layer.
  • Figure 4: Performance of a benign CNN-based image model (see the paper's image model table) on the CIFAR-10 dataset, using a batch size of 64, comparing the unmodified version (Base) to one protected using AGGP. The experiment used the Adam optimizer (Kingma and Ba, 2014) with a learning rate of 1e-5 and optimized the cross-entropy loss. Results are averaged across 10 runs using different seeds. The shaded regions correspond to the 95% confidence interval.
  • Figure 5: A mini-batch of true user data from the ImageNet dataset, compared to the images that could be reconstructed when the QBI-initialized linear layer was preceded by a LayerNorm layer. Normalization was reversed using the publicly available ImageNet normalization parameters. The reversal of normalization with imperfect parameters introduces a slight shift to the images' color and brightness; however, detail and structure are preserved, leading to a high structural similarity index (SSIM), ranging from $0.82$ to $0.96$ for these samples.
  • ...and 2 more figures
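
The client-side pruning rule described in the Figure 1 and Figure 3 captions, as an added sketch that is not the paper's AGGP algorithm: it counts how many batch samples activate each ReLU neuron and zeroes the gradients of neurons at or below a cut-off before the update is shared. The function names, the hard zeroing, the cut-off value and the sample data are all assumptions made for illustration.

```python
# Added illustration; names, sample values and the hard-zeroing rule are assumptions.

def layer_grads(W, b, batch, upstream):
    """Batch-summed gradients of ReLU(Wx + b) plus per-neuron activation counts."""
    n, d = len(W), len(W[0])
    gW, gb, counts = [[0.0] * d for _ in range(n)], [0.0] * n, [0] * n
    for x, up in zip(batch, upstream):
        for i in range(n):
            if sum(w * v for w, v in zip(W[i], x)) + b[i] > 0:  # neuron i fires
                counts[i] += 1
                gb[i] += up[i]
                for j in range(d):
                    gW[i][j] += up[i] * x[j]
    return gW, gb, counts

def exposed_input(gW_row, gb_i):
    """What the update reveals for one neuron: weight gradient / bias gradient."""
    return [g / gb_i for g in gW_row] if gb_i != 0 else None

def prune_sparse(gW, gb, counts, cutoff):
    """Zero the gradients of neurons with activation count <= cutoff;
    neurons whose count exceeds the cutoff are returned unchanged."""
    keep = [c > cutoff for c in counts]
    pW = [row[:] if k else [0.0] * len(row) for row, k in zip(gW, keep)]
    pb = [g if k else 0.0 for g, k in zip(gb, keep)]
    return pW, pb, [i for i, k in enumerate(keep) if not k]

# Constructed sample data: 3 neurons, 2 input features, batch of 3.
W = [[1.0, 0.0], [0.0, 1.0], [1.0, 1.0]]
B = [-2.5, -0.5, 0.0]
BATCH = [[3.0, 1.0], [1.0, 2.0], [2.0, 0.0]]
UPSTREAM = [[0.5] * 3, [0.25] * 3, [1.0] * 3]  # dLoss/d(output), constructed

def demo(cutoff=2):
    gW, gb, counts = layer_grads(W, B, BATCH, UPSTREAM)
    before = exposed_input(gW[0], gb[0])       # neuron 0 fired for one sample only
    pW, pb, pruned = prune_sparse(gW, gb, counts, cutoff)
    after = exposed_input(pW[0], pb[0])        # None once the gradient is zeroed
    return counts, before, pruned, after, pW[2] == gW[2]

if __name__ == "__main__":
    print(demo())
```

Neuron 0 fires for a single sample, so its unpruned update equals that sample exactly; a layer initialized so that most neurons look like this would have nearly all of its gradients zeroed, which matches the layer-wide pruning the Figure 3 caption describes.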