Enhancing Privacy of Spatiotemporal Federated Learning against Gradient Inversion Attacks
Lele Zheng, Yang Cao, Renhe Jiang, Kenjiro Taura, Yulong Shen, Sheng Li, Masatoshi Yoshikawa
TL;DR
The paper addresses privacy risks in spatiotemporal federated learning by introducing ST-GIA, a gradient inversion attack tailored to mobility data that reconstructs private locations from gradients. It proposes an adaptive privacy-preserving strategy comprising adaptive budget allocation and a personalized constraint-domain mechanism (PGEM) to mitigate attacks while preserving utility, leveraging road-network knowledge and dynamic perturbation. The approach is validated on three real-world datasets, showing ST-GIA's effectiveness and that the adaptive strategy yields superior privacy-utility trade-offs compared to existing differential privacy baselines. These contributions advance practical privacy protections for spatiotemporal FL in location-based services and lay groundwork for broader applications like traffic flow prediction.
Abstract
Spatiotemporal federated learning has recently raised intensive studies due to its ability to train valuable models with only shared gradients in various location-based services. On the other hand, recent studies have shown that shared gradients may be subject to gradient inversion attacks (GIA) on images or texts. However, so far there has not been any systematic study of the gradient inversion attacks in spatiotemporal federated learning. In this paper, we explore the gradient attack problem in spatiotemporal federated learning from attack and defense perspectives. To understand privacy risks in spatiotemporal federated learning, we first propose Spatiotemporal Gradient Inversion Attack (ST-GIA), a gradient attack algorithm tailored to spatiotemporal data that successfully reconstructs the original location from gradients. Furthermore, we design an adaptive defense strategy to mitigate gradient inversion attacks in spatiotemporal federated learning. By dynamically adjusting the perturbation levels, we can offer tailored protection for varying rounds of training data, thereby achieving a better trade-off between privacy and utility than current state-of-the-art methods. Through intensive experimental analysis on three real-world datasets, we reveal that the proposed defense strategy can well preserve the utility of spatiotemporal federated learning with effective security protection.