
A New Federated Learning Framework Against Gradient Inversion Attacks

Pengxin Guo, Shuang Zeng, Wenhao Chen, Xiaodan Zhang, Weihong Ren, Yuyin Zhou, Liangqiong Qu

TL;DR

HyperFL tackles privacy leakage in federated learning under Gradient Inversion Attacks by replacing direct gradient sharing with hypernetwork-generated per-client feature extractors. The framework decomposes models into a shared hypernetwork-generated feature extractor and a private classifier head, uploading only hypernetwork parameters for aggregation, with adapters for large pretrained models (HyperFL-LPM) to enable scalability. Theoretical analysis shows an $O(1/\sqrt{T})$ convergence rate (with potential improvements under PL conditions), while experiments on EMNIST, Fashion-MNIST, CIFAR-10, and CINIC-10 demonstrate competitive accuracy and strong privacy against IG/ROG-style attacks, outperforming DP-based FL baselines. HyperFL offers a practical, scalable privacy-preserving FL paradigm that reduces leakage without heavy cryptographic overhead, making it attractive for heterogeneous and large-scale deployments.

Abstract

Federated Learning (FL) aims to protect data privacy by enabling clients to collectively train machine learning models without sharing their raw data. However, recent studies demonstrate that information exchanged during FL is subject to Gradient Inversion Attacks (GIA) and, consequently, a variety of privacy-preserving methods have been integrated into FL to thwart such attacks, such as Secure Multi-party Computing (SMC), Homomorphic Encryption (HE), and Differential Privacy (DP). Despite their ability to protect data privacy, these approaches inherently involve substantial privacy-utility trade-offs. By revisiting the key to privacy exposure in FL under GIA, which lies in the frequent sharing of model gradients that contain private data, we take a new perspective by designing a novel privacy-preserving FL framework that effectively “breaks the direct connection” between the shared parameters and the local private data to defend against GIA. Specifically, we propose a Hypernetwork Federated Learning (HyperFL) framework that utilizes hypernetworks to generate the parameters of the local model, and only the hypernetwork parameters are uploaded to the server for aggregation. Theoretical analyses demonstrate the convergence rate of the proposed HyperFL, while extensive experimental results show the privacy-preserving capability and comparable performance of HyperFL. Code is available at https://github.com/Pengxin-Guo/HyperFL.

Paper Structure

This paper contains 42 sections, 3 theorems, 48 equations, 8 figures, 5 tables.

Key Result

Theorem 1

Let Assumptions 1, 2 and 3 hold and let $L$, $M$, $\sigma_i$, $G$ be defined therein. Denote $\eta_{\min }=\min \left\{\eta_g, \frac{1}{2} \eta_h, \eta_v\right\}$ and $E$ as the number of local training iterations between two communication rounds. Then we have where $\mathcal{L}_i^0 - \mathcal{L}_i^* \leq D, \forall i$, and $\eta_g^2+\eta_v^2+(E-1) \eta_h^2+\frac{E-1}{L}

Figures (8)

  • Figure 1: Left. Existing methods mainly explore defense mechanisms on the shared gradients. Such mechanisms, including SMC, HE, and DP, inherently involve substantial privacy-utility trade-offs. Right. A novel FL framework that “breaks the direct connection” between the shared parameters and the local private data is proposed to achieve a favorable privacy-utility trade-off.
  • Figure 2: The proposed HyperFL framework. HyperFL decouples each client’s network into the former feature extractor $f(; \theta_i)$ and the latter classifier head $g(;{\phi _i})$. An auxiliary hypernetwork $h(;{\varphi _i})$ is introduced to generate local clients’ feature extractor $f(; \theta_i)$ using the client’s private embedding vector $\mathbf{v}_i$, i.e., ${\theta _i} = h({{\bf{v}}_i};{\varphi _i})$. These generated parameters are then used to extract features from the input ${x}_i$, which are subsequently fed into the classifier to obtain the output $\hat{y}_i$, expressed as $\hat{y}_i = g( f({x}_i; \theta_i); \phi_i)$. Throughout the FL training, only the hypernetwork $\varphi_i$ is shared, while all other components are kept private, thus effectively mitigating potential privacy leakage concerns.
  • Figure 3: The proposed HyperFL-LPM framework within each client. In this framework, the weights of the pre-trained model are fixed, while only the classifier, hypernetwork, and client embedding are trainable. Note that $\theta$ here represents the parameters of the adapters.
  • Figure 4: (a) Average training loss of different methods on the EMNIST dataset with 20 clients. (b) Parameter difference of the generated feature extractor of one client between adjacent training rounds on the EMNIST dataset with 20 clients.
  • Figure 5: Reconstructed images of IG.
  • ...and 3 more figures
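The decomposition described in the abstract and in the Figure 2 caption, as an added pure-Python sketch that is not code from the HyperFL paper or its repository: the hypernetwork $h$ is assumed to be linear, all dimensions are arbitrary, and local training is omitted. What it makes concrete is which parameters leave a client (only $\varphi_i$) and why the same aggregated $\varphi$ still yields a different feature extractor per client (the embedding $\mathbf{v}_i$ never leaves).

```python
import random
from typing import Dict, List

Mat = List[List[float]]

def matvec(W: Mat, v: List[float]) -> List[float]:
    return [sum(w * x for w, x in zip(row, v)) for row in W]

class Client:
    """One HyperFL client: private embedding v_i, private classifier head phi_i,
    and the hypernetwork varphi_i, which is the only thing ever uploaded."""
    def __init__(self, d_v: int, d_in: int, d_feat: int, n_cls: int, seed: int):
        rng = random.Random(seed)  # constructed toy initialisation
        self.d_in, self.d_feat = d_in, d_feat
        self.v = [rng.uniform(-1, 1) for _ in range(d_v)]                                 # private
        self.phi = [[rng.uniform(-1, 1) for _ in range(d_feat)] for _ in range(n_cls)]    # private
        n_theta = d_in * d_feat
        self.varphi = {"W": [[rng.uniform(-1, 1) for _ in range(d_v)] for _ in range(n_theta)],
                       "b": [0.0] * n_theta}                                              # shared

    def feature_extractor(self) -> Mat:
        """theta_i = h(v_i; varphi_i): an (assumed) linear hypernetwork maps v_i to
        the flattened weights of f, reshaped to d_feat x d_in."""
        flat = [t + b for t, b in zip(matvec(self.varphi["W"], self.v), self.varphi["b"])]
        return [flat[r * self.d_in:(r + 1) * self.d_in] for r in range(self.d_feat)]

    def predict(self, x: List[float]) -> List[float]:
        """y_hat = g(f(x; theta_i); phi_i), with a ReLU feature extractor f."""
        z = [max(0.0, a) for a in matvec(self.feature_extractor(), x)]
        return matvec(self.phi, z)

    def upload(self) -> Dict[str, list]:
        """What leaves the client: hypernetwork parameters only (no v_i, no phi_i)."""
        return {"W": [row[:] for row in self.varphi["W"]], "b": self.varphi["b"][:]}

def server_aggregate(uploads: List[Dict[str, list]]) -> Dict[str, list]:
    """FedAvg over the uploaded hypernetworks; the server never sees v_i or phi_i."""
    n = len(uploads)
    rows, cols = len(uploads[0]["W"]), len(uploads[0]["W"][0])
    W = [[sum(u["W"][r][c] for u in uploads) / n for c in range(cols)] for r in range(rows)]
    b = [sum(u["b"][k] for u in uploads) / n for k in range(len(uploads[0]["b"]))]
    return {"W": W, "b": b}

def run_round(clients: List[Client]) -> Dict[str, list]:
    """One communication round: upload, aggregate, broadcast the averaged varphi."""
    agg = server_aggregate([c.upload() for c in clients])
    for c in clients:
        c.varphi = {"W": [row[:] for row in agg["W"]], "b": agg["b"][:]}
    return agg
```

After a round every client holds the same $\varphi$, yet `feature_extractor()` still differs across clients because each $\mathbf{v}_i$ stays local; the server-side record of the round contains nothing computed directly from $x_i$.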

Theorems & Definitions (6)

  • Theorem 1
  • Corollary 1
  • proof
  • proof
  • Theorem 2
  • proof