
Defending Against Gradient Inversion Attacks for Biomedical Images via Learnable Data Perturbation

Shiyi Jiang, Farshad Firouzi, Krishnendu Chakrabarty

TL;DR

Gradient inversion attacks threaten privacy in federated learning for biomedical images: a server that receives a client's gradient update can reconstruct the training images behind it. The authors propose a latent-perturbation minimax defense that adds learnable Gaussian noise to the latent representation and uses a decoder branch to constrain leakage while preserving utility. The method is evaluated on a natural-image dataset (CIFAR-10) and a medical one (BloodMNIST), outperforming the DP-SGD and BiDO baselines with a 12.5% reduction in attacker accuracy and an increase of over 12% in reconstruction MSE at roughly 90% client accuracy. The results suggest a generalizable privacy-preserving approach for healthcare data, and the paper outlines avenues for stronger defenses and broader attack evaluations.

Abstract

The increasing need for sharing healthcare data and collaborating on clinical research has raised privacy concerns. Health information leakage due to malicious attacks can lead to serious problems such as misdiagnoses and patient identification issues. Privacy-preserving machine learning (PPML) and privacy-enhancing technologies, particularly federated learning (FL), have emerged in recent years as innovative solutions to balance privacy protection with data utility; however, they also suffer from inherent privacy vulnerabilities. Gradient inversion attacks constitute major threats to data sharing in federated learning. Researchers have proposed many defenses against gradient inversion attacks. However, current defense methods for healthcare data lack generalizability, i.e., existing solutions may not be applicable to data from a broader range of populations. In addition, most existing defense methods are tested using non-healthcare data, which raises concerns about their applicability to real-world healthcare systems. In this study, we present a defense against gradient inversion attacks in federated learning. We achieve this using latent data perturbation and minimax optimization, utilizing both general and medical image datasets. Our method is compared to two baselines, and the results show that our approach can outperform the baselines with a reduction of 12.5% in the attacker's accuracy in classifying reconstructed images. The proposed method also yields an increase of over 12.4% in Mean Squared Error (MSE) between the original and reconstructed images at the same level of model utility of around 90% client classification accuracy. The results suggest the potential of a generalizable defense for healthcare data.
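The abstract names the threat (gradient inversion) and the defensive principle (perturbing the latent data before the gradient is computed) without showing either. The following is an added illustration, not code from the paper: it uses the closed-form inversion that exists for a single linear layer with bias (each row of dL/dW is the input scaled by the matching entry of dL/db) to show why a shared gradient leaks the input exactly, and then compares two defenses on a constructed 256-pixel "image". The "latent_noise" case adds fixed Gaussian noise to the representation fed to the classifier, which is the principle behind the paper's defense but not its method (the paper learns the noise jointly with a decoder branch under a minimax objective, which is not reproduced here); the "gradient_noise" case is a simplified DP-SGD-style baseline without clipping. All weights, pixels and the sigma value are assumptions chosen for the demonstration.

```python
import math
import random


def softmax(z):
    """Numerically stable softmax."""
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


def gradients(W, b, x, label):
    """Cross-entropy gradients of a single linear layer z = W x + b.

    dL/db = softmax(z) - onehot(label) and dL/dW = outer(dL/db, x), so every
    row of dW is a scaled copy of the input x. That is what the attacker exploits.
    """
    z = [sum(W[i][j] * x[j] for j in range(len(x))) + b[i] for i in range(len(b))]
    p = softmax(z)
    db = [p[i] - (1.0 if i == label else 0.0) for i in range(len(b))]
    dW = [[db[i] * x[j] for j in range(len(x))] for i in range(len(b))]
    return dW, db


def invert(dW, db):
    """Closed-form gradient inversion for a linear layer with bias:
    x = dW[i] / db[i] for any row i with db[i] != 0 (take the best-conditioned row)."""
    i = max(range(len(db)), key=lambda k: abs(db[k]))
    return [v / db[i] for v in dW[i]]


def mse(a, b):
    return sum((u - v) ** 2 for u, v in zip(a, b)) / len(a)


def add_noise(vec, sigma, rng):
    return [v + rng.gauss(0.0, sigma) for v in vec]


def run_attack(defense="none", sigma=0.2, d=256, classes=10, seed=1):
    """One FL client step on a single constructed image, then server-side inversion.

    defense: "none"           - the client shares the raw gradient
             "latent_noise"   - the client adds N(0, sigma^2) noise to the representation
                                fed to the classifier before computing the gradient
                                (fixed noise; the paper learns it, which is not done here)
             "gradient_noise" - the client adds N(0, sigma^2) noise to the shared gradient
                                (simplified DP-SGD-style baseline, no clipping)
    Returns the MSE between the true image and the server's reconstruction.
    """
    rng = random.Random(seed)
    x = [rng.random() for _ in range(d)]                                   # constructed pixels in [0, 1]
    label = rng.randrange(classes)
    W = [[rng.gauss(0.0, 0.1) for _ in range(d)] for _ in range(classes)]  # hypothetical model weights
    b = [0.0] * classes

    x_in = add_noise(x, sigma, rng) if defense == "latent_noise" else x
    dW, db = gradients(W, b, x_in, label)
    if defense == "gradient_noise":
        dW = [add_noise(row, sigma, rng) for row in dW]
        db = add_noise(db, sigma, rng)

    x_hat = invert(dW, db)  # what an honest-but-curious server recovers from the update
    return mse(x, x_hat)


if __name__ == "__main__":
    for name in ("none", "latent_noise", "gradient_noise"):
        print(f"{name:15s} reconstruction MSE = {run_attack(name):.4f}")
```

Without a defense the reconstruction is exact up to floating-point rounding. With latent perturbation the attacker still inverts the gradient perfectly, but what it recovers is the perturbed latent, so the MSE against the real image is about sigma squared no matter how strong the inversion attack is; the difficulty, and the paper's contribution, is choosing that noise so that the classifier still reaches useful accuracy. Gradient noise also raises the MSE but does so by corrupting the update itself, which is why its utility cost is harder to control. Real CNN clients have no closed-form inverse and attackers instead optimise a dummy input to match the observed gradient, but the leakage channel is the same one shown here.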

Paper Structure

This paper contains 21 sections, 3 equations, 6 figures, 5 tables, 1 algorithm.

Figures (6)

  • Figure 1: Overall framework of the proposed method for defending against reconstruction attacks.
  • Figure 2: Comparisons between original sample images from CIFAR-10 and reconstructed images using different defense methods.
  • Figure 3: Comparisons between original sample images from BloodMNIST and reconstructed images using different defense methods.
  • Figure 4: Similarity between the original and reconstructed images in terms of MSE versus client classification accuracy.
  • Figure 5: Similarity between the original and reconstructed images in terms of MSE versus client classification accuracy.
  • ...and 1 more figure