Table of Contents
Fetching ...

Nosy Layers, Noisy Fixes: Tackling DRAs in Federated Learning Systems using Explainable AI

Meghali Nandi, Arash Shaghaghi, Nazatul Haque Sultan, Gustavo Batista, Raymond K. Zhao, Sanjay Jha

TL;DR

DRArmor tackles Data Reconstruction Attacks in Federated Learning by treating the model as a white-box system and using Explainable AI to pinpoint malicious layers that drive data leakage. It combines Layer-wise Relevance Propagation, Deep Taylor Decomposition, and Wasserstein-distance analyses to detect anomalous gradient behavior and layer contributions, followed by targeted defenses such as per-layer DP noise, pixelation, or pruning. Across MNIST, CIFAR-10/100, ImageNet, and Cats vs. Dogs with up to 200 clients, DRArmor achieves high detection rates (TPR ≈ 0.91, TNR ≈ 0.89), maintains close to state-of-the-art accuracy (average around 87%), and reduces data leakage substantially (about 62.5% relative to baselines). The approach provides a scalable, privacy-preserving alternative to global defenses, enabling client-side mitigation with modest computational overhead and robustness to continuous or periodic poisoning.

Abstract

Federated Learning (FL) has emerged as a powerful paradigm for collaborative model training while keeping client data decentralized and private. However, it is vulnerable to Data Reconstruction Attacks (DRA) such as "LoKI" and "Robbing the Fed", where malicious models sent from the server to the client can reconstruct sensitive user data. To counter this, we introduce DRArmor, a novel defense mechanism that integrates Explainable AI with targeted detection and mitigation strategies for DRA. Unlike existing defenses that focus on the entire model, DRArmor identifies and addresses the root cause (i.e., malicious layers within the model that send gradients with malicious intent) by analyzing their contribution to the output and detecting inconsistencies in gradient values. Once these malicious layers are identified, DRArmor applies defense techniques such as noise injection, pixelation, and pruning to these layers rather than the whole model, minimizing the attack surface and preserving client data privacy. We evaluate DRArmor's performance against the advanced LoKI attack across diverse datasets, including MNIST, CIFAR-10, CIFAR-100, and ImageNet, in a 200-client FL setup. Our results demonstrate DRArmor's effectiveness in mitigating data leakage, achieving high True Positive and True Negative Rates of 0.910 and 0.890, respectively. Additionally, DRArmor maintains an average accuracy of 87%, effectively protecting client privacy without compromising model performance. Compared to existing defense mechanisms, DRArmor reduces the data leakage rate by 62.5% with datasets containing 500 samples per client.

Nosy Layers, Noisy Fixes: Tackling DRAs in Federated Learning Systems using Explainable AI

TL;DR

DRArmor tackles Data Reconstruction Attacks in Federated Learning by treating the model as a white-box system and using Explainable AI to pinpoint malicious layers that drive data leakage. It combines Layer-wise Relevance Propagation, Deep Taylor Decomposition, and Wasserstein-distance analyses to detect anomalous gradient behavior and layer contributions, followed by targeted defenses such as per-layer DP noise, pixelation, or pruning. Across MNIST, CIFAR-10/100, ImageNet, and Cats vs. Dogs with up to 200 clients, DRArmor achieves high detection rates (TPR ≈ 0.91, TNR ≈ 0.89), maintains close to state-of-the-art accuracy (average around 87%), and reduces data leakage substantially (about 62.5% relative to baselines). The approach provides a scalable, privacy-preserving alternative to global defenses, enabling client-side mitigation with modest computational overhead and robustness to continuous or periodic poisoning.

Abstract

Federated Learning (FL) has emerged as a powerful paradigm for collaborative model training while keeping client data decentralized and private. However, it is vulnerable to Data Reconstruction Attacks (DRA) such as "LoKI" and "Robbing the Fed", where malicious models sent from the server to the client can reconstruct sensitive user data. To counter this, we introduce DRArmor, a novel defense mechanism that integrates Explainable AI with targeted detection and mitigation strategies for DRA. Unlike existing defenses that focus on the entire model, DRArmor identifies and addresses the root cause (i.e., malicious layers within the model that send gradients with malicious intent) by analyzing their contribution to the output and detecting inconsistencies in gradient values. Once these malicious layers are identified, DRArmor applies defense techniques such as noise injection, pixelation, and pruning to these layers rather than the whole model, minimizing the attack surface and preserving client data privacy. We evaluate DRArmor's performance against the advanced LoKI attack across diverse datasets, including MNIST, CIFAR-10, CIFAR-100, and ImageNet, in a 200-client FL setup. Our results demonstrate DRArmor's effectiveness in mitigating data leakage, achieving high True Positive and True Negative Rates of 0.910 and 0.890, respectively. Additionally, DRArmor maintains an average accuracy of 87%, effectively protecting client privacy without compromising model performance. Compared to existing defense mechanisms, DRArmor reduces the data leakage rate by 62.5% with datasets containing 500 samples per client.
Paper Structure (21 sections, 3 equations, 13 figures, 6 tables)

This paper contains 21 sections, 3 equations, 13 figures, 6 tables.

Figures (13)

  • Figure 1: Gradient Analysis Across Datasets: Identifying Malicious Layers at the Start of the Model using LRP (Batch Sizes: 64, 128) with threshold value of 0.5.
  • Figure 2: Gradient Analysis in ImageNet: Identifying Malicious Layers at the Start of the Model using DTD with threshold value of 0.5.
  • Figure 3: Gradient Analysis: Identifying Malicious Layers Further in the Model by DRArmor (Batch Size 128) with threshold value of 0.5.
  • Figure 4: Data Reconstructed at the Server Using DP-Gaussian noise with $\sigma^2 = 0.2$ after Identification of the Malicious Layers.
  • Figure 5: Illustration of Reconstruction Results using DRArmor with Pixelation.
  • ...and 8 more figures