
Differential Privacy: Gradient Leakage Attacks in Federated Learning Environments

Miguel Fernandez-de-Retana, Unai Zulaika, Rubén Sánchez-Corcuera, Aitor Almeida

TL;DR

This work probes how differential privacy mechanisms defend against gradient leakage in federated learning. By comparing DP-SGD and PDP-SGD across multiple vision architectures and datasets, it finds that DP-SGD substantially mitigates gradient leakage at the cost of some utility loss, while PDP-SGD preserves accuracy but fails to stop reconstruction attacks. The results underscore that theoretical privacy guarantees do not always translate to practical protection, particularly for specific attack vectors like gradient-based reconstructions. The findings advocate for empirical validation of privacy methods in distributed settings and tailored defense strategies aligned with real-world threat models.

Abstract

Federated Learning (FL) allows for the training of Machine Learning models in a collaborative manner without the need to share sensitive data. However, it remains vulnerable to Gradient Leakage Attacks (GLAs), which can reveal private information from the shared model updates. In this work, we investigate the effectiveness of Differential Privacy (DP) mechanisms - specifically, DP-SGD and a variant based on explicit regularization (PDP-SGD) - as defenses against GLAs. To this end, we evaluate the performance of several computer vision models trained under varying privacy levels on a simple classification task, and then analyze the quality of private data reconstructions obtained from the intercepted gradients in a simulated FL environment. Our results demonstrate that DP-SGD significantly mitigates the risk of gradient leakage attacks, albeit with a moderate trade-off in model utility. In contrast, PDP-SGD maintains strong classification performance but proves ineffective as a practical defense against reconstruction attacks. These findings highlight the importance of empirically evaluating privacy mechanisms beyond their theoretical guarantees, particularly in distributed learning scenarios where information leakage may represent an unacceptable, critical threat to data security and privacy.
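The abstract names DP-SGD as the mechanism that limits what an intercepted update can reveal, but does not spell out what a client actually does to its gradients before sharing them. The following is an added illustration, not the paper's code: a single DP-SGD step for a logistic-regression client on a constructed dataset, where each example's gradient is clipped to an L2 norm of `clip_norm` and Gaussian noise with standard deviation `noise_multiplier * clip_norm` is added before averaging. The model, the dataset and the parameter names are assumptions made for this example; the clipping-then-noising pattern is the standard DP-SGD recipe. A plain SGD step is included beside it so the difference in what leaves the client is visible.

```python
"""Added example (not from the paper): one DP-SGD update on a logistic-regression
client, contrasted with a plain SGD update. Everything here is constructed."""
import numpy as np

# Constructed client dataset: 32 examples, 8 features, label = sign of feature 0.
_rng = np.random.default_rng(0)
X_CLIENT = _rng.normal(size=(32, 8))
Y_CLIENT = (X_CLIENT[:, 0] > 0).astype(float)
W_INIT = np.zeros(8)


def per_example_gradients(w, X, y):
    """Gradient of the logistic loss for every example separately, shape (n, d).
    For logistic regression this is (sigmoid(x.w) - y) * x per row."""
    p = 1.0 / (1.0 + np.exp(-X @ w))
    return (p - y)[:, None] * X


def clip_per_example(grads, clip_norm):
    """Scale each row down so its L2 norm is at most clip_norm (rows already
    within the bound are left unchanged). This bounds the sensitivity of the sum."""
    norms = np.linalg.norm(grads, axis=1, keepdims=True)
    factors = np.minimum(1.0, clip_norm / np.maximum(norms, 1e-12))
    return grads * factors


def dp_sgd_update(w, X, y, lr, clip_norm, noise_multiplier, rng):
    """One DP-SGD step: clip per-example gradients, add Gaussian noise to their
    sum, divide by the batch size, then take the step. Returns the new weights
    and the noisy averaged gradient, which is all the client would share."""
    clipped = clip_per_example(per_example_gradients(w, X, y), clip_norm)
    noise = rng.normal(0.0, noise_multiplier * clip_norm, size=w.shape)
    noisy_mean = (clipped.sum(axis=0) + noise) / len(X)
    return w - lr * noisy_mean, noisy_mean


def plain_sgd_update(w, X, y, lr):
    """Non-private baseline: the exact mean gradient is what gets shared."""
    g = per_example_gradients(w, X, y).mean(axis=0)
    return w - lr * g, g


if __name__ == "__main__":
    _, shared_plain = plain_sgd_update(W_INIT, X_CLIENT, Y_CLIENT, lr=0.1)
    _, shared_dp = dp_sgd_update(W_INIT, X_CLIENT, Y_CLIENT, lr=0.1, clip_norm=1.0,
                                 noise_multiplier=1.0, rng=np.random.default_rng(1))
    print("plain update:", np.round(shared_plain, 3))
    print("DP-SGD update:", np.round(shared_dp, 3))
```

With `noise_multiplier=0.0` the DP-SGD update reduces to the mean of the clipped gradients, which is a useful sanity check when wiring this into a real training loop; the privacy accounting (how the clip norm, noise multiplier, sampling rate and number of rounds combine into an $(\varepsilon, \delta)$ guarantee) is a separate step that this snippet does not perform.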

Paper Structure

This paper contains 18 sections, 3 theorems, 8 equations, 10 figures, 1 table, 3 algorithms.

Key Result

Theorem 3.2

An algorithm $\mathcal{A}\colon \mathcal{D} \to \mathcal{R}$ is $\varepsilon$-differentially private if, for every pair of neighboring datasets $D, D' \in \mathcal{D}$ and for any subset $E \subseteq \mathcal{R}$, it holds that:

Figures (10)

  • Figure 1: Conceptual Summary of the Three Pillars of This Work: Federated Learning (FL), Gradient Leakage Attacks (GLA), and Differential Privacy (DP)
  • Figure 2: Class Distribution in the Training and Test Splits
  • Figure 3: Examples of Training Images (Hot-Dog vs Not Hot-Dog)
  • Figure 6: Reconstruction Progression of a Training Example from Model Gradients (No Privacy)
  • Figure 7: Final Reconstruction of a Training Instance from the Leaked Model Gradients (From Left to Right: No Privacy vs DP-SGD vs PDP-SGD)
  • ...and 5 more figures

Theorems & Definitions (4)

  • Definition 3.1: Neighborhood in $\mathcal{D}$
  • Theorem 3.2: $\varepsilon$-Differential Privacy
  • Theorem 3.3: $(\varepsilon, \delta)$-Differential Privacy
  • Lemma 3.4: Group Differential Privacy