Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

SPEAR++: Scaling Gradient Inversion via Sparsely-Used Dictionary Learning

Alexander Bakarsky, Dimitar I. Dimitrov, Maximilian Baader, Martin Vechev

TL;DR

This paper tackles the privacy risk in Federated Learning posed by gradient inversion attacks by scaling exact inversions for linear layers with ReLU activations. It reframes gradient leakage as a Sparsely-Used Dictionary Learning problem, replacing the prior exponential subproblem with scalable dictionary-learning-based search and a sampling-based rounding step. The authors demonstrate that SPEAR++ achieves much higher batch-size scalability (about 10x) while preserving robustness to DP noise and FedAvg aggregation, providing a practical attack with strong reconstruction performance. The work highlights a stronger privacy vulnerability in real-world FL deployments and offers a concrete methodology for attackers and a framework for evaluating defenses.

Abstract

Federated Learning has seen an increased deployment in real-world scenarios recently, as it enables the distributed training of machine learning models without explicit data sharing between individual clients. Yet, the introduction of the so-called gradient inversion attacks has fundamentally challenged its privacy-preserving properties. Unfortunately, as these attacks mostly rely on direct data optimization without any formal guarantees, the vulnerability of real-world systems remains in dispute and requires tedious testing for each new federated deployment. To overcome these issues, recently the SPEAR attack was introduced, which is based on a theoretical analysis of the gradients of linear layers with ReLU activations. While SPEAR is an important theoretical breakthrough, the attack's practicality was severely limited by its exponential runtime in the batch size b. In this work, we fill this gap by applying State-of-the-Art techniques from Sparsely-Used Dictionary Learning to make the problem of gradient inversion on linear layers with ReLU activations tractable. Our experiments demonstrate that our new attack, SPEAR++, retains all desirable properties of SPEAR, such as robustness to DP noise and FedAvg aggregation, while being applicable to 10x bigger batch sizes.

SPEAR++: Scaling Gradient Inversion via Sparsely-Used Dictionary Learning

TL;DR

This paper tackles the privacy risk in Federated Learning posed by gradient inversion attacks by scaling exact inversions for linear layers with ReLU activations. It reframes gradient leakage as a Sparsely-Used Dictionary Learning problem, replacing the prior exponential subproblem with scalable dictionary-learning-based search and a sampling-based rounding step. The authors demonstrate that SPEAR++ achieves much higher batch-size scalability (about 10x) while preserving robustness to DP noise and FedAvg aggregation, providing a practical attack with strong reconstruction performance. The work highlights a stronger privacy vulnerability in real-world FL deployments and offers a concrete methodology for attackers and a framework for evaluating defenses.

Abstract

Federated Learning has seen an increased deployment in real-world scenarios recently, as it enables the distributed training of machine learning models without explicit data sharing between individual clients. Yet, the introduction of the so-called gradient inversion attacks has fundamentally challenged its privacy-preserving properties. Unfortunately, as these attacks mostly rely on direct data optimization without any formal guarantees, the vulnerability of real-world systems remains in dispute and requires tedious testing for each new federated deployment. To overcome these issues, recently the SPEAR attack was introduced, which is based on a theoretical analysis of the gradients of linear layers with ReLU activations. While SPEAR is an important theoretical breakthrough, the attack's practicality was severely limited by its exponential runtime in the batch size b. In this work, we fill this gap by applying State-of-the-Art techniques from Sparsely-Used Dictionary Learning to make the problem of gradient inversion on linear layers with ReLU activations tractable. Our experiments demonstrate that our new attack, SPEAR++, retains all desirable properties of SPEAR, such as robustness to DP noise and FedAvg aggregation, while being applicable to 10x bigger batch sizes.

Paper Structure

This paper contains 21 sections, 4 theorems, 6 equations, 1 figure, 4 tables, 6 algorithms.

Table of Contents

  1. Introduction
  2. Federated Learning
  3. Gradient Inversion Attacks
  4. This Work: Gradient Inversion via Sparsely-Used Dictionary Learning
  5. Main Contributions:
  6. Prior Work
  7. Background
  8. Threat model
  9. Exact Gradient Inversion for Batches
  10. Leveraging Sparsely-Used Dictionary Learning for Gradient Leakage
  11. Initial Decomposition
  12. Disaggregation Matrix Search as Dictionary Learning
  13. Filtering of False Candidates
  14. Rounding via Sampling
  15. Final algorithm
  16. ...and 6 more sections

Key Result

Theorem 3.1

The network's gradient w.r.t. the weights $\textbf{W}$ can be represented as the matrix product:

Figures (1)

  • Figure 1: All car images from a successfully reconstructed batch of size $b=210$ from CIFAR10 on network with width $m=4000$, reconstructed using SPEAR++ with $\ell_1$ loss and RAdam (top) compared to the ground truth (bottom). As seen, the reconstructions are indistinguishable from the original images by humans.

Theorems & Definitions (5)

  • Theorem 3.1: DBLP:conf/nips/DimitrovBMV24
  • Theorem 3.2: DBLP:conf/nips/DimitrovBMV24
  • Theorem 3.3: DBLP:conf/nips/DimitrovBMV24
  • Definition 3.4: DBLP:conf/nips/DimitrovBMV24
  • Theorem 4.1