Bayesian Framework for Gradient Leakage

Balunović, Mislav; Dimitrov, Dimitar; Staab, Robin; Vechev, Martin

doi:10.48550/arxiv.2111.04706

Cited by 2 publications

(7 citation statements)

References 7 publications

(16 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Moreover, recent work achieved near-perfect image reconstruction from gradients (Geiping et al, 2020;Yin et al, 2021;Jeon et al, 2021). Interestingly, prior work showed that an auxiliary model (Jeon et al, 2021) or prior information (Balunović et al, 2021) can significantly improve reconstruction quality. Finally, Huang et al (2021) recently noticed that gradient leakage attacks often make strong assumptions, namely that batch normalization statistics and ground truth labels are known.…”

Section: Related Workmentioning

confidence: 99%

“…Finally, there have been several works attempting to protect against gradient leakage. Works based on heuristics (Sun et al, 2021;Scheliga et al, 2021) lack privacy guarantees and have been shown ineffective against stronger attacks (Balunović et al, 2021), while those based on differential privacy do train models with formal privacy guaran-tees (Abadi et al, 2016), but this typically hurts the accuracy of the trained models as it requires adding noise to the gradients. We remark that in our work we also evaluate our attack on defended networks and demonstrate its effectiveness.…”

Section: Related Workmentioning

confidence: 99%

“…First, unlike prior work, we also evaluate batch sizes bigger than 1 to investigate whether we can reconstruct some of the sequences in this more challenging setting. Second, we evaluate attacks after the model has already been fine-tuned for 2 epochs on each task (following Devlin et al (2018)), as Balunović et al (2021) showed that in the vision domain it is significantly more difficult to attack already trained networks. For both baselines and our attacks, for simplicity we assume the lengths of sequences are known, as otherwise an adversary can simply run the attack for all possible lengths.…”

Section: Main Experimentsmentioning

confidence: 99%

See 2 more Smart Citations

LAMP: Extracting Text from Gradients with Language Model Priors

Dimitrov¹,

Balunović²,

Jovanović³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

Recent work shows that sensitive user data can be reconstructed from gradient updates, breaking the key privacy promise of federated learning. While success was demonstrated primarily on image data, these methods do not directly transfer to other domains such as text. In this work, we propose LAMP, a novel attack tailored to textual data, that successfully reconstructs original text from gradients. Our key insight is to model the prior probability of the text with an auxiliary language model, utilizing it to guide the search towards more natural text. Concretely, LAMP introduces a discrete text transformation procedure that minimizes both the reconstruction loss and the prior text probability, as provided by the auxiliary language model. The procedure is alternated with a continuous optimization of the reconstruction loss, which also regularizes the length of the reconstructed embeddings. Our experiments demonstrate that LAMP reconstructs the original text significantly more precisely than prior work: we recover 5x more bigrams and 23% longer subsequences on average. Moreover, we are first to recover inputs from batch sizes larger than 1 for textual models. These findings indicate that gradient updates of models operating on textual data leak more information than previously thought.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Main Experimentsmentioning

confidence: 99%

See 1 more Smart Citation

LAMP: Extracting Text from Gradients with Language Model Priors

Dimitrov¹,

Balunović²,

Jovanović³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…Recently proposed gradient leakage attack methods [34,6,28,2] have shown that a malicious attacker is capable of reconstructing clients' local data by exploiting the shared gradients or model updates. For example, the work [34] searches input data samples which have gradients with minimal Euclidean distance to the true gradients shared by clients.…”

Section: Related Workmentioning

confidence: 99%

“…Specifically, our method is motivated by [11,26], which study the prediction mechanism of Deep Neural Networks (DNNs). In specific, for image classification, these studies find that DNNs tend to use two main kinds of features in images for prediction: (1) features which are obviously comprehensible by human eyes, such as the presence of "a tail" or "ears" in the images of "cat"; as well as (2) features which are incomprehensible to human but also very helpful for DNNs prediction. Both types of features make a great contribution for DNN models to make correct predictions.…”

Section: Introductionmentioning

confidence: 99%

Defense Against Gradient Leakage Attacks via Learning to Obscure Data

Wan¹,

Han²,

Liu³

et al. 2022

Preprint

View full text Add to dashboard Cite

Federated learning is considered as an effective privacy-preserving learning mechanism that separates the client's data and model training process. However, federated learning is still under the risk of privacy leakage because of the existence of attackers who deliberately conduct gradient leakage attacks to reconstruct the client data. Recently, popular strategies such as gradient perturbation and input encryption have been proposed to defend against gradient leakage attacks. Nevertheless, these defenses can either greatly sacrifice the model performance, or be evaded by more advanced attacks. In this paper, we propose a new defense method to protect the privacy of clients' data by learning to obscure data. Our defense method can generate synthetic samples that are totally distinct from the original samples, but they can also maximally preserve their predictive features and guarantee the model performance. Furthermore, our defense strategy makes the gradient leakage attack and its variants extremely difficult to reconstruct the client data. Through extensive experiments, we show that our proposed defense method obtains better privacy protection while preserving high accuracy compared with state-of-the-art methods.Recently, federated learning [22,18,3,13] has been considered as an efficient and effective privacypreserving machine learning framework, which has greatly relieved people's concern about privacy leakage. In federated learning, the clients can keep their private data in their local devices without sharing their data with other parties. They only need to train the model in their local devices and share the model update or gradient with a central server. The server aggregates these updates to construct a Preprint. Under review.

show abstract

Bayesian Framework for Gradient Leakage

Cited by 2 publications

References 7 publications

LAMP: Extracting Text from Gradients with Language Model Priors

LAMP: Extracting Text from Gradients with Language Model Priors

Defense Against Gradient Leakage Attacks via Learning to Obscure Data

Contact Info

Product

Resources

About