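[Paper Review] Inverting Gradients -- How easy is it to break privacy in federated learning?
This paper shows that input data can be reconstructed from model gradients in federated learning and that reconstruction remains possible even when gradients are averaged over multiple images or epochs. It analyzes the analytic recovery of fully connected layer inputs and practical attacks on modern networks.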
The idea of federated learning is to collaboratively train a neural network on a server. Each user receives the current weights of the network and in turn sends parameter updates (gradients) based on local data. This protocol has been designed not only to train neural networks data-efficiently, but also to provide privacy benefits for users, as their input data remains on device and only parameter gradients are shared. But how secure is sharing parameter gradients? Previous attacks have provided a false sense of security, by succeeding only in contrived settings - even for a single image. However, by exploiting a magnitude-invariant loss along with optimization strategies based on adversarial attacks, we show that it is actually possible to faithfully reconstruct images at high resolution from the knowledge of their parameter gradients, and demonstrate that such a break of privacy is possible even for trained deep networks. We analyze the effects of architecture as well as parameters on the difficulty of reconstructing an input image and prove that any input to a fully connected layer can be reconstructed analytically independent of the remaining architecture. Finally we discuss settings encountered in practice and show that even averaging gradients over several iterations or several images does not protect the user's privacy in federated learning applications in computer vision.
Research Motivation and Objectives
- Assess whether input data can be recovered from parameter gradients in federated learning under realistic architectures and training regimes.
- Analyze how network architecture and training parameters affect gradient-based reconstructions.
- Provide practical reconstruction methods that outperform Euclidean-loss-based approaches.
- Examine multi-image and federated averaging scenarios to evaluate privacy risks in real-world FL deployments.
Proposed Method
- Propose a cosine-similarity based loss to reconstruct inputs from gradients, combined with image priors (total variation).
- Show that reconstructing the input to any fully connected layer is analytically possible, independent of surrounding architecture, under a nonzero-gradient condition.
- Compare the proposed cosine-based reconstruction to prior Euclidean-loss/L-BFGS methods across trained/untrained networks (e.g., LeNet, ResNet variants).
- Evaluate single-image reconstruction and extend to Federated Averaging with multi-image batches and multiple local epochs.
- Study the impact of architecture choices (convolutions vs. translational invariance, width/depth) on reconstruction quality.
- Demonstrate multi-image reconstruction from averaged gradients and several local updates (epochs, batch sizes).
Experimental Results
Research Questions
- RQ1: Can input data be recovered from gradients in realistic deep networks used in federated learning?
- RQ2: How do network architecture and training state (trained vs untrained) influence gradient-based reconstructions?
- RQ3: Is recovery possible when gradients are averaged over multiple images or across local training epochs in federated averaging?
- RQ4: What factors (e.g., width, depth, padding strategy) affect the difficulty of gradient inversion?
- RQ5: Do defenses like gradient averaging or data batching meaningfully protect privacy against gradient inversion attacks?
Key Findings
- Reconstruction from gradients is feasible for realistic deep networks, including trained ResNet-152, using the proposed cosine-similarity attack.
- Analytically, the input to any fully connected layer can be reconstructed from gradients, independent of surrounding architecture, given nonzero gradient components.
- Cosine-based reconstruction with image priors yields recognizable images, outperforming Euclidean-loss/L-BFGS methods on trained networks.
- Even with federated averaging and multi-image batches (up to 100 images), some information about private data can be recovered, depending on image content and network, indicating privacy is not guaranteed by averaging alone.
- Increasing network width improves PSNR of reconstructions but also increases variance; depth has limited impact on attack effectiveness for many architectures.
- Translation-invariant padding reduces location leakage compared to zero-padding, linking architectural choices to privacy exposure.
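The analytic result for fully connected layers (listed under both the proposed method and the key findings) can be checked on a toy model. The following is an added example, not code from the paper or this review: the two-layer tanh network, the squared loss and all names are assumptions chosen for illustration, and the input is constructed random data.

```python
import math
import random

def fc_gradients(x, W, b, v, target):
    """Manual backprop for loss = 0.5 * (v . tanh(Wx + b) - target)^2.
    Returns (dL/dW, dL/db) for the first fully connected layer."""
    z = [sum(w * xj for w, xj in zip(row, x)) + bi for row, bi in zip(W, b)]
    h = [math.tanh(zi) for zi in z]
    err = sum(vi * hi for vi, hi in zip(v, h)) - target
    # dL/dz_i = err * v_i * (1 - tanh(z_i)^2), which is also dL/db_i
    db = [err * vi * (1.0 - hi * hi) for vi, hi in zip(v, h)]
    # dL/dW_ij = dL/dz_i * x_j: every row of dW is a scaled copy of x
    dW = [[dbi * xj for xj in x] for dbi in db]
    return dW, db

def recover_fc_input(dW, db, tol=1e-12):
    """Recover x from the weight and bias gradients of one FC layer.
    Since dW[i] = db[i] * x, x = dW[i] / db[i] for any i with db[i] != 0.
    Returns None when every bias gradient is numerically zero, which is
    the case the nonzero-gradient condition excludes."""
    i = max(range(len(db)), key=lambda k: abs(db[k]))
    if abs(db[i]) <= tol:
        return None
    return [g / db[i] for g in dW[i]]

def demo(seed=0, n_in=8, n_hidden=4):
    """Build a constructed 'private' input, compute the gradients a client
    would share, and recover the input from those gradients alone."""
    rng = random.Random(seed)
    x = [rng.random() for _ in range(n_in)]
    W = [[rng.uniform(-1, 1) for _ in range(n_in)] for _ in range(n_hidden)]
    b = [rng.uniform(-1, 1) for _ in range(n_hidden)]
    v = [rng.uniform(-1, 1) for _ in range(n_hidden)]
    dW, db = fc_gradients(x, W, b, v, target=1.0)
    return x, recover_fc_input(dW, db)

if __name__ == "__main__":
    x, x_hat = demo()
    print("max abs error:", max(abs(a - c) for a, c in zip(x, x_hat)))
```

The recovery uses only the layer's own weight and bias gradients, so nothing downstream of the layer (here the tanh and output weights) needs to be known, which is why a per-example gradient for such a layer is as sensitive as the input itself.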
This review was generated by AI and checked by a human editor.