[Paper Review] Evaluating Gradient Inversion Attacks and Defenses in Federated Learning
This paper systematically evaluates gradient inversion attacks and defenses in federated learning. It shows that relaxing the strong adversary assumptions weakens the attacks, and that combining defenses reduces privacy leakage while preserving data utility.
Gradient inversion attack (or input recovery from gradient) is an emerging threat to the security and privacy preservation of Federated learning, whereby malicious eavesdroppers or participants in the protocol can recover (partially) the clients' private data. This paper evaluates existing attacks and defenses. We find that some attacks make strong assumptions about the setup. Relaxing such assumptions can substantially weaken these attacks. We then evaluate the benefits of three proposed defense mechanisms against gradient inversion attacks. We show the trade-offs of privacy leakage and data utility of these defense methods, and find that combining them in an appropriate manner makes the attack less effective, even under the original strong assumptions. We also estimate the computation cost of end-to-end recovery of a single image under each evaluated defense. Our findings suggest that the state-of-the-art attacks can currently be defended against with minor data utility loss, as summarized in a list of potential strategies. Our code is available at: https://github.com/Princeton-SysML/GradAttack.
Motivation and Goals
- Assess the risks of gradient inversion attacks under realistic threat models.
- Evaluate existing defense mechanisms and quantify privacy leakage vs. data utility.
- Investigate whether combining defenses improves protection with acceptable model performance.
- Estimate end-to-end computational cost of recovering a single image under different defenses.
Proposed Method
- Review and formalize state-of-the-art gradient inversion attacks, focusing on Geiping et al. (2020).
- Identify and relax two strong assumptions: Knowledge of BatchNorm statistics and private labels.
- Re-design attacks under relaxed assumptions to measure impact on reconstruction quality.
- Systematically evaluate defenses including GradPrune, MixUp, and Intra-InstaHide against the strongest attack.
- Analyze combinations of defenses and measure privacy leakage using LPIPS and test accuracy.
- Provide time costs for end-to-end recovery under different defenses.
Experimental Results
Research Questions
- RQ1: What are the critical assumptions underlying gradient inversion attacks, and how does removing them affect attack efficacy?
- RQ2: How do existing defenses perform in terms of privacy leakage and data utility against the strongest gradient inversion attack?
- RQ3: Can combining defenses yield better privacy-utility trade-offs than individual defenses?
- RQ4: What is the computational cost of recovering a single image under various defenses?
- RQ5: Do higher batch sizes and secure configurations mitigate gradient inversion risks?
Key Findings
- Relaxing assumptions about BatchNorm statistics and private labels substantially weakens gradient inversion attacks, especially for high-resolution data.
- GradPrune alone is insufficient against the strongest attack unless pruning is extremely aggressive (p ≥ 0.999), which incurs sizable accuracy loss.
- MixUp and Intra-InstaHide provide limited leakage reduction when used alone, particularly for small batch sizes.
- Combining defenses (e.g., Intra-InstaHide with gradient pruning) can markedly reduce privacy leakage with moderate accuracy costs, especially at batch size 32.
- End-to-end recovery time estimates show InstaHide can greatly increase attacker cost, making recovery impractical for medium-to-large datasets.
- Best practice suggestions include avoiding sharing BatchNorm statistics, using larger batch sizes, and combining defenses for improved security with acceptable utility loss.
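To make the defense side of these findings concrete, the following is an added illustration (not code from the paper or the GradAttack repository) of two of the evaluated mechanisms and one of the recommended practices: magnitude-based gradient pruning (GradPrune), MixUp of two inputs, and withholding BatchNorm running statistics from the update a client shares. It assumes a simplified model of GradPrune that zeroes the fraction `p` of gradient entries with the smallest magnitude; the exact pruning rule, tensor layout and key names (`bn.running_mean` etc.) are assumptions for the example, and the gradients are constructed toy values rather than real model gradients.

```python
"""Defender-side illustration of GradPrune, MixUp and BatchNorm-statistic
withholding, written as an added example for this review (not the paper's code).
Assumption: GradPrune keeps the largest-magnitude (1 - p) fraction of entries
of each gradient tensor and zeroes the rest. Tensors are plain Python lists."""
import random
from typing import Dict, List, Optional


def prune_gradient(grad: List[float], p: float) -> List[float]:
    """Zero the fraction p of entries with the smallest |value| (GradPrune).

    p = 0.999, as in the paper's 'extremely aggressive' setting, keeps only
    one entry in a thousand. Ties are broken by index for determinism.
    """
    if not 0.0 <= p < 1.0:
        raise ValueError("pruning fraction p must satisfy 0 <= p < 1")
    n = len(grad)
    keep = n - int(round(p * n))
    # Rank indices by magnitude (descending); the first `keep` survive.
    ranked = sorted(range(n), key=lambda i: (-abs(grad[i]), i))
    survivors = set(ranked[:keep])
    return [grad[i] if i in survivors else 0.0 for i in range(n)]


def sparsity(grad: List[float]) -> float:
    """Fraction of zero entries; useful to verify pruning actually took effect."""
    if not grad:
        return 0.0
    return sum(1 for g in grad if g == 0.0) / len(grad)


def mixup(x1: List[float], x2: List[float], lam: Optional[float] = None,
          alpha: float = 1.0) -> List[float]:
    """MixUp two flattened inputs: lam * x1 + (1 - lam) * x2.

    If lam is not given it is drawn from Beta(alpha, alpha), as MixUp does.
    The same lam must be applied to the labels; that part is omitted here.
    """
    if len(x1) != len(x2):
        raise ValueError("inputs must have the same shape")
    if lam is None:
        lam = random.betavariate(alpha, alpha)
    return [lam * a + (1.0 - lam) * b for a, b in zip(x1, x2)]


# Constructed key names for the BatchNorm buffers the paper warns against sharing.
BN_STAT_SUFFIXES = ("running_mean", "running_var")


def client_update(grads: Dict[str, List[float]], p: float,
                  share_bn_stats: bool = False) -> Dict[str, List[float]]:
    """Build the update a client sends to the server.

    Every gradient tensor is pruned with GradPrune, and BatchNorm running
    statistics are dropped unless the caller explicitly opts into sharing
    them (the paper's best-practice list recommends not sharing them).
    """
    update: Dict[str, List[float]] = {}
    for name, tensor in grads.items():
        if not share_bn_stats and name.endswith(BN_STAT_SUFFIXES):
            continue  # withhold BatchNorm statistics from the shared update
        update[name] = prune_gradient(tensor, p)
    return update


if __name__ == "__main__":
    # Constructed toy gradients, not real model gradients.
    toy = {
        "conv.weight": [0.1, -0.9, 0.3, 0.05, 0.6, -0.2, 0.8, 0.01, 0.4, -0.7],
        "bn.running_mean": [0.5, 0.5],
    }
    out = client_update(toy, p=0.5)
    print("shared keys:", sorted(out))
    print("pruned conv.weight:", out["conv.weight"])
    print("sparsity:", sparsity(out["conv.weight"]))
    print("mixup:", mixup([1.0, 2.0], [3.0, 4.0], lam=0.25))
```

The `sparsity` check is the kind of sanity test a practitioner would run before trusting a pruning configuration: the paper's result that GradPrune only helps at p ≥ 0.999 means a misconfigured or silently ineffective pruning step leaves the gradient essentially unprotected.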
This review was generated by AI and checked by a human editor.