DAGER: Exact Gradient Inversion for Large Language Models

OPEN ACCESS

Downloads

Full text (published version) (PDF, 812.15 KB)

Author / Producer

Petrov, Ivo Dimitrov, Dimitar I.

Date

2024

Publication Type

Conference Paper

ETH Bibliography

yes

Citations

Altmetric
OPEN ACCESS

Downloads

Full text (published version) (PDF, 812.15 KB)

Data

Rights / License

In Copyright - Non-Commercial Use Permitted north_east

Abstract

Federated learning works by aggregating locally computed gradients from multiple clients, thus enabling collaborative training without sharing private client data. However, prior work has shown that the data can actually be recovered by the server using so-called gradient inversion attacks. While these attacks perform well when applied on images, they are limited in the text domain and only permit approximate reconstruction of small batches and short input sequences. In this work, we propose DAGER, the first algorithm to recover whole batches of input text exactly. DAGER leverages the low-rank structure of self-attention layer gradients and the discrete nature of token embeddings to efficiently check if a given token sequence is part of the client data. We use this check to exactly recover full batches in the honest-but-curious setting without any prior on the data for both encoder- and decoder-based architectures using exhaustive heuristic search and a greedy approach, respectively. We provide an efficient GPU implementation of DAGER and show experimentally that it recovers full batches of size up to 128 on large language models (LLMs), beating prior attacks in speed (20x at same batch size), scalability (10x larger batches), and reconstruction quality (ROUGE-1/2 > 0.99).

Permanent link

https://doi.org/10.3929/ethz-b-000719966

Publication status

published

External links

https://neurips.cc/virtual/2024/poster/96118 north_east
https://papers.nips.cc/paper_files/paper/2024/hash/9ff1577a1f8308df1ccea6b4f64a103f-Abstract-Conference.html north_east

Editor

Globerson, Amir north_east Mackey, Lester north_east Belgrave, Danielle north_east

Book title

Advances in Neural Information Processing Systems 37

Journal / series

Volume

37

Pages / Article No.

87801 - 87830

Publisher

Curran

Event

38th Conference on Neural Information Processing Systems (NeurIPS 2024)

Edition / version

Methods

Software

Geographic location

Date collected

Date created

Subject

Machine Learning (cs.LG); Distributed, Parallel, and Cluster Computing (cs.DC); FOS: Computer and information sciences; I.2.7; I.2.11

Organisational unit

03948 - Vechev, Martin / Vechev, Martin check_circle

Notes

Poster presented on December 12, 2024

Funding

101070617 - European Lighthouse on Secure and Safe AI (SBFI)

Related publications and datasets

Is new version of: 10.48550/arXiv.2405.15586Is new version of: https://openreview.net/forum?id=CrADAX7h23

More

Show all metadata