Open access
Date
2022-11Type
- Journal Article
ETH Bibliography
yes
Altmetrics
Abstract
Recent attacks have shown that user data can be recovered from FedSGD updates, thus breaking privacy. However, these attacks are of limited practical relevance as federated learning typically uses the FedAvg algorithm. Compared to FedSGD, recovering data from FedAvg updates is much harder as: (i) the updates are computed at unobserved intermediate network weights, (ii) a large number of batches are used, and (iii) labels and network weights vary simultaneously across client steps. In this work, we propose a new optimization-based attack which successfully attacks FedAvg by addressing the above challenges. First, we solve the optimization problem using automatic differentiation that forces a simulation of the client's update that generates the unobserved parameters for the recovered labels and inputs to match the received client update. Second, we address the large number of batches by relating images from different epochs with a permutation invariant prior. Third, we recover the labels by estimating the parameters of existing FedSGD attacks at every FedAvg step. On the popular FEMNIST dataset, we demonstrate that on average we successfully recover >45% of the client's images from realistic FedAvg updates computed on 10 local epochs of 10 batches each with 5 images, compared to only <10% using the baseline. Our findings show many real-world federated learning implementations based on FedAvg are vulnerable. Show more
Permanent link
https://doi.org/10.3929/ethz-b-000593553Publication status
publishedExternal links
Journal / series
Transactions on Machine Learning ResearchPublisher
OpenReviewSubject
Federated learning; Gradient leakageOrganisational unit
03948 - Vechev, Martin / Vechev, Martin
02219 - ETH AI Center / ETH AI Center
More
Show all metadata
ETH Bibliography
yes
Altmetrics