High-Fidelity Gradient Inversion in Distributed Learning

Authors

  • Zipeng Ye School of Computer Science and Technology, Harbin Institute of Technology, Shenzhen Guangdong Provincial Key Laboratory of Novel Security Intelligence Technologies
  • Wenjian Luo School of Computer Science and Technology, Harbin Institute of Technology, Shenzhen Guangdong Provincial Key Laboratory of Novel Security Intelligence Technologies Peng Cheng Laboratory
  • Qi Zhou School of Computer Science and Technology, Harbin Institute of Technology, Shenzhen Guangdong Provincial Key Laboratory of Novel Security Intelligence Technologies
  • Yubo Tang School of Computer Science and Technology, Harbin Institute of Technology, Shenzhen Guangdong Provincial Key Laboratory of Novel Security Intelligence Technologies

DOI:

https://doi.org/10.1609/aaai.v38i18.29975

Keywords:

PEAI: Privacy & Security, PEAI: Safety, Robustness & Trustworthiness

Abstract

Distributed learning frameworks aim to train global models by sharing gradients among clients while preserving the data privacy of each individual client. However, extensive research has demonstrated that these learning frameworks do not absolutely ensure the privacy, as training data can be reconstructed from shared gradients. Nevertheless, the existing privacy-breaking attack methods have certain limitations. Some are applicable only to small models, while others can only recover images in small batch size and low resolutions, or with low fidelity. Furthermore, when there are some data with the same label in a training batch, existing attack methods usually perform poorly. In this work, we successfully address the limitations of existing attacks by two steps. Firstly, we model the coefficient of variation (CV) of features and design an evolutionary algorithm based on the minimum CV to accurately reconstruct the labels of all training data. After that, we propose a stepwise gradient inversion attack, which dynamically adapts the objective function, thereby effectively and rationally promoting the convergence of attack results towards an optimal solution. With these two steps, our method is able to recover high resolution images (224*224 pixel, from ImageNet and Web) with high fidelity in distributed learning scenarios involving complex models and larger batch size. Experiment results demonstrate the superiority of our approach, reveal the potential vulnerabilities of the distributed learning paradigm, and emphasize the necessity of developing more secure mechanisms. Source code is available at https://github.com/MiLab-HITSZ/2023YeHFGradInv.
AAAI-24 / IAAI-24 / EAAI-24 Proceedings Cover

Downloads

Published

2024-03-24

How to Cite

Ye, Z., Luo, W., Zhou, Q., & Tang, Y. (2024). High-Fidelity Gradient Inversion in Distributed Learning. Proceedings of the AAAI Conference on Artificial Intelligence, 38(18), 19983-19991. https://doi.org/10.1609/aaai.v38i18.29975

Issue

Vol. 38 No. 18: AAAI-24 Technical Tracks 18

Section

AAAI Technical Track on Philosophy and Ethics of AI