Mjölnir: Breaking the Shield of Perturbation-Protected Gradients via Adaptive Diffusion

Authors

  • Xuan Liu, Department of Electrical and Electronic Engineering, The Hong Kong Polytechnic University
  • Siqi Cai, Hubei Key Laboratory of Transportation Internet of Things, Wuhan University of Technology
  • Qihua Zhou, College of Computer Science and Software Engineering, Shenzhen University
  • Song Guo, Department of Computer Science and Engineering, The Hong Kong University of Science and Technology
  • Ruibin Li, Department of Computing, The Hong Kong Polytechnic University
  • Kaiwei Lin, Hubei Key Laboratory of Transportation Internet of Things, Wuhan University of Technology

DOI:

https://doi.org/10.1609/aaai.v39i25.34829

Abstract

Perturbation-based mechanisms, such as differential privacy, mitigate gradient leakage attacks by introducing noise into the gradients, thereby preventing attackers from reconstructing clients' private data from the leaked gradients. However, can gradient perturbation protection mechanisms truly defend against all gradient leakage attacks? In this paper, we present the first attempt to break the shield of gradient perturbation protection in Federated Learning for the extraction of private information. We focus on common noise distributions, specifically Gaussian and Laplace, and apply our approach to DNN and CNN models. We introduce Mjölnir, a perturbation-resilient gradient leakage attack that is capable of removing perturbations from gradients without requiring additional access to the original model structure or external data. Specifically, we leverage the inherent diffusion properties of gradient perturbation protection to develop a novel diffusion-based gradient denoising model for Mjölnir. By constructing a surrogate client model that captures the structure of perturbed gradients, we obtain crucial gradient data for training the diffusion model. We further utilize the insight that monitoring disturbance levels during the reverse diffusion process can enhance gradient denoising capabilities, allowing Mjölnir to generate gradients that closely approximate the original, unperturbed versions through adaptive sampling steps. Extensive experiments demonstrate that Mjölnir effectively recovers the protected gradients and exposes the Federated Learning process to the threat of gradient leakage, achieving superior performance in gradient denoising and private data recovery.

Published

2025-04-11

How to Cite

Liu, X., Cai, S., Zhou, Q., Guo, S., Li, R., & Lin, K. (2025). Mjölnir: Breaking the Shield of Perturbation-Protected Gradients via Adaptive Diffusion. Proceedings of the AAAI Conference on Artificial Intelligence, 39(25), 26308–26316. https://doi.org/10.1609/aaai.v39i25.34829

Section

AAAI Technical Track on Philosophy and Ethics of AI