Bibliographic Details
Main Authors: Qian, Jin, Wei, Kaimin, Wu, Yongdong, Zhang, Jilian, Chen, Jipeng, Bao, Huan
Format: Preprint
Published: 2024
Subjects:
Online Access: https://arxiv.org/abs/2405.03516
_version_ 1866910436299898880
author Qian, Jin
Wei, Kaimin
Wu, Yongdong
Zhang, Jilian
Chen, Jipeng
Bao, Huan
contents Federated learning (FL) has emerged as a privacy-preserving machine learning approach where multiple parties share gradient information rather than original user data. Recent work has demonstrated that gradient inversion attacks can exploit the gradients of FL to recreate the original user data, posing significant privacy risks. However, these attacks make strong assumptions about the attacker, such as altering the model structure or parameters, gaining batch normalization statistics, or acquiring prior knowledge of the original training set, etc. Consequently, these attacks are not possible in real-world scenarios. To this end, we propose a novel Gradient Inversion attack based on Style Migration Network (GI-SMN), which breaks through the strong assumptions made by previous gradient inversion attacks. The optimization space is reduced by the refinement of the latent code and the use of regular terms to facilitate gradient matching. GI-SMN enables the reconstruction of user data with high similarity in batches. Experimental results have demonstrated that GI-SMN outperforms state-of-the-art gradient inversion attacks in both visual effect and similarity metrics. Additionally, it can also overcome gradient pruning and differential privacy defenses.
format Preprint
id arxiv_https___arxiv_org_abs_2405_03516
institution arXiv
publishDate 2024
record_format arxiv
title GI-SMN: Gradient Inversion Attack against Federated Learning without Prior Knowledge
topic Machine Learning
url https://arxiv.org/abs/2405.03516