Paper title
Provable Defense against Privacy Leakage in Federated Learning from Representation Perspective
Paper authors
Paper abstract
Federated learning (FL) is a popular distributed learning framework that can reduce privacy risks by not explicitly sharing private data. However, recent works have demonstrated that sharing model updates makes FL vulnerable to inference attacks. In this work, we present our key observation that the leakage of data representations from gradients is the essential cause of privacy leakage in FL. We also provide an analysis of this observation to explain how the data representation is leaked. Based on this observation, we propose a defense against model inversion attacks in FL. The key idea of our defense is to learn to perturb the data representation such that the quality of the reconstructed data is severely degraded while FL performance is maintained. In addition, we derive a certified robustness guarantee for FL and a convergence guarantee for FedAvg after applying our defense. To evaluate our defense, we conduct experiments on MNIST and CIFAR10, defending against the DLG attack and the GS attack. Without sacrificing accuracy, the results demonstrate that, compared with baseline defense methods, our proposed defense increases the mean squared error between the reconstructed data and the raw data by more than 160X for both the DLG attack and the GS attack. The privacy of the FL system is significantly improved.
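As an added illustration (not code from the paper), the key observation in its simplest setting: for a fully connected layer trained with cross-entropy, the weight gradient is the outer product of the error signal and the input representation, so a shared update reveals that representation exactly, and the MSE between the recovered and the raw representation is the metric the abstract reports. The Gaussian perturbation below is a constructed stand-in for a representation perturbation, not the paper's learned defense; all names and parameters are assumptions.

```python
# Added example (not from the paper): why a linear layer's gradient leaks its input
# representation, and how perturbing that representation raises reconstruction MSE.
import math
import random

def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]

def layer_gradients(W, b, x, y):
    """Cross-entropy gradients of one linear layer on a single sample (x, y).
    Returns (dW, db) with dW[i][j] = delta[i] * x[j] and db[i] = delta[i]."""
    logits = [sum(W[i][j] * x[j] for j in range(len(x))) + b[i] for i in range(len(b))]
    p = softmax(logits)
    delta = [p[i] - (1.0 if i == y else 0.0) for i in range(len(b))]
    dW = [[delta[i] * x[j] for j in range(len(x))] for i in range(len(b))]
    return dW, delta

def recover_representation(dW, db):
    """The shared update alone reveals x: each row of dW is x scaled by db[i]."""
    i = max(range(len(db)), key=lambda k: abs(db[k]))  # best-conditioned row
    return [dW[i][j] / db[i] for j in range(len(dW[i]))]

def mse(a, b):
    return sum((u - v) ** 2 for u, v in zip(a, b)) / len(a)

def leakage_demo(d=8, classes=3, noise_std=0.0, seed=0):
    """MSE between the raw representation x and what the gradient reveals.
    noise_std > 0 adds a constructed Gaussian perturbation to the representation
    the model consumes (a stand-in, NOT the paper's learned perturbation)."""
    rng = random.Random(seed)
    W = [[rng.uniform(-0.5, 0.5) for _ in range(d)] for _ in range(classes)]
    b = [0.0] * classes
    x = [rng.uniform(-1.0, 1.0) for _ in range(d)]          # raw representation
    x_seen = [v + rng.gauss(0.0, noise_std) for v in x]     # what the layer consumes
    dW, db = layer_gradients(W, b, x_seen, y=1)
    return mse(recover_representation(dW, db), x)

if __name__ == "__main__":
    print("unperturbed recovery MSE:", leakage_demo())
    print("perturbed recovery MSE:  ", leakage_demo(noise_std=0.3))
```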