A Study On Key Technologies For Gradient-based Data Reconstruction In Federated Learning

Posted on: 2024-09-27
Degree: Master
Type: Thesis
Country: China
Candidate: M Y Ge
GTID: 2568307079960309
Subject: Cyberspace security

Abstract/Summary:
Traditional deep learning methods typically train on centralized datasets using a single machine. However, in real-world scenarios, data silos prevent the exchange or sharing of data among multiple parties. Federated learning, an emerging distributed technology, is dedicated to protecting privacy, collaboratively building models, and enhancing performance. Although federated learning only involves gradient exchanges between users and servers, existing research shows that private data can still be reconstructed. Deep Leakage Gradient (DLG) is a typical gradient leakage attack method, yet it becomes ineffective in highly compressed scenarios. This is because, in federated learning, gradient compression is often employed to reduce communication overhead, resulting in significant information loss, which limits the effectiveness of gradient leakage attack methods such as DLG in practical federated learning applications.

This thesis discusses gradient leakage attacks in the context of highly compressed gradients, building on previous studies and findings. The significance of this research lies in demonstrating the feasibility and effectiveness of gradient leakage attacks, which serves as a reminder to the federated learning community to propose more effective defense mechanisms to protect user data privacy and ensure adequate protection when providing data. In addition, this study can serve as a privacy audit tool by revealing how much private data an adversary can obtain under the defense setting of gradient compression, which can help in the design of future privacy mechanisms.

This thesis proposes four gradient leakage attack methods for gradient compression scenarios in federated learning:

(1) Property inference-based gradient leakage attack: An adversary infers the specific properties of the original private training data from the shared gradient and uses this as prior information compensation for gradient leakage attacks.

(2) Feature inference-based gradient leakage attack: When the property inference-based gradient leakage attack is ineffective, the adversary infers the low-dimensional vector representation of the original training data from the shared gradient and uses this as prior information compensation for gradient leakage attacks.

(3) Feature generation-based gradient leakage attack: This method further improves the feature inference-based gradient leakage attack. After inferring the original data features from the shared gradient, the adversary uses these features to generate an initial image, which is used as prior information compensation for gradient leakage attacks.

(4) Gradient generation-based gradient leakage attack: To address the low reconstruction efficiency of the three attack methods above and their unsuitability for batch data reconstruction, this method enables the adversary to directly generate an image from the shared gradient using a generative network, which is used as the reconstruction result for private data.

Experimental results demonstrate that the four gradient leakage attack methods proposed in this thesis are applicable to highly compressed gradient scenarios in federated learning. The reconstructed private image data obtained through these attack methods exhibit superior subjective visual effects and objective numerical performance compared to existing state-of-the-art methods. This study holds significant value in raising awareness and promoting practices related to data privacy protection in federated learning and provides valuable insights for designing more effective defense mechanisms in the future.
Keywords/Search Tags: Deep learning, federated learning, gradient compression, gradient leakage attacks, model inversion attacks