Bayesian Framework for Gradient Leakage
Authors: Mislav Balunovic, Dimitar Iliev Dimitrov, Robin Staab, Martin Vechev
ICLR 2022
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Our experiments confirm the effectiveness of the Bayes optimal adversary when it has knowledge of the underlying distribution. Further, our experimental evaluation shows that several existing heuristic defenses are not effective against stronger attacks, especially early in the training process. |
| Researcher Affiliation | Academia | Department of Computer Science, ETH Zurich {mislav.balunovic,dimitar.dimitrov,robin.staab,martin.vechev}@inf.ethz.ch |
| Pseudocode | Yes | Algorithm 1 Approximate Bayes optimal adversary |
| Open Source Code | Yes | We make our code publicly available at https://github.com/eth-sri/bayes-framework-leakage. |
| Open Datasets | Yes | on the CIFAR-10 dataset (Krizhevsky, 2009). |
| Dataset Splits | No | The paper uses standard datasets like CIFAR-10 and MNIST but does not explicitly provide specific training, validation, and test dataset splits (e.g., percentages or exact sample counts) for reproducibility, beyond mentioning using the "training set" for certain experiments. |
| Hardware Specification | No | The paper does not explicitly describe the specific hardware (e.g., GPU models, CPU types, cloud computing resources) used to conduct the experiments. |
| Software Dependencies | No | The paper mentions using the Adam optimizer and implies the use of a deep learning framework, but it does not specify exact version numbers for software dependencies like PyTorch, TensorFlow, or Python. |
| Experiment Setup | Yes | For all attacks, we use the Adam optimizer (Kingma & Ba, 2015) with a learning rate of 0.1, a total variation regularization of 10^-5 for ATS and 4 * 10^-4 for Soteria, as well as 2000 and 4000 attack iterations respectively. We perform the attack on both networks using batch size 1. For training, we used a batch size of 32. For all attacks, we use anisotropic total variation image prior, and we initialize the images with random Gaussian noise. We optimize the loss using Adam (Kingma & Ba, 2015) with exponential learning rate decay. We use grid search that selects the optimal parameters for each of them individually. In particular, for all attacks we tune their initial learning rates and learning rate decay factors as well as the weighting parameter β. |