Evaluating Gradient Inversion Attacks and Defenses in Federated Learning
Authors: Yangsibo Huang, Samyak Gupta, Zhao Song, Kai Li, Sanjeev Arora
NeurIPS 2021

| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | This paper evaluates existing attacks and defenses. We find that some attacks make strong assumptions about the setup. Relaxing such assumptions can substantially weaken these attacks. We then evaluate the benefits of three proposed defense mechanisms against gradient inversion attacks. We show the trade-offs of privacy leakage and data utility of these defense methods, and find that combining them in an appropriate manner makes the attack less effective, even under the original strong assumptions. We also estimate the computation cost of end-to-end recovery of a single image under each evaluated defense. |
| Researcher Affiliation | Collaboration | Yangsibo Huang, Princeton University, Princeton, NJ 08540, yangsibo@princeton.edu; Samyak Gupta, Princeton University, Princeton, NJ 08540, samyakg@cs.princeton.edu; Zhao Song, Adobe Research, San Jose, CA 95110, zsong@adobe.com; Kai Li, Princeton University, Princeton, NJ 08540, li@cs.princeton.edu; Sanjeev Arora, Princeton University, Princeton, NJ 08540, arora@cs.princeton.edu |
| Pseudocode | No | The paper describes mathematical formulations and algorithms but does not provide pseudocode or a clearly labeled algorithm block. |
| Open Source Code | No | The paper provides a link to an external implementation of a prior work that it evaluates (footnote 1: "The official implementation of [Geiping et al., 2020]: https://github.com/JonasGeiping/invertinggradients.") but does not provide concrete access to the authors' own source code for their methodology. |
| Open Datasets | Yes | We evaluate following defenses on CIFAR-10 dataset [Krizhevsky et al., 2009] with ResNet-18 architecture [He et al., 2016]. ... a single ImageNet [Deng et al., 2009] image from gradient |
| Dataset Splits | No | The paper mentions using CIFAR-10 and ImageNet datasets, but does not explicitly state the specific training, validation, and test splits used for its experiments. |
| Hardware Specification | Yes | If the attacker uses a single NVIDIA GeForce RTX 2080 Ti GPU as his computation resource, and runs gradient inversion with 10,000 iterations of optimization, then t, the running time for attacking a single batch is ~0.25 GPU hours (batch size b has little impact on the attack's running time, but a larger b makes the attack less effective). |
| Software Dependencies | No | The paper mentions using "Adam [Kingma and Ba, 2015]" as an optimizer, but does not list specific software dependencies with version numbers (e.g., Python, PyTorch, TensorFlow versions). |
| Experiment Setup | Yes | We tune αBN and present the best result in Figure 1.c and 1.g (see results of different αBN's in Appendix A). As shown, for a batch of low-resolution images, BNinfer gives a much better reconstruction result than BNproxy, but still cannot recover some details of the private batch when compared with BNexact. The result for a single high-resolution image is worse: the attacker fails to return a recognizable reconstruction with BNinfer. This suggests not having access to BatchNorm statistics of the private batch already weakens the state-of-the-art gradient inversion attack. ... We search αTV in {0, 0.001, 0.005, 0.01, 0.05, 0.1, 0.5} for all defenses, and apply the best choice for each defense: 0.05 for GradPrune, 0.1 for MixUp, and 0.01 for Intra-InstaHide. We apply αBN = 0.001 for all defenses after searching it in {0, 0.0005, 0.001, 0.01, 0.05, 0.01}. We optimize the attack for 10,000 iterations using Adam [Kingma and Ba, 2015], with initial learning rate 0.1. We decay the learning rate by a factor of 0.1 at 3/8, 5/8, 7/8 of the optimization. |