Adversarial Training (AT) is crucial for obtaining deep neural networks that are robust to adversarial attacks, yet recent works found that it could also make models more vulnerable to privacy attacks. In this work, we further reveal this unsettling property of AT by designing a novel privacy attack that is practically applicable to the privacy-sensitive Federated Learning (FL) systems. Using our method, the attacker can exploit AT models in the FL system to accurately reconstruct users' private training images even when the training batch size is large. Code is available at https://github.com/zjysteven/PrivayAttack_AT_FL.