Training deep neural networks requires gradient estimation from data batches to update parameters. Gradients per parameter are averaged over a set of data and this has been presumed to be safe for privacy-preserving training in joint, collaborative, and federated learning applications. Prior work only showed the possibility of recovering input data given gradients under very restrictive conditions - a single input point, or a network with no non-linearities, or a small 32x32 px input batch. Therefore, averaging gradients over larger batches was thought to be safe. In this work, we introduce GradInversion, using which input images from a larger batch (8 - 48 images) can also be recovered for large networks such as ResNets (50 layers), on complex datasets such as ImageNet (1000 classes, 224x224 px). We formulate an optimization task that converts random noise into natural images, matching gradients while regularizing image fidelity. We also propose an algorithm for target class label recovery given gradients. We further propose a group consistency regularization framework, where multiple agents starting from different random seeds work together to find an enhanced reconstruction of original data batch. We show that gradients encode a surprisingly large amount of information, such that all the individual images can be recovered with high fidelity via GradInversion, even for complex datasets, deep networks, and large batch sizes.
翻译:深心神经网络的培训要求从数据批量中进行梯度估计,以便更新参数。 每个参数的梯度平均为一组数据, 并假定这在联合、 协作和联合学习应用程序中的隐私保护培训中是安全的。 先前的工作仅显示在非常严格的条件下恢复输入数据给定梯度的可能性 - 一个单一输入点, 或者一个没有非线性或小32x32 px 输入批量的网络。 因此, 人们认为, 大批量的平均梯度是安全的。 在这项工作中, 我们引入了“ 梯度 ” 转换, 使用较大批量( 8 - 48 图像) 的输入图像也可以在大型网络( ResNets ( 50 层) ) 中恢复。 在图像网络( 1 000 类, 224x224 px) 等复杂数据组中, 我们制定最优化的任务, 将随机噪音转换成自然图像, 匹配梯度, 同时调整图像忠诚度。 我们还提议一个目标类标签回收的梯度算法 。 我们进一步提议一个“ 一致性规范框架 ”, 其中多个代理器从不同的随机种子工作开始, 寻找更深的多个种子网络, 以找到更深的原型的原型的原型集, 数据组群分解。
相关内容
微信扫码咨询专知VIP会员