In collaborative learning, clients keep their data private and communicate only the computed gradients of the deep neural network being trained on their local data. Several recent attacks show that one can still extract private information from the shared network's gradients, compromising clients' privacy. In this paper, to quantify the private information leakage from gradients, we adopt usable information theory. We focus on two types of private information: original information in data reconstruction attacks and latent information in attribute inference attacks. Furthermore, a sensitivity analysis over the gradients is performed to explore the underlying cause of information leakage and validate the results of the proposed framework. Finally, we conduct numerical evaluations on six benchmark datasets and four well-known deep models. We measure the impact of training hyperparameters, e.g., batches and epochs, as well as potential defense mechanisms, e.g., dropout and differential privacy. Our proposed framework enables clients to localize and quantify the private information leakage in a layer-wise manner, and enables a better understanding of the sources of information leakage in collaborative learning, which can be used by future studies to benchmark new attacks and defense mechanisms.