In federated learning (FL), data does not leave personal devices when they are jointly training a machine learning model. Instead, these devices share gradients with a central party (e.g., a company). Because data never "leaves" personal devices, FL is presented as privacy-preserving. Yet, recently it was shown that this protection is but a thin facade, as even a passive attacker observing gradients can reconstruct data of individual users. In this paper, we argue that prior work still largely underestimates the vulnerability of FL. This is because prior efforts exclusively consider passive attackers that are honest-but-curious. Instead, we introduce an active and dishonest attacker acting as the central party, who is able to modify the shared model's weights before users compute model gradients. We call the modified weights "trap weights". Our active attacker is able to recover user data perfectly and at near-zero cost: the attack requires no complex optimization objectives. Instead, it exploits inherent data leakage from model gradients and amplifies this effect by maliciously altering the weights of the shared model. These properties enable our attack to scale to models trained with large mini-batches of data. Where attackers from prior work require hours to recover a single data point, our method needs milliseconds to capture the full mini-batch of data from both fully-connected and convolutional deep neural networks. Finally, we consider mitigations. We observe that current implementations of differential privacy (DP) in FL are flawed, as they explicitly trust the central party with the crucial task of adding DP noise, and thus provide no protection against a malicious central party. We also consider other defenses and explain why they are similarly inadequate. A significant redesign of FL is required for it to provide any meaningful form of data privacy to users.
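To illustrate the "inherent data leakage from model gradients" the abstract refers to, the following is a minimal PyTorch sketch (not the paper's trap-weights attack) of the well-known rank-one leakage in a fully-connected layer: for a single input, each row of the weight gradient is the input scaled by the corresponding bias gradient, so the input can be read off directly. The layer sizes, MSE loss, and batch size of 1 are illustrative assumptions; the paper's contribution is amplifying this effect so it survives large mini-batches.

```python
# Minimal sketch of gradient leakage in a fully-connected layer (batch size 1).
# For y = Wx + b and loss L: dL/dW[i] = dL/db[i] * x, so any neuron i with a
# non-zero bias gradient reveals x exactly. This is the leakage the paper's
# "trap weights" amplify to work on full mini-batches; the sketch itself only
# covers the single-example case.
import torch

torch.manual_seed(0)
d_in, d_out = 8, 4
layer = torch.nn.Linear(d_in, d_out)

x = torch.randn(1, d_in)             # the user's private data point
target = torch.randn(1, d_out)       # arbitrary label for this illustration
loss = torch.nn.functional.mse_loss(layer(x), target)
loss.backward()                      # gradients the user would share in FL

grad_W = layer.weight.grad           # shape (d_out, d_in)
grad_b = layer.bias.grad             # shape (d_out,)

# Divide a weight-gradient row by its (non-zero) bias gradient to recover x.
i = torch.argmax(grad_b.abs())
x_reconstructed = grad_W[i] / grad_b[i]

print(torch.allclose(x_reconstructed, x.squeeze(0), atol=1e-5))  # True
```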