Federated learning allows distributed users to collaboratively train a model while keeping each user's data private. Recently, a growing body of work has demonstrated that an eavesdropping attacker can effectively recover image data from gradients transmitted during federated learning. However, little progress has been made in recovering text data. In this paper, we present FILM, a novel attack on federated learning of language models (LMs). For the first time, we show the feasibility of recovering text from batch sizes as large as 128 sentences. Unlike image-recovery methods that optimize inputs to match the observed gradients, we take a distinct approach: we first identify a set of words from the gradients and then directly reconstruct sentences using beam search and a prior-based reordering strategy. We conduct the FILM attack on several large-scale datasets and show that it can reconstruct single sentences with high fidelity even at large batch sizes, and can recover multiple sentences when applied iteratively. We evaluate three defense methods: gradient pruning, DPSGD, and a simple approach we propose that freezes the word embeddings. We show that both gradient pruning and DPSGD lead to a significant drop in utility. However, fine-tuning a public pre-trained LM on private text without updating the word embeddings effectively defends against the attack with minimal loss of data utility. We hope that our results encourage the community to rethink the privacy risks of LM training and its standard practices.
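The word-identification step rests on a simple observation: in a language model, the gradient of the word-embedding matrix is nonzero only in the rows corresponding to tokens that actually appear in the batch, so an eavesdropper who sees the gradient learns the batch's word set for free. A minimal pure-Python sketch of this leakage, using a toy vocabulary and hand-made gradient values (not the paper's actual pipeline or any real model):

```python
# Toy illustration: nonzero rows of the embedding-weight gradient
# reveal exactly which vocabulary tokens appeared in the batch.
vocab = ["the", "cat", "sat", "mat", "dog", "ran"]

def nonzero_rows(grad_matrix, eps=1e-12):
    """Indices of rows with any entry above eps in absolute value."""
    return [i for i, row in enumerate(grad_matrix)
            if any(abs(x) > eps for x in row)]

# Hypothetical embedding gradient after a batch containing "the cat sat";
# the specific numbers are made up, only the zero/nonzero pattern matters.
grad = [
    [0.30, -0.10],   # row for "the"  -> token appeared
    [0.05,  0.20],   # row for "cat"  -> token appeared
    [-0.40, 0.00],   # row for "sat"  -> token appeared
    [0.00,  0.00],   # row for "mat"  -> absent
    [0.00,  0.00],   # row for "dog"  -> absent
    [0.00,  0.00],   # row for "ran"  -> absent
]

leaked = {vocab[i] for i in nonzero_rows(grad)}
print(sorted(leaked))  # -> ['cat', 'sat', 'the']
```

This leaked word set is then the raw material for the beam-search and reordering stages; it also explains why freezing the word embeddings (so their gradient is never transmitted) is an effective defense.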