GI-PIP: DO WE REQUIRE IMPRACTICAL AUXILIARY DATASET FOR GRADIENT INVERSION ATTACKS?

Yu Sun; Gaojian Xiong; Xianxun Yao; Kailang Ma; Jian Cui

doi:10.1109/ICASSP48485.2024.10445924

GI-PIP: DO WE REQUIRE IMPRACTICAL AUXILIARY DATASET FOR GRADIENT INVERSION ATTACKS?

Yu Sun
, Gaojian Xiong
, Xianxun Yao^*
, Kailang Ma
, Jian Cui

^*Corresponding author for this work

Beihang University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

8 Scopus citations

Abstract

Deep gradient inversion attacks expose a serious threat to Federated Learning (FL) by accurately recovering private data from shared gradients. However, the state-of-the-art heavily relies on impractical assumptions to access excessive auxiliary data, which violates the basic data partitioning principle of FL. In this paper, a novel method, Gradient Inversion Attack using Practical Image Prior (GI-PIP), is proposed under a revised threat model. GI-PIP exploits anomaly detection models to capture the underlying distribution from fewer data, while GAN-based methods consume significant more data to synthesize images. The extracted distribution is then leveraged to regulate the attack process as Anomaly Score loss. Experimental results show that GI-PIP achieves a 16.12 dB PSNR recovery using only 3.8% data of ImageNet, while GAN-based methods necessitate over 70%. Moreover, GI-PIP exhibits superior capability on distribution generalization compared to GAN-based methods. Our approach significantly alleviates the auxiliary data requirement on both amount and distribution in gradient inversion attacks, hence posing more substantial threat to real-world FL. Our code is available at https://github.com/D1aoBoomm/GI-PIP.

Original language	English
Title of host publication	2024 IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2024 - Proceedings
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	4675-4679
Number of pages	5
ISBN (Electronic)	9798350344851
DOIs	https://doi.org/10.1109/ICASSP48485.2024.10445924
State	Published - 2024
Event	2024 IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2024 - Seoul, Korea, Republic of Duration: 14 Apr 2024 → 19 Apr 2024

Publication series

Name	ICASSP, IEEE International Conference on Acoustics, Speech and Signal Processing - Proceedings
ISSN (Print)	1520-6149

Conference

Conference	2024 IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2024
Country/Territory	Korea, Republic of
City	Seoul
Period	14/04/24 → 19/04/24

Keywords

Anomaly detection
Federated learning
Gradient inversion
Practical image prior
Privacy leakage

Access to Document

10.1109/ICASSP48485.2024.10445924

Cite this

Sun, Y., Xiong, G., Yao, X., Ma, K., & Cui, J. (2024). GI-PIP: DO WE REQUIRE IMPRACTICAL AUXILIARY DATASET FOR GRADIENT INVERSION ATTACKS? In 2024 IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2024 - Proceedings (pp. 4675-4679). (ICASSP, IEEE International Conference on Acoustics, Speech and Signal Processing - Proceedings). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/ICASSP48485.2024.10445924

Sun, Yu ; Xiong, Gaojian ; Yao, Xianxun et al. / GI-PIP : DO WE REQUIRE IMPRACTICAL AUXILIARY DATASET FOR GRADIENT INVERSION ATTACKS?. 2024 IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2024 - Proceedings. Institute of Electrical and Electronics Engineers Inc., 2024. pp. 4675-4679 (ICASSP, IEEE International Conference on Acoustics, Speech and Signal Processing - Proceedings).

@inproceedings{8598ada1455543efaaad687224ad18c6,

title = "GI-PIP: DO WE REQUIRE IMPRACTICAL AUXILIARY DATASET FOR GRADIENT INVERSION ATTACKS?",

abstract = "Deep gradient inversion attacks expose a serious threat to Federated Learning (FL) by accurately recovering private data from shared gradients. However, the state-of-the-art heavily relies on impractical assumptions to access excessive auxiliary data, which violates the basic data partitioning principle of FL. In this paper, a novel method, Gradient Inversion Attack using Practical Image Prior (GI-PIP), is proposed under a revised threat model. GI-PIP exploits anomaly detection models to capture the underlying distribution from fewer data, while GAN-based methods consume significant more data to synthesize images. The extracted distribution is then leveraged to regulate the attack process as Anomaly Score loss. Experimental results show that GI-PIP achieves a 16.12 dB PSNR recovery using only 3.8\% data of ImageNet, while GAN-based methods necessitate over 70\%. Moreover, GI-PIP exhibits superior capability on distribution generalization compared to GAN-based methods. Our approach significantly alleviates the auxiliary data requirement on both amount and distribution in gradient inversion attacks, hence posing more substantial threat to real-world FL. Our code is available at https://github.com/D1aoBoomm/GI-PIP.",

keywords = "Anomaly detection, Federated learning, Gradient inversion, Practical image prior, Privacy leakage",

author = "Yu Sun and Gaojian Xiong and Xianxun Yao and Kailang Ma and Jian Cui",

note = "Publisher Copyright: {\textcopyright} 2024 IEEE.; 2024 IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2024 ; Conference date: 14-04-2024 Through 19-04-2024",

year = "2024",

doi = "10.1109/ICASSP48485.2024.10445924",

language = "英语",

series = "ICASSP, IEEE International Conference on Acoustics, Speech and Signal Processing - Proceedings",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "4675--4679",

booktitle = "2024 IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2024 - Proceedings",

address = "美国",

}

Sun, Y, Xiong, G, Yao, X, Ma, K & Cui, J 2024, GI-PIP: DO WE REQUIRE IMPRACTICAL AUXILIARY DATASET FOR GRADIENT INVERSION ATTACKS? in 2024 IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2024 - Proceedings. ICASSP, IEEE International Conference on Acoustics, Speech and Signal Processing - Proceedings, Institute of Electrical and Electronics Engineers Inc., pp. 4675-4679, 2024 IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2024, Seoul, Korea, Republic of, 14/04/24. https://doi.org/10.1109/ICASSP48485.2024.10445924

GI-PIP: DO WE REQUIRE IMPRACTICAL AUXILIARY DATASET FOR GRADIENT INVERSION ATTACKS? / Sun, Yu; Xiong, Gaojian; Yao, Xianxun et al.
2024 IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2024 - Proceedings. Institute of Electrical and Electronics Engineers Inc., 2024. p. 4675-4679 (ICASSP, IEEE International Conference on Acoustics, Speech and Signal Processing - Proceedings).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - GI-PIP

T2 - 2024 IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2024

AU - Sun, Yu

AU - Xiong, Gaojian

AU - Yao, Xianxun

AU - Ma, Kailang

AU - Cui, Jian

PY - 2024

Y1 - 2024

N2 - Deep gradient inversion attacks expose a serious threat to Federated Learning (FL) by accurately recovering private data from shared gradients. However, the state-of-the-art heavily relies on impractical assumptions to access excessive auxiliary data, which violates the basic data partitioning principle of FL. In this paper, a novel method, Gradient Inversion Attack using Practical Image Prior (GI-PIP), is proposed under a revised threat model. GI-PIP exploits anomaly detection models to capture the underlying distribution from fewer data, while GAN-based methods consume significant more data to synthesize images. The extracted distribution is then leveraged to regulate the attack process as Anomaly Score loss. Experimental results show that GI-PIP achieves a 16.12 dB PSNR recovery using only 3.8% data of ImageNet, while GAN-based methods necessitate over 70%. Moreover, GI-PIP exhibits superior capability on distribution generalization compared to GAN-based methods. Our approach significantly alleviates the auxiliary data requirement on both amount and distribution in gradient inversion attacks, hence posing more substantial threat to real-world FL. Our code is available at https://github.com/D1aoBoomm/GI-PIP.

AB - Deep gradient inversion attacks expose a serious threat to Federated Learning (FL) by accurately recovering private data from shared gradients. However, the state-of-the-art heavily relies on impractical assumptions to access excessive auxiliary data, which violates the basic data partitioning principle of FL. In this paper, a novel method, Gradient Inversion Attack using Practical Image Prior (GI-PIP), is proposed under a revised threat model. GI-PIP exploits anomaly detection models to capture the underlying distribution from fewer data, while GAN-based methods consume significant more data to synthesize images. The extracted distribution is then leveraged to regulate the attack process as Anomaly Score loss. Experimental results show that GI-PIP achieves a 16.12 dB PSNR recovery using only 3.8% data of ImageNet, while GAN-based methods necessitate over 70%. Moreover, GI-PIP exhibits superior capability on distribution generalization compared to GAN-based methods. Our approach significantly alleviates the auxiliary data requirement on both amount and distribution in gradient inversion attacks, hence posing more substantial threat to real-world FL. Our code is available at https://github.com/D1aoBoomm/GI-PIP.

KW - Anomaly detection

KW - Federated learning

KW - Gradient inversion

KW - Practical image prior

KW - Privacy leakage

UR - https://www.scopus.com/pages/publications/85195413914

U2 - 10.1109/ICASSP48485.2024.10445924

DO - 10.1109/ICASSP48485.2024.10445924

M3 - 会议稿件

AN - SCOPUS:85195413914

T3 - ICASSP, IEEE International Conference on Acoustics, Speech and Signal Processing - Proceedings

SP - 4675

EP - 4679

BT - 2024 IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2024 - Proceedings

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 14 April 2024 through 19 April 2024

ER -

Sun Y, Xiong G, Yao X, Ma K, Cui J. GI-PIP: DO WE REQUIRE IMPRACTICAL AUXILIARY DATASET FOR GRADIENT INVERSION ATTACKS? In 2024 IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2024 - Proceedings. Institute of Electrical and Electronics Engineers Inc. 2024. p. 4675-4679. (ICASSP, IEEE International Conference on Acoustics, Speech and Signal Processing - Proceedings). doi: 10.1109/ICASSP48485.2024.10445924

GI-PIP: DO WE REQUIRE IMPRACTICAL AUXILIARY DATASET FOR GRADIENT INVERSION ATTACKS?

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this