English

Do Gradient Inversion Attacks Make Federated Learning Unsafe?

Machine Learning 2023-02-01 v3 Cryptography and Security Computer Vision and Pattern Recognition Distributed, Parallel, and Cluster Computing

Abstract

Federated learning (FL) allows the collaborative training of AI models without needing to share raw data. This capability makes it especially interesting for healthcare applications where patient and data privacy is of utmost concern. However, recent works on the inversion of deep neural networks from model gradients raised concerns about the security of FL in preventing the leakage of training data. In this work, we show that these attacks presented in the literature are impractical in FL use-cases where the clients' training involves updating the Batch Normalization (BN) statistics and provide a new baseline attack that works for such scenarios. Furthermore, we present new ways to measure and visualize potential data leakage in FL. Our work is a step towards establishing reproducible methods of measuring data leakage in FL and could help determine the optimal tradeoffs between privacy-preserving techniques, such as differential privacy, and model accuracy based on quantifiable metrics. Code is available at https://nvidia.github.io/NVFlare/research/quantifying-data-leakage.

Keywords

Cite

@article{arxiv.2202.06924,
  title  = {Do Gradient Inversion Attacks Make Federated Learning Unsafe?},
  author = {Ali Hatamizadeh and Hongxu Yin and Pavlo Molchanov and Andriy Myronenko and Wenqi Li and Prerna Dogra and Andrew Feng and Mona G. Flores and Jan Kautz and Daguang Xu and Holger R. Roth},
  journal= {arXiv preprint arXiv:2202.06924},
  year   = {2023}
}

Comments

Revised version; Accepted to IEEE Transactions on Medical Imaging; Improved and reformatted version of https://www.researchsquare.com/article/rs-1147182/v2; Added NVFlare reference

R2 v1 2026-06-24T09:35:56.782Z