Federated Learning (FL) allows Machine Learning models to be trained collaboratively without sharing sensitive data. However, it remains vulnerable to Gradient Leakage Attacks (GLAs), which can reveal private information from the shared model updates. In this work, we investigate the effectiveness of Differential Privacy (DP) mechanisms, specifically DP-SGD and a variant based on explicit regularization (PDP-SGD), as defenses against GLAs. To this end, we evaluate the performance of several computer vision models trained under varying privacy levels on a simple classification task, and then analyze the quality of private data reconstructions obtained from the intercepted gradients in a simulated FL environment. Our results demonstrate that DP-SGD significantly mitigates the risk of gradient leakage attacks, albeit with a moderate trade-off in model utility. In contrast, PDP-SGD maintains strong classification performance but proves ineffective as a practical defense against reconstruction attacks. These findings highlight the importance of empirically evaluating privacy mechanisms beyond their theoretical guarantees, particularly in distributed learning scenarios where information leakage may represent an unacceptable, critical threat to data security and privacy.
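As an added example, not code from the paper, here is the DP-SGD update step the abstract refers to: each example's gradient is clipped to L2 norm at most C, the clipped gradients are summed, and Gaussian noise with standard deviation σ·C is added before the client reports the update. It is written for a two-parameter logistic model on constructed toy data; the names `max_norm`, `noise_multiplier` and the helper `neighbouring_distance` are assumptions made here to show why a single example's contribution is bounded.

```python
import math
import random


def l2_norm(v):
    return math.sqrt(sum(x * x for x in v))


def clip(grad, max_norm):
    """Scale one example's gradient so its L2 norm is at most max_norm (C)."""
    n = l2_norm(grad)
    scale = min(1.0, max_norm / n) if n > 0 else 1.0
    return [g * scale for g in grad]


def per_example_gradient(w, x, y):
    """Logistic-regression loss gradient for a single (x, y) pair, y in {0, 1}."""
    z = sum(wi * xi for wi, xi in zip(w, x))
    p = 1.0 / (1.0 + math.exp(-z))
    return [(p - y) * xi for xi in x]


def clipped_sum(w, batch, max_norm):
    """Sum of per-example clipped gradients (the un-noised DP-SGD aggregate)."""
    total = [0.0] * len(w)
    for x, y in batch:
        for i, g in enumerate(clip(per_example_gradient(w, x, y), max_norm)):
            total[i] += g
    return total


def dp_sgd_gradient(w, batch, max_norm, noise_multiplier, rng):
    """DP-SGD: clip, sum, add N(0, (noise_multiplier*max_norm)^2) noise, average.
    Only this noisy average leaves the client in an FL round."""
    sigma = noise_multiplier * max_norm
    total = clipped_sum(w, batch, max_norm)
    return [(t + rng.gauss(0.0, sigma)) / len(batch) for t in total]


def neighbouring_distance(w, batch_a, batch_b, max_norm):
    """L2 distance between the un-noised aggregates of two batches that differ
    in one example; clipping guarantees this is at most 2*max_norm, which is
    the sensitivity the Gaussian noise is calibrated to."""
    a = clipped_sum(w, batch_a, max_norm)
    b = clipped_sum(w, batch_b, max_norm)
    return l2_norm([ai - bi for ai, bi in zip(a, b)])


if __name__ == "__main__":
    # Constructed toy batch: two 2-d examples with labels.
    batch = [([3.0, 4.0], 1), ([-1.0, 2.0], 0)]
    print(dp_sgd_gradient([0.0, 0.0], batch, 1.0, 1.1, random.Random(0)))
```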