Federated Learning (FL) enables collaborative training of Machine Learning (ML) models across multiple clients while preserving their privacy. Rather than sharing raw data, federated clients transmit locally computed updates that are used to train the global model. Although this paradigm should provide stronger privacy guarantees than centralized ML, client updates remain vulnerable to privacy leakage. Adversaries can exploit them to infer sensitive properties of the training data, or even to reconstruct the original inputs via Gradient Inversion Attacks (GIAs). Under the honest-but-curious threat model, GIAs attempt to reconstruct training data by reversing intermediate updates using optimization-based techniques. We observe that these approaches usually reconstruct noisy approximations of the original inputs, whose quality can be enhanced with specialized denoising models. This paper presents Gradient Update Inversion with DEnoising (GUIDE), a novel methodology that leverages diffusion models as denoising tools to improve image reconstruction attacks in FL. GUIDE can be integrated into any GIA that exploits surrogate datasets, a widely adopted assumption in the GIA literature. We comprehensively evaluate our approach in two attack scenarios that use different FL algorithms, models, and datasets. Our results demonstrate that GUIDE integrates seamlessly with two state-of-the-art GIAs, substantially improving reconstruction quality across multiple metrics. Specifically, GUIDE achieves up to 46% higher perceptual similarity, as measured by the DreamSim metric.
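The following is an added, self-contained illustration of the attack surface the abstract describes, not code from the GUIDE paper. It assumes a deliberately simple setting: the model is a single linear layer y_hat = W x + b trained with squared loss, the client sends the gradient of one sample (batch size 1), and the honest-but-curious server knows W, b and the label y. Under those assumptions the update dW factors as an outer product db x^T, so the server can recover the input either in closed form or, in the spirit of optimization-based GIAs, by gradient descent on a gradient-matching objective starting from a dummy input. Adding noise to the update shows why such attacks typically yield only a noisy approximation of the input; the diffusion-based denoising stage of GUIDE is not reproduced here.

```python
"""Toy gradient inversion attack against a single federated client update.

Assumptions for this example (not the paper's setting): one linear layer
y_hat = W x + b with squared loss, one sample per update, and an
honest-but-curious server that knows W, b and the label y.
"""
import numpy as np


def local_gradient(W, b, x, y):
    """Honest client: gradient of L = 0.5 * ||W x + b - y||^2 for one sample.

    Returns (dW, db) with dW = r x^T and db = r, where r is the residual.
    The update therefore factors as an outer product that contains x.
    """
    r = W @ x + b - y
    return np.outer(r, x), r


def invert_analytic(dW, db, eps=1e-9):
    """Closed-form inversion: every row i of dW equals db[i] * x.

    Uses the row with the largest |db[i]| to limit amplification of noise.
    """
    i = int(np.argmax(np.abs(db)))
    if abs(db[i]) < eps:
        raise ValueError("bias gradient is zero; no row reveals the input")
    return dW[i] / db[i]


def invert_by_gradient_matching(dW, db, steps=200, lr=None):
    """Optimization-based inversion, specialised to this toy model.

    Starting from a dummy input x', minimise the gradient-matching objective
        D(x') = 0.5 * ||db x'^T - dW||_F^2
    by gradient descent. Because db is observed directly (it is the bias
    gradient), D is a convex quadratic in x' with Hessian (db . db) * I, so
    any lr < 2 / (db . db) converges; lr = 1 / (db . db) converges in one step.
    """
    rr = float(db @ db)
    if rr == 0.0:
        raise ValueError("bias gradient is zero; objective is uninformative")
    if lr is None:
        lr = 0.5 / rr  # well inside the stable range, so the iterations are visible
    x = np.zeros(dW.shape[1])  # dummy input
    for _ in range(steps):
        E = np.outer(db, x) - dW   # mismatch between candidate and observed dW
        grad = E.T @ db            # dD/dx' = (db . db) x' - dW^T db
        x = x - lr * grad
    return x


def cosine(a, b):
    """Cosine similarity between two vectors (1.0 means identical direction)."""
    return float(a @ b / (np.linalg.norm(a) * np.linalg.norm(b)))


def demo(noise_std=0.0, seed=0):
    """Run both attacks on a constructed client update; returns reconstruction metrics."""
    rng = np.random.default_rng(seed)
    k, d = 5, 8
    W, b = rng.standard_normal((k, d)), rng.standard_normal(k)
    x_true, y = rng.standard_normal(d), rng.standard_normal(k)
    dW, db = local_gradient(W, b, x_true, y)
    # Optional perturbation of the update (e.g. Gaussian noise a defence might
    # add before transmission); the attacker then recovers only an approximation.
    dW = dW + noise_std * rng.standard_normal(dW.shape)
    db = db + noise_std * rng.standard_normal(db.shape)
    x_a = invert_analytic(dW, db)
    x_o = invert_by_gradient_matching(dW, db)
    return {
        "analytic_err": float(np.linalg.norm(x_a - x_true)),
        "matching_err": float(np.linalg.norm(x_o - x_true)),
        "analytic_cos": cosine(x_a, x_true),
        "matching_cos": cosine(x_o, x_true),
    }


if __name__ == "__main__":
    print("clean update:", demo())
    print("noisy update:", demo(noise_std=0.1))
```

With a clean update both attacks recover the input to floating-point precision; with a perturbed update the reconstruction is still strongly correlated with the input but no longer exact, which is the kind of noisy approximation a denoising stage would then try to clean up. Real GIAs face deeper models, larger batches and unknown labels, so they rely on iterative gradient matching and priors rather than the closed form available here.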