Label is the culprit: Defending Gradient Attack On Privacy
Federated learning (FL) is widely studied as a way to protect local privacy by exchanging model parameters rather than raw data among clients. However, a Gradient Attack (GA) lets an emissary client or the parameter server in federated learning infer the local data of other clients based only on the exchanged model parameters. Within the framework and process of federated learning, which features provide heuristic information for inferring raw data, and how can GA be defended against? This remains an urgent open question for the academic community. We demonstrate that the labels of input samples play a key role in the success of GA by analyzing the rank of the coefficient matrix of the nonhomogeneous linear equation relating gradients and input samples. We propose a new approach that performs special operations on the repetition and order of labels, which achieves a better defense against gradient attacks without using any differential privacy framework. Our experimental results show that GA fails (i.e., leaks no valid information about local data) throughout the training of a deep convolutional network in FL, and that the network's accuracy is less affected than with differential privacy. The code is available at https://github.com/zhaohuali/Label-based-Defense.
ray=1.9.1
pytorch=1.10.1
torchvision=0.11.2
matplotlib=3.5.0
prettytable=2.5.0
apex: https://github.com/NVIDIA/apex
The details of the defense schemes can be found in the paper.
python training/main_pytorch.py --scheme [defense schemes] --data [imagenet-folder with train] --result-root [path of checkpoints]
where --scheme [defense schemes] selects the defense scheme; the available schemes are pure, RA, DP-SGD and GH. --result-root [path of checkpoints] is the path where the trained model parameters are stored. For example, we chose the scheme GH of our paper and placed the trained model in the test folder:
python training/main_pytorch.py --scheme GH --data /data/imagenet/train --result-root /data/test
Compute the gradient for the specified model parameters and settings; this gradient can then be used in the GIA below.
Assume that the GPU with serial number 0 is used for gradient calculation:
python training/get_gradients.py --gpu 0 [training settings] --data [imagenet-folder with train] --results [path of results] --pretrained [checkpoint of trained model (.tar) or parameters of model (.pth)]
Here, [training settings] takes the specific gradient calculation settings, which include the choice of defense; the available settings are listed below. --pretrained [checkpoint of trained model (.tar) or parameters of model (.pth)] is the path of the trained model parameters (.pth) or checkpoint (.tar).
The number of available GPUs can be adjusted by setting os.environ["CUDA_VISIBLE_DEVICES"] in the file training/get_gradients.py. We use 4 GPUs by default to compute gradients.
python training/get_gradients.py [training settings] --data [imagenet-folder with train] --results [path of results] --pretrained [checkpoint of trained model (.tar) or parameters of model (.pth)] --multiprocessing-distributed --dist-url tcp://127.0.0.1:10023 --dist-backend nccl --world-size 1 --rank 0
The values that can be used for [training settings] are listed in detail here.
- GA-based defense scheme: --kernel-size-of-maxpool 19 --ra
- Add noise to the gradient (DP-SGD): --enable-dp --sigma 0.01 --max-per-sample-grad_norm 1 --delta 1e-5
- Use synchronous BatchNorm (default uses asynchronous BatchNorm): --syncbn. Only makes sense in a multi-GPU environment.
- Set the number of local iterations: --epochs [the number of local iterations]. A single iteration is --epochs 1
- Simulated duplicate labels (each label has 4 duplicates, batch size must be 32): --duplicate-label
- Set batch size (default is 32): -b [batch size]. For example, to set a batch size of 79: -b 79
- Dropout: We use the VGG11 model to test the impact of Dropout. Dropout is enabled by default. To disable it, add --model-eval to the command line. For example, to get the gradient when Dropout is inactive: --arch vgg11 --model-eval
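To make the --duplicate-label constraint above concrete (batch size 32, each label present 4 times), here is an added example that is not code from this repository, whose own implementation is not shown on this page. The function names, the in-batch shuffle and the sample label list are assumptions made for illustration; the sampler also generalizes to any batch size that is a multiple of the copy count.

```python
# Added example, not the repository's code: build batches in which every
# label is repeated, as described for --duplicate-label (32 samples, 4 per label).
import random
from collections import Counter, defaultdict


def duplicate_label_batches(labels, batch_size=32, copies=4, seed=0):
    """Yield lists of dataset indices; each batch holds batch_size // copies
    distinct labels, each exactly `copies` times, in shuffled order."""
    if batch_size % copies:
        raise ValueError("batch_size must be a multiple of copies")
    rng = random.Random(seed)
    by_label = defaultdict(list)
    for idx, lab in enumerate(labels):
        by_label[lab].append(idx)
    for pool in by_label.values():
        rng.shuffle(pool)
    n_labels = batch_size // copies
    while True:
        # Only labels that still have `copies` unused samples are eligible.
        ready = [lab for lab, pool in by_label.items() if len(pool) >= copies]
        if len(ready) < n_labels:
            return  # leftover samples cannot form a valid batch; drop them
        batch = []
        for lab in rng.sample(ready, n_labels):
            batch += [by_label[lab].pop() for _ in range(copies)]
        rng.shuffle(batch)  # assumption: randomize sample order inside the batch
        yield batch


def label_histogram(labels, batch):
    """Counter of label -> occurrences for one batch of indices."""
    return Counter(labels[i] for i in batch)


# Constructed sample data: 20 classes with 40 samples each.
SAMPLE_LABELS = [c for c in range(20) for _ in range(40)]

if __name__ == "__main__":
    n = 0
    for batch in duplicate_label_batches(SAMPLE_LABELS):
        hist = label_histogram(SAMPLE_LABELS, batch)
        assert len(batch) == 32 and set(hist.values()) == {4}
        n += 1
    print(f"{n} batches, each with 8 labels repeated 4 times")
```

Samples that cannot be grouped into a full batch are dropped, so the number of batches per pass depends on the seed.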
python main_run.py --gpu 0 --checkpoint [path of the gradients(.tar)] --min-grads-loss --metric
The number of available GPUs can be adjusted by setting os.environ["CUDA_VISIBLE_DEVICES"] in the file main_run.py. We use 4 GPUs by default to compute gradients.
python main_run.py --gpu 0 --checkpoint [path of the gradients(.tar)] --min-grads-loss --metric --world-size 1 --rank 0 --dist-url tcp://127.0.0.1:10036 --dist-backend nccl --multiprocessing-distributed