Core Concept
Ensuring privacy in Federated Learning against data reconstruction attacks is achievable by constraining transmitted information through controlled parameter channels and data space operations.
Summary
The article discusses defending against data reconstruction attacks in Federated Learning (FL) by constraining the information that is transmitted. It introduces an information-theoretic approach that provides privacy guarantees under data reconstruction attacks. The core focus is on channel models, mutual information analysis, and methods to limit information leakage. The paper proposes algorithms that restrict the information transmitted during local training rounds and validates their effectiveness through experiments.
Introduction
- FL protects privacy by exchanging parameters instead of raw data.
- Membership inference attacks and data reconstruction attacks pose privacy risks.
Background and Preliminary
- In the FL scenario, communication happens through model parameters.
- Mutual information analysis for privacy protection.
Key Observation and Method Overview
- Establishing a formal correlation between transmitted information and reconstruction error.
- Developing methods to constrain information leakage in FL.
Channel Model of the Information Leakage
- Unfolding the FL process into a time-dependent Markov chain.
- Analyzing mutual information accumulation and its components.
Controlled Parameter Channel
- Proposing methods to limit channel capacity and information leakage.
- Transforming operations to constrain information in the data space.
Limiting Channel Capacity in Data Space
- Implementing Natural, White, and Personalized Channel methods.
- Visualizing the impact of different channel implementations on privacy protection.
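
The idea of limiting per-round channel capacity with added noise can be made concrete as follows. This is an added example, not code from the paper or from this summary: it assumes the transmitted update is sent through an additive Gaussian noise channel with a known update covariance, bounds the mutual information per round, and finds the smallest isotropic noise variance that meets a bit budget. The covariance values and all function names are constructed for illustration.

```python
import math

def logdet_spd(m):
    """Log-determinant of a symmetric positive-definite matrix via Cholesky."""
    n = len(m)
    low = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            s = m[i][j] - sum(low[i][k] * low[j][k] for k in range(j))
            if i == j:
                if s <= 0:
                    raise ValueError("matrix is not positive definite")
                low[i][j] = math.sqrt(s)
            else:
                low[i][j] = s / low[j][j]
    return 2.0 * sum(math.log(low[i][i]) for i in range(n))

def gaussian_mi_bits(cov_signal, cov_noise):
    """Upper bound, in bits, on I(X; X+N) for a signal with covariance
    cov_signal and independent noise N ~ N(0, cov_noise):
    0.5 * log2( det(cov_signal + cov_noise) / det(cov_noise) )."""
    n = len(cov_signal)
    total = [[cov_signal[i][j] + cov_noise[i][j] for j in range(n)]
             for i in range(n)]
    return 0.5 * (logdet_spd(total) - logdet_spd(cov_noise)) / math.log(2)

def isotropic(n, var):
    """Covariance of isotropic noise: var * identity."""
    return [[var if i == j else 0.0 for j in range(n)] for i in range(n)]

def min_isotropic_variance(cov_signal, budget_bits, tol=1e-9):
    """Smallest isotropic noise variance whose per-round bound stays within
    budget_bits. The bound decreases as variance grows, so bisection works."""
    n = len(cov_signal)
    lo, hi = tol, 1.0
    while gaussian_mi_bits(cov_signal, isotropic(n, hi)) > budget_bits:
        hi *= 2.0  # grow until the budget is satisfied
    while hi - lo > tol * hi:
        mid = 0.5 * (lo + hi)
        if gaussian_mi_bits(cov_signal, isotropic(n, mid)) > budget_bits:
            lo = mid
        else:
            hi = mid
    return hi  # hi always satisfies the budget

# Constructed 2-D covariance of a client update (assumption, not from the paper).
COV_UPDATE = [[4.0, 1.0], [1.0, 2.0]]

if __name__ == "__main__":
    v = min_isotropic_variance(COV_UPDATE, budget_bits=1.0)
    print(f"variance {v:.4f} -> {gaussian_mi_bits(COV_UPDATE, isotropic(2, v)):.4f} bits")
```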
Statistics
"The channel capacity C(t) is the maximum MI increment at round t."
"I(D; W) = 2, W(t) = 2, W(t + 1) = 6, Extra MI, Defense in data space, Defense in parameter space"
Quotes
"Federated Learning trains a black-box and high-dimensional model among different clients by exchanging parameters instead of direct data sharing."
"Our protecting goal is to decide the covariance matrix for the added noise according to a given data distribution D."