<?xml-model href='http://www.tei-c.org/release/xml/tei/custom/schema/relaxng/tei_all.rng' schematypens='http://relaxng.org/ns/structure/1.0'?><TEI xmlns="http://www.tei-c.org/ns/1.0">
	<teiHeader>
		<fileDesc>
			<titleStmt><title level='a'>OASIS: Offsetting Active Reconstruction Attacks in Federated Learning</title></titleStmt>
			<publicationStmt>
				<publisher>IEEE</publisher>
				<date>07/20/2024</date>
			</publicationStmt>
			<sourceDesc>
				<bibl> 
					<idno type="par_id">10517084</idno>
					<idno type="doi"></idno>
					<title level='j'>IEEE ICDCS</title>
<idno></idno>
<biblScope unit="volume"></biblScope>
<biblScope unit="issue"></biblScope>					

					<author>Tre’ R Jeter</author><author>Truc Nguyen</author><author>Raed Alharbi</author><author>My T Thai</author>
				</bibl>
			</sourceDesc>
		</fileDesc>
		<profileDesc>
			<abstract><ab><![CDATA[Federated Learning (FL) has garnered significant attention for its potential to protect user privacy while enhancing model training efficiency. For that reason, FL has found its use in various domains, from healthcare to industrial engineering, especially where data cannot be easily exchanged due to sensitive information or privacy laws. However, recent research has demonstrated that FL protocols can be easily compromised by active reconstruction attacks executed by dishonest servers. These attacks involve the malicious modification of global model parameters, allowing the server to obtain a verbatim copy of users' private data by inverting their gradient updates. Tackling this class of attack remains a crucial challenge due to the strong threat model. In this paper, we propose a defense mechanism, namely OASIS, based on image augmentation that effectively counteracts active reconstruction attacks while preserving model performance. We first uncover the core principle of gradient inversion that enables these attacks and theoretically identify the main conditions by which the defense can be robust regardless of the attack strategies. We then construct our defense with image augmentation showing that it can undermine the attack principle. Comprehensive evaluations demonstrate the efficacy of the defense mechanism highlighting its feasibility as a solution.]]></ab></abstract>
		</profileDesc>
	</teiHeader>
	<text><body xmlns="http://www.tei-c.org/ns/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xlink="http://www.w3.org/1999/xlink">
<div xmlns="http://www.tei-c.org/ns/1.0"><head>I. INTRODUCTION</head><p>* These authors contributed equally to this work.</p><p>In recent years, Federated Learning (FL) has developed into a well-respected distributed learning framework that promotes user privacy with high model performance. By design, FL authorizes collaborative training of a global model between millions of users without revealing any of their locally trained, private data. It is an iterative protocol where, in each round, a central server distributes the most up-to-date global model to an arbitrary subset of users that train locally and communicate their model updates back to the server. These model updates include the gradients that are calculated based on the global model and the local training data. The central server then averages these model updates to form a new global model to distribute in the next round.</p><p>With a disruptive privacy-centric design, FL has been regarded as an auspicious solution for applying machine learning to the healthcare sector, particularly in scenarios where sharing medical data between different sites is intractable due to strict privacy protection policies such as the Health Insurance Portability and Accountability Act (HIPAA) <ref type="bibr">[1]</ref> and General Data Protection Regulation (GDPR) <ref type="bibr">[2]</ref>. Numerous studies have proposed FL for medical image analysis, utilizing data such as X-rays, MRIs, and PET scans from different hospital sites while complying with privacy laws <ref type="bibr">[3]</ref>-<ref type="bibr">[8]</ref>. This innovative approach is not limited to healthcare; FL is also making significant strides in industrial engineering. 
For instance, in urban environment image sensing, research has shown that FL makes it easier to perform a time-series analysis of industrial environment factors obtained from multiple sensors and unmanned aerial vehicles (UAVs) across different companies while maintaining confidential data privacy <ref type="bibr">[9]</ref>-<ref type="bibr">[12]</ref>. Beyond these applications, FL is also stimulating advancements in diverse domains such as control systems, autonomous vehicles, and smart manufacturing <ref type="bibr">[13]</ref>-<ref type="bibr">[15]</ref>, showcasing the versatility and broad impact of a privacy-preserving learning framework.</p><p>However, the promise of privacy for clients in FL has been constantly challenged <ref type="bibr">[16]</ref>. Recent work <ref type="bibr">[17]</ref>-<ref type="bibr">[24]</ref> has investigated a strong and practical threat model in which the server can be actively dishonest, such that it is capable of maliciously modifying the global model before dispatching it to the users. This threat model has instigated several active reconstruction attacks in which an FL server can perfectly reconstruct some data points in a user's training data <ref type="bibr">[17]</ref>, <ref type="bibr">[18]</ref>, <ref type="bibr">[24]</ref>. These attacks exploit a fundamental concept: the gradients in the local model updates sent by users may contain complete and memorized individual data points. These gradients can later be inverted by the server to reveal such data points. As an actively dishonest adversary, the server can strategically manipulate the weights of the global model to maximize the number of individual data points that can be reconstructed from the users' gradients. 
For that reason, although the training data is said to never leave a user's device, it can still be reconstructed, thereby refuting the claim of privacy preservation in FL.</p><p>Given such a strong adversary, defending against this class of active reconstruction attacks is challenging. Until now, mitigation approaches for such attacks on FL have focused on obfuscating the gradients via a Differential Privacy (DP) mechanism, such as DPSGD <ref type="bibr">[25]</ref>, that formally bounds the privacy leakage by adding calibrated noise to the gradients. However, previous work <ref type="bibr">[17]</ref>, <ref type="bibr">[18]</ref> has shown that to prevent an attacker from discerning the content of reconstructed data, the user must add a significant amount of DP noise to the gradients, which unfortunately degrades the overall model performance.</p><p>In this paper, we propose a new defense, OASIS, to Offset this class of Active reconStructIon attackS. As there are different strategies to manipulate the global model for conducting this attack, it is imperative to figure out how to tackle the attack in principle so that the defense is robust regardless of the manipulation strategies. We first analyze the attack surface and determine the core vulnerability in the gradient updates that enables the memorization of individual training samples. By doing so, we generalize the existing attacks by discovering the conditions under which a dishonest server can conduct gradient inversion to reconstruct users' data. We then intuitively show how to undermine those conditions and mitigate the impact of the attacks.</p><p>From the attack principle, we show that the users can preprocess their training data in a way that prevents the samples from being revealed via gradient inversion, effectively countering this class of active reconstruction attacks. A mechanism for such preprocessing is image augmentation <ref type="bibr">[26]</ref>, <ref type="bibr">[27]</ref>. 
This includes adding augmented versions of an image, such as rotated, flipped, and sheared counterparts, to the training data before computing the gradients. By doing this, OASIS aims to have the gradients memorize a linear combination of the original image and its augmented versions, instead of memorizing any individual images. As a result, inverting these gradients would reconstruct what appears to be an overlap of multiple images, thereby effectively preventing the server from discerning the content of the reconstructed images, as shown in Figure <ref type="figure">1</ref>. Since image augmentation is used to improve model generalization <ref type="bibr">[28]</ref>, we safely maintain the performance of FL with this countermeasure. Our analysis shows that OASIS opens a new approach to protect users' data from gradient inversion without suffering the utility loss as in DP.</p><p>Contributions. Our key contributions are as follows:</p><p>&#8226; We analyze the attack surface and determine the key principle behind gradient inversion that enables active reconstruction attacks. From that, we theoretically show how to tackle this class of attack, regardless of how the attacker manipulates the global model parameters.</p><p>&#8226; Based on the attack principle, we present OASIS as a suite of image augmentations. To our knowledge, this mechanism stands as the first general and scalable defense against active reconstruction attacks via gradient inversion by actively dishonest servers in FL.</p><p>&#8226; We thoroughly analyze the effectiveness of OASIS through experiments with respect to attack success rate and augmentation type. We also show how OASIS maintains model performance.</p><p>Organization. The paper's structure is as follows: Section II provides a primer on FL, image augmentation, and the main augmentations used. Section III presents the threat model, attack principle, and our OASIS defense. Section IV presents an in-depth experimental analysis and results supporting our defense. Section V discusses related research on reconstruction attacks and existing defenses. Section VI concludes the paper, summarizing our key findings.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head>II. PRELIMINARIES</head><p>In this section, we summarize the FL process while also describing the benefits of image augmentation during training.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head>A. Federated Learning</head><p>Depending on how training data is distributed among the participants, there are two main versions of FL: horizontal and vertical. In this paper, we focus on a horizontal setting in which different data owners hold the same set of features but different sets of samples. We denote f w : R d &#8594; R k as a k-class neural network model that is parameterized by a set of weights w. The goal of f w is to map a data point x &#8712; R d to a vector of posterior probabilities f w (x) = Y over k classes.</p><p>FL is an iterative learning framework for training a global model f w on decentralized data owned by N different users {u j } N j=1 . A central server coordinates the training of f w by iteratively aggregating gradients computed locally by the users. Let t &#8712; [0, T ] be the current iteration of the FL protocol, and w t be the set of parameters at iteration t. At iteration t = 0, the global w t is initialized at random by a central server. At every iteration t, a subset of M &lt; N users is randomly selected to contribute to the training. Each of the selected users u j obtains f w t from the central server and calculates the gradients G t j for f w t using their local training batch D j . Specifically, G t j = &#8711; w t L(D j , w t ) where L is a loss function. Then, each u j uploads its gradients to the central server. With a learning rate &#951;, the server averages these gradients to update the global model's parameters as follows:</p><p>The training continues until f w t converges.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head>B. Image Augmentation</head><p>Image augmentation is a very useful technique in deep learning that allows for the expansion of a training dataset with artificially generated data. Given a dataset of images, augmenting each image using rotation, shearing, or flipping yields a new expanded dataset for training. This added preprocessing helps increase model generalization and avoid overfitting by altering the makeup of data and adding it to the training set <ref type="bibr">[26]</ref>, <ref type="bibr">[27]</ref>. With more data to train on, the model is less prone to memorizing the data and instead generalizes the patterns across it. In turn, increased model generalization tends to lead to higher model performance. Image augmentation has been widely used in datasets like ImageNet <ref type="bibr">[29]</ref> and CIFAR-10 <ref type="bibr">[28]</ref>.</p><p>Our work focuses on three main transformations: rotation, shearing, and flipping. In each augmentation scenario, we consider a 2D image I where I(i, j) denotes the pixel value at coordinates (i, j). Rotation includes tilting an image's pixels by an angle &#952;. We define major rotation angles as the maximum degrees of each respective quadrant in an x-y coordinate system (i.e., 90&#176;, 180&#176;, and 270&#176;). Minor rotation angles are described as any angle &lt; 90&#176;. More formally, an image I &#8242; can be constructed from I as follows:</p><p>where &#952; is the angle by which the image is rotated.</p><p>Flipping includes reflecting an image on its x-axis (vertical flip) or its y-axis (horizontal flip). A horizontally flipped image I &#8242; can be constructed from I as follows:</p><p>Similarly, a vertically flipped image I &#8242; can be constructed from I as follows:</p><p>Shearing is projecting a point or set of points within an image in a different direction. 
A sheared image I &#8242; can be constructed from I as follows:</p><p>where &#181; is the shear factor controlling the shearing intensity.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head>III. OASIS -A PROPOSED DEFENSE</head><p>This section describes our proposed defense, OASIS, against active reconstruction attacks via gradient inversion in FL. In order to devise an effective defense, we analyze the attack surface to determine the core vulnerability of the system and how the attacks exploit it in principle. We then propose OASIS to prevent such exploitation, effectively tackling this class of attacks, regardless of how they are implemented.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head>A. Generalizing Active Reconstruction Attacks via Gradient Inversion</head><p>Threat Model. We examine a server that is dishonest and aims to reconstruct the private data of a targeted user. As discussed in previous work <ref type="bibr">[17]</ref>, <ref type="bibr">[18]</ref>, a dishonest server is capable of making malicious modifications to w before dispatching it to the users at any iteration. These modifications can include changing and/or adding model parameters. However, the modification should be minimal to avoid detection.</p><p>For this attack, the adversary places a malicious fully-connected layer consisting of n attacked neurons in the neural network model f w , so that inverting the gradients of these neurons would recover the users' data. Generally, the attack becomes less effective when the layer is placed deeper in the neural network. For the purpose of devising a robust defense, we consider a strong adversary who can place the malicious layer directly right after the input layer. The layer is parameterized by a weight matrix W &#8712; R n&#215;d and a bias b.</p><p>Denoting D = {x j } B j=1 as the local training data of a targeted user where B is the batch size, the goal of the attack is to reconstruct the data points in D via the malicious layer. Our defense, OASIS, aims to minimize the quality of reconstruction, regardless of how the malicious layer (W, b) is determined by the adversary. Attack Vector Analysis. We aim to generalize state-of-the-art active reconstruction attacks by deducing their core principle. Suppose that the malicious layer is updated based on a single input x t &#8712; R d ; then, for each neuron i, the gradients of the loss with respect to the weights and biases will be</p><p>where L t is shorthand for L(x t , (W, b)). All the gradients</p><p>are then uploaded to the server. 
As shown in <ref type="bibr">[17]</ref>, <ref type="bibr">[18]</ref>, <ref type="bibr">[30]</ref>, with a ReLU activation function, the server can perfectly reconstruct x t by dividing the gradients as follows:</p><p>where i is the index of a neuron that is activated by the input x t and &#8706;L t /&#8706;b i &#8800; 0. In other words, knowing the gradients &#8706;L t /&#8706;W i , &#8706;L t /&#8706;b i of a particular input sample x t allows perfect reconstruction of that sample via gradient inversion.</p><p>However, in practical FL, when the malicious layer is updated based on a batched input D = {x j } B j=1 where B &gt; 1, all derivatives are summed over the batch dimension. In particular, the gradients of the malicious layer that the server receives will instead be:</p><p>When the server performs the same inversion computation as Equation (<ref type="formula">6</ref>) on this summed gradient, it will reconstruct</p><p>which is proportional to a linear combination of the samples that activated neuron i. The coefficient for each sample in the linear combination depends on how much the sample contributes to the loss L. Reconstructing such a combination may not be able to reveal the content of each individual input sample, thereby hindering the impact of the attack.</p><p>To circumvent the problem of summed gradients, the CAH attack proposed by <ref type="bibr">[17]</ref> chooses the parameters for (W, b) that maximize the likelihood that each attacked neuron is activated by only one sample in the batch. The rationale behind this is that if i is activated only by one data point x t , then</p><p>since &#8706;L j /&#8706;W i = 0 and &#8706;L j /&#8706;b i = 0 for data points x j (j &#8800; t) that do not activate the neuron i. 
After obtaining &#8706;L t /&#8706;W i , &#8706;L t /&#8706;b i , the server can reconstruct x t by Equation (<ref type="formula">6</ref>).</p><p>On the other hand, <ref type="bibr">[18]</ref> proposes the RTF attack in which the reconstruction can be carried out by considering the difference between two successive neurons' gradients, with respect to some specific parameters (W, b). Specifically, the server can strategically choose (W, b) so that, given the gradients</p><p>, the difference between them can reveal the gradients &#8706;L t /&#8706;W i , &#8706;L t /&#8706;b i of a particular sample x t that activates neuron i. With this, Equation (<ref type="formula">6</ref>) can perfectly reconstruct that sample x t .</p><p>From this analysis, we can observe the underlying principle of these attacks: as long as the gradients &#8706;L t /&#8706;W i , &#8706;L t /&#8706;b i of one individual sample x t can be extracted from the summed gradients</p><p>with &#8706;L t /&#8706;b i &#8800; 0, that sample x t can be perfectly reconstructed by gradient inversion via Equation (<ref type="formula">6</ref>). Therefore, the attack strategies specifically involve choosing (W, b) that optimizes the chance of extraction, thus improving reconstruction quality.</p><p>Defense Intuition. By this principle, to effectively defend against such attacks, it is essential to prevent the leaking of any individual data point's gradients from the summed gradients, regardless of how the parameters (W, b) are chosen. With this in mind, we establish the following proposition:</p><p>Proposition 1. Given a sample x t &#8712; D, if there exists an x &#8242; t &#8712; D such that x t and x &#8242; t activate the same set of neurons in the malicious layer, then the adversary cannot extract</p><p>Proof. 
There are two cases in which the adversary is able to obtain &#8706;L t /&#8706;W i , &#8706;L t /&#8706;b i :</p><p>(1) There exists an i &#8712; {1, 2, ..., n} s.t.</p><p>This means that the neuron i is activated only by x t , thus contradicting the fact that x t and x &#8242; t activate the same set of neurons.</p><p>(2) There exists a subset D &#8838; D \ x t such that the adversary can determine</p><p>To be able to obtain</p><p>it must be that x t activates neuron i. This also means that x &#8242; t activates neuron i (since x t and x &#8242; t activate the same set of neurons) and that x &#8242; t &#8712; D. But in order to get</p><p>there must be a neuron that is activated by samples in D, which includes x &#8242; t , and is not activated by x t . This contradicts the fact that x t and x &#8242; t activate the same set of neurons.</p><p>Intuitively, suppose that for every x t &#8712; D, we find a data point x &#8242; t such that x t and x &#8242; t always activate the same set of neurons, and then we add x &#8242; t to D. From Proposition 1, it can be inferred that the best that the attacker can do is extracting</p><p>Hence, it could only reconstruct a linear combination of x t and x &#8242; t . If the linear combination does not reveal the content of x t , then the proposed defense is successful.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head>B. Image Augmentation as a Defense</head><p>From the previous attack principle and defense intuition, we devise a robust defense mechanism as follows. For every x t &#8712; D, we find a set of data points X &#8242; t such that x t and every x &#8242; &#8712; X &#8242; t activate the same set of neurons. Then, we construct a new local training dataset:</p><p>If D is labeled then the data points in X &#8242; t are given the same label as x t . The user will use D &#8242; instead of D for the FL process, so that an active reconstruction attack can only reconstruct a linear combination of x t and x &#8242; &#8712; X &#8242; t . This mechanism is illustrated in Figure <ref type="figure">1</ref>. The defense is considered effective if it satisfies two conditions: (1) using D &#8242; does not heavily reduce the training performance, and (2) a linear combination of x t and x &#8242; &#8712; X &#8242; t does not reveal the content of x t .</p><p>To find X &#8242; t that activates the same set of neurons as x t , we propose using image augmentation <ref type="bibr">[27]</ref> where X &#8242; t contains the transformations of x t , such as rotation, shearing, or flipping. As noted in <ref type="bibr">[28]</ref>, image augmentation can be used to teach a model about invariances in the data domain. For that reason, training with image augmentation makes the model invariant to the transformations of images. In other words, the model</p><p>Furthermore, using image augmentation as a defense also satisfies the above-mentioned two conditions. First, using image augmentation maintains the training performance as it was originally designed to improve model generalization and reduce overfitting. Second, as we shall demonstrate in Section IV, a linear combination of an image x t and its transformations yields an unrecognizable image, thereby protecting the original content of x t .</p></div>
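<div xmlns="http://www.tei-c.org/ns/1.0"><p><![CDATA[The gradient-inversion principle of Section III-A and the augmentation defense of Section III-B, as an added runnable toy example that is not part of the paper or the authors' code. It assumes one malicious ReLU layer placed right after the input, a squared-activation loss chosen only so that per-sample coefficients differ, constructed 3x3 "images", and attacked neurons that fire on the mean pixel value (the scalar quantity the paper attributes to RTF); all names and values are constructed.

```python
# Added toy demonstration (not the paper's code): one malicious ReLU layer
# placed right after the input, gradient inversion by Equation (6), batched
# gradients as a linear combination, and OASIS major-rotation augmentation.
from typing import Dict, List, Tuple

Vec = List[float]


def layer_grads(batch: List[Vec], W: List[Vec], b: Vec) -> Tuple[List[Vec], Vec]:
    """Gradients of the malicious layer summed over the batch.

    Pre-activation z_i = W_i . x + b_i, activation a_i = relu(z_i). The loss is
    L = 0.5 * sum_i a_i^2 (an illustrative choice), so dL/da_i = a_i and
      dL/dW_i = sum_j a_ij * x_j,   dL/db_i = sum_j a_ij,
    with a_ij = 0 whenever sample j does not activate neuron i.
    """
    n, d = len(W), len(W[0])
    gW = [[0.0] * d for _ in range(n)]
    gb = [0.0] * n
    for x in batch:
        for i in range(n):
            z = sum(W[i][k] * x[k] for k in range(d)) + b[i]
            a = max(z, 0.0)  # ReLU: inactive neurons contribute nothing
            gb[i] += a
            for k in range(d):
                gW[i][k] += a * x[k]
    return gW, gb


def invert(gW: List[Vec], gb: Vec, i: int) -> Vec:
    """Equation (6): divide the weight gradient of neuron i by its bias gradient.

    For one activating sample this returns that sample exactly; for a batch it
    returns sum_j a_ij x_j / sum_j a_ij, a linear combination of the samples
    that activated neuron i, weighted by their loss contribution.
    """
    if gb[i] == 0.0:
        raise ValueError("neuron %d was not activated by any sample" % i)
    return [g / gb[i] for g in gW[i]]


def rotate90(img: Vec, side: int) -> Vec:
    """Rotate a flattened side x side image by 90 degrees clockwise."""
    out = [0.0] * (side * side)
    for r in range(side):
        for c in range(side):
            out[c * side + (side - 1 - r)] = img[r * side + c]
    return out


def oasis_major_rotation(batch: List[Vec], side: int) -> List[Vec]:
    """Equation (7) with X'_t = the 90, 180 and 270 degree rotations of x_t."""
    out: List[Vec] = []
    for x in batch:
        r90 = rotate90(x, side)
        r180 = rotate90(r90, side)
        out += [x, r90, r180, rotate90(r180, side)]
    return out


def mean_pixel_layer(thresholds: Vec, d: int) -> Tuple[List[Vec], Vec]:
    """Malicious layer whose neuron i fires iff mean(x) exceeds thresholds[i].

    Rotation leaves the mean unchanged, so x_t and its rotations always fire
    the same neurons, which is exactly the condition of Proposition 1.
    """
    W = [[1.0 / d] * d for _ in thresholds]
    b = [-t for t in thresholds]
    return W, b


def approx_equal(u: Vec, v: Vec, tol: float = 1e-9) -> bool:
    return len(u) == len(v) and all(abs(p - q) < tol for p, q in zip(u, v))


# Constructed 3x3 inputs: X_T has mean 0.1, X_U has mean 0.5.
SIDE = 3
X_T = [0.9, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0]
X_U = [0.8, 0.6, 0.4, 0.2, 0.5, 0.7, 0.1, 0.3, 0.9]


def run_demo() -> Dict[str, Vec]:
    """Neuron 0 fires for both inputs (threshold 0.05); neuron 1 only for X_U."""
    W, b = mean_pixel_layer([0.05, 0.3], SIDE * SIDE)
    gW, gb = layer_grads([X_T], W, b)                       # single input
    gW2, gb2 = layer_grads([X_T, X_U], W, b)                # plain batch
    gW3, gb3 = layer_grads(oasis_major_rotation([X_T, X_U], SIDE), W, b)
    return {
        "single": invert(gW, gb, 0),         # exact copy of X_T
        "batch_blend": invert(gW2, gb2, 0),  # 0.1*X_T + 0.9*X_U
        "batch_leak": invert(gW2, gb2, 1),   # X_U exactly: sole activation
        "oasis": invert(gW3, gb3, 1),        # average of X_U and its rotations
    }


if __name__ == "__main__":
    for name, img in run_demo().items():
        print(name, [round(v, 3) for v in img])
```

On these inputs neuron 1 fires for X_U alone, so plain batching still leaks X_U exactly, while the OASIS batch returns the average of X_U and its three rotations, a 4-fold rotationally symmetric overlap from which the original cannot be read off.]]></p></div>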
<div xmlns="http://www.tei-c.org/ns/1.0"><head>IV. EXPERIMENTAL ANALYSIS</head><p>This section evaluates the performance of our defense with various experiments to shed light on how OASIS can offset state-of-the-art active reconstruction attacks while still maintaining the model training performance.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head>A. Experimental Settings</head><p>We conduct two state-of-the-art active reconstruction attacks, namely Robbing the Fed (RTF) <ref type="bibr">[18]</ref> and Curious Abandon Honesty (CAH) <ref type="bibr">[17]</ref>, against our OASIS defense on two datasets, ImageNet <ref type="bibr">[31]</ref> and CIFAR100 <ref type="bibr">[32]</ref>. For these attacks, we adopt the implementation from <ref type="url">https://github.com/JonasGeiping/breaching</ref>. To capture how OASIS mitigates the success rate of the attacks, similar to previous work <ref type="bibr">[18]</ref>, <ref type="bibr">[30]</ref>, we use the Peak Signal-to-Noise Ratio (PSNR) value to measure the quality of a reconstructed image with respect to the original image. Higher PSNR values indicate better reconstruction quality, thus higher attack success rates. Figure <ref type="figure">2</ref> illustrates a visual representation of PSNR values. Our goal is to minimize the PSNR values of reconstructed images. Furthermore, we visually compare the reconstructed images when using OASIS against their respective original images to demonstrate how OASIS protects the content of the dataset. Finally, we measure model performance for each augmentation method on each dataset. OASIS is expected to impose a negligible trade-off on the performance of training models.</p><p>For a fair evaluation, the attacks are first configured to have the highest success rate. As discussed in the threat model in Section III-A, the malicious layer is appended right after the input layer. Furthermore, the attack performance depends on the number of attacked neurons n and the batch size B. Generally, it is straightforward to see that the reconstruction attacks perform worse with larger batch sizes. We experiment with two batch sizes: B = 8 for evaluating against strong attacks, and B = 64 for a more realistic training configuration. 
We conduct preliminary experiments to find the hyperparameters that result in the strongest attacks. Specifically, we test the attacks with various batch sizes and numbers of attacked neurons, and report the average PSNR value over the images reconstructed by RTF and CAH in Figures <ref type="figure">3</ref> and<ref type="figure">4</ref>, respectively. As previously stated, the reconstruction attacks perform worse with larger batch sizes, and that behavior is illustrated in Figures <ref type="figure">3</ref> and<ref type="figure">4</ref>. For each batch size, we choose the number of attacked neurons n that yields the highest average PSNR.</p><p>As can be seen in Figure <ref type="figure">3</ref>, the RTF attack's optimal settings for ImageNet with a batch of 8 occur with 900 attacked neurons yielding an average PSNR value of 127.9 dB. The optimal settings for a batch of 64 occur with 800 attacked neurons yielding an average PSNR value of 91.63 dB. For CIFAR100, we see the optimal settings for a batch of 8 and 64 are 500 and 600 attacked neurons yielding average PSNR values of 147.72 dB and 121.72 dB, respectively.</p><p>We test for the optimal settings of the CAH attack in a similar manner in Figure <ref type="figure">4</ref>. For ImageNet, a batch of 8 with 100 attacked neurons produces an average PSNR value of 147.93 dB and a batch of 64 with 700 attacked neurons produces an average PSNR value of 97.38 dB. CIFAR100 was treated the same as before. A batch of 8 along with 300 attacked neurons results in an average PSNR value of 70.54 dB while a batch of 64 with 600 attacked neurons yields an average PSNR value of 40.02 dB. OASIS Implementation. As for constructing D &#8242; in Equation <ref type="formula">7</ref>, we test with various methods of image augmentation, including rotation, shearing, and flipping, and observe how each of them impacts the performance of OASIS. We describe how the transformations are implemented as follows. 
In the case of major rotation, every image in D was rotated three different times at angles of 90&#176;, 180&#176;, and 270&#176;, following Equation 2, to generate three transformed images for D &#8242; . For minor rotation, we rotate each image three different times at angles of 30&#176;, 45&#176;, and 60&#176;.</p><p>For flipping, we conduct both horizontal and vertical flipping using Equations 3 and 4, respectively. In regard to shearing, we follow Equation 5 and shear every image in D with three different shear factors of 0.55, 1.0, and 0.9 to generate three transformed images for D &#8242; . Each transformation is implemented with the official PyTorch Vision library<ref type="foot">foot_0</ref> and the Kornia library<ref type="foot">foot_1</ref>.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head>B. OASIS Defensive Performance</head><p>Figure <ref type="figure">5</ref> depicts the effectiveness of our defense in regard to reducing the reconstruction quality of the RTF attack. Five transformations are used in this experiment, and it can be seen from Figure <ref type="figure">5</ref> that each of them substantially reduces the PSNR values of the reconstructed images across all testing scenarios. Specifically, without OASIS, most of the images reconstructed by the RTF attack have PSNR ranging from 130 dB to 145 dB at batch size 8, indicating perfect reconstruction. Major rotation is the most robust transformation: by adding rotations at major angles to each image in D, the resulting reconstruction by RTF only yields PSNR from 15 dB to 20 dB. Thus, the content of each image in D remains hidden.</p><p>To understand how the major rotation can invalidate the RTF attack, we note that the activation of attacked neurons in RTF depends on a scalar quantity of the input, such as the average of pixel values <ref type="bibr">[18]</ref>. Major rotation imposes minimal change to this quantity (it does not change the average of pixel values). Hence, using this transformation for building X &#8242; t ensures that x t and X &#8242; t activate the same set of neurons, for all x t &#8712; D. Furthermore, as we shall see in Section IV-C, a linear combination of an image and its rotations yields an unrecognizable image. We also note that flipping does not change the average of pixel values either; however, this transformation does not necessarily result in unrecognizable reconstruction (as shown later in Section IV-C), thus its PSNR is slightly higher than that of major rotation.</p><p>Figure <ref type="figure">6</ref> illustrates the performance of OASIS against the CAH attack. 
With batch size 64, we observe a similar result as the previous experiment against RTF in which the major rotation keeps the PSNR of reconstructed images low. However, for batch size 8, the major rotation fails to prevent many images from being perfectly reconstructed. The same behavior is exhibited through shearing. The core issue here is that these transformations alone are not enough to prevent several x t &#8712; D from being the sole activation of certain attacked neurons in CAH, thus the content of those x t is revealed through reconstruction.</p><p>To tackle this issue, we attempt to integrate multiple transformations to increase the likelihood that x t and some images in X &#8242; t activate the same set of neurons in the malicious layer. In other words, the set X &#8242; t is constructed by more than one transformation. As shown in Figure <ref type="figure">6</ref>, we experiment with integrating the two most robust transformations: major rotation and shearing. This integration is able to render the reconstruction by CAH unrecognizable with low PSNR. Specifically, with ImageNet (Figure <ref type="figure">6a</ref>), it significantly decreases the PSNR of reconstructed images from above 125 dB to below 25 dB. The same effect is also exhibited with CIFAR100 (Figure <ref type="figure">6b</ref>).</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head>C. Visual Reconstructions</head><p>We visually demonstrate the resulting reconstruction from the attacks. The goal is to show that, with our OASIS defense, the attacks indeed reconstruct a linear combination of an image and its transformations, effectively confirming the claims in Section III-B. Moreover, it shows that the linear combination renders the reconstructed image unrecognizable, protecting the content of the input images.</p><p>Rotation. Figures <ref type="figure">7</ref> and <ref type="figure">8</ref> illustrate the reconstruction from the RTF attack with major rotation and minor rotation being used as augmentations from OASIS, respectively. We can see that the reconstructed images are an overlap of the original images and their respective rotations. As previously discussed in Figure <ref type="figure">5</ref>, major rotation is the most effective transformation with the lowest PSNR for reconstruction, and we can see in Figure <ref type="figure">7</ref> that the reconstructed images are unrecognizable. Although the reconstruction with minor rotation has higher PSNR, Figure <ref type="figure">8</ref> shows that it is still challenging to discern the original images from the reconstructed ones.</p><p>Shearing. Figure <ref type="figure">9</ref> presents the reconstruction from the RTF attack with shearing being used as augmentation for OASIS. We can see that the original image and its sheared version overlap one another in the reconstruction, thereby hindering the attacker from making out the original. This also explains the low PSNR of shearing in Figure <ref type="figure">5</ref>.</p><p>Flipping. Figures <ref type="figure">10</ref> and <ref type="figure">11</ref> illustrate the reconstruction from the RTF attack with horizontal flipping and vertical flipping being used as augmentation for OASIS, respectively. We can see that they did not defend as well against the attack compared to rotation and shearing. 
A linear combination of an original image and its horizontally or vertically flipped version only generates a reflection of the original, so the original image is still revealed in the reconstruction. Figures <ref type="figure">10</ref> and <ref type="figure">11</ref> show that some images are reflected in the reconstruction. This means that flipping, when used alone, is not the best-suited transformation to defend against this class of attacks. However, using flipping in combination with a strong transformation such as rotation or shearing may yield better results. Integrating Major Rotation and Shearing. As previously discussed in Figure <ref type="figure">6</ref>, an integration of multiple transformations is needed to counter the CAH attack. Figure <ref type="figure">12</ref> illustrates the reconstruction from CAH when both major rotation and shearing are used in OASIS. It can be seen that all the reconstructed images are unrecognizable and it is impossible to identify any original image from them. This behavior is consistent with the results in Figure <ref type="figure">6</ref>.</p><p>In summary, major rotation and an integration of major rotation and shearing result in the strongest defense against the RTF and CAH attacks, respectively. Additionally, OASIS has been shown to be scalable, as it maintains a low PSNR on reconstructed images for both small and large batch sizes. We further note that it is not trivial to extract the original image from such an overlap of multiple transformed images without any prior knowledge about certain characteristics of the original image. Although the server might know that certain augmentations are being used as a defense, it does not know the specific parameters of the transformations (e.g., shearing intensity). 
Previous research has shown that, even for a mildly blurred image, it is very challenging in practice to reconstruct the original image without knowing the blurring kernel and padding <ref type="bibr">[33]</ref>, while our defense uses far more complicated and multiple transformations.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head>D. Gradient Inversion Attack on Linear Models.</head><p>In addition to the RTF <ref type="bibr">[18]</ref> and CAH <ref type="bibr">[17]</ref> attacks, we evaluate our OASIS defense against a reconstruction attack on linear models that was discussed in <ref type="bibr">[18]</ref>, <ref type="bibr">[30]</ref>. The attack assumes a very restrictive setting where the model is a single layer trained with a logistic regression loss function. Furthermore, the images in each training batch D are assumed to have unique labels. As users upload their local model updates, the server simply inverts the gradient of each neuron to reconstruct the training images.</p><p>Figure <ref type="figure">13</ref> illustrates the effectiveness of our OASIS defense in reducing the reconstruction quality of this attack. Since this is a single-layer model, adding transformed images to the training batch guarantees that x t and X &#8242; t activate the same neuron, for all x t &#8712; D. Hence, each reconstructed image will be a linear combination of x t and X &#8242; t . Moreover, such a linear combination hides the content of the original image (as discussed in Section IV). Therefore, Figure <ref type="figure">13</ref> shows that all five transformations yield reconstructions with low PSNR for both datasets and both batch sizes. We can also see that rotation and shearing have better defensive performance than flipping, corroborating our findings in Section IV.</p></div>
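<div xmlns="http://www.tei-c.org/ns/1.0"><p>The following is an added worked example, not code from the paper or from the OASIS implementation. It simulates the single-layer inversion described above (the gradient of a neuron's weights divided by the gradient of its bias), and shows the three behaviors discussed in Sections IV-C and IV-D: with no defense the neuron activated by a single image returns that image verbatim; with an OASIS-style batch containing x t and its transformations X &#8242; t, the inversion returns only their weighted linear combination, whose PSNR against the original is low; and a left-right symmetric image blended with its own horizontal flip is unchanged, which is why flipping alone can still reveal the original. The 2x2 images, the rotation and flip transforms, and the per-sample upstream gradients are all constructed for the example; pixel values are assumed to lie in [0, 1] for the PSNR peak.</p>

```python
"""Toy gradient inversion against a single-layer model, with and without an
OASIS-style augmented batch.  Added example, not the paper's code: the
2x2 images, the transforms and the per-sample upstream gradients are constructed."""
import math
from typing import Callable, List, Optional, Sequence

Image = List[float]  # flattened H x W greyscale image, pixel values in [0, 1]
Transform = Callable[[Image, int, int], Image]


def rotate90(img: Image, h: int, w: int) -> Image:
    """Rotate an h x w image 90 degrees clockwise (a 'major rotation')."""
    return [img[(h - 1 - c) * w + r] for r in range(w) for c in range(h)]


def hflip(img: Image, h: int, w: int) -> Image:
    """Mirror an h x w image left-to-right."""
    return [img[r * w + (w - 1 - c)] for r in range(h) for c in range(w)]


def neuron_gradients(batch: Sequence[Image], upstream: Sequence[float]):
    """Batch gradient of one linear neuron y = w.x + b.
    upstream[k] is dL/dy for sample k; it is 0 when the neuron is not
    activated by that sample.  dL/dw = sum_k g_k x_k and dL/db = sum_k g_k."""
    d = len(batch[0])
    dw = [sum(g * x[j] for g, x in zip(upstream, batch)) for j in range(d)]
    db = sum(upstream)
    return dw, db


def invert_neuron(dw: Sequence[float], db: float) -> Optional[Image]:
    """The inversion step: dL/dw divided by dL/db.  If exactly one sample
    activated the neuron this is that sample verbatim; otherwise it is the
    g-weighted mean (a linear combination) of all activating samples."""
    if db == 0.0:
        return None  # the neuron received no gradient, nothing to invert
    return [v / db for v in dw]


def mse(a: Image, b: Image) -> float:
    return sum((p - q) ** 2 for p, q in zip(a, b)) / len(a)


def psnr(a: Image, b: Image, peak: float = 1.0) -> float:
    """PSNR in dB for pixel range [0, peak]; infinite for an exact match."""
    err = mse(a, b)
    return math.inf if err == 0.0 else 10.0 * math.log10(peak * peak / err)


def reconstruct(x: Image, h: int, w: int,
                transforms: Sequence[Transform],
                upstream: Sequence[float]) -> Image:
    """Simulate a neuron activated by x and by each transform(x) that OASIS
    added to the batch (same label as x), then invert it.
    upstream has one entry per batch element: [x, t1(x), t2(x), ...]."""
    batch = [x] + [t(x, h, w) for t in transforms]
    dw, db = neuron_gradients(batch, upstream)
    rec = invert_neuron(dw, db)
    assert rec is not None
    return rec


if __name__ == "__main__":
    x = [0.0, 0.25, 0.5, 1.0]  # constructed 2x2 image
    # No defense: the neuron is activated by x alone, so inversion is exact.
    print("no defense    :", reconstruct(x, 2, 2, [], [1.0]))
    # OASIS with a 90-degree rotation: a blend of x and rotate90(x).
    blend = reconstruct(x, 2, 2, [rotate90], [0.5, 0.5])
    print("major rotation:", blend, "PSNR %.2f dB" % psnr(x, blend))
    # Rotation and flip together (cf. integrating several transformations).
    both = reconstruct(x, 2, 2, [rotate90, hflip], [0.4, 0.3, 0.3])
    print("rotation+flip :", both, "PSNR %.2f dB" % psnr(x, both))
    # A left-right symmetric image blended with its own flip is unchanged,
    # which is why flipping alone can still reveal the original.
    sym = [0.2, 0.2, 0.8, 0.8]
    print("flip only     :", reconstruct(sym, 2, 2, [hflip], [0.5, 0.5]))
```

<p>The upstream weights in this toy stand in for the per-sample loss gradients that the server never controls; since the defender also chooses the transformation parameters, the server cannot undo the blend by dividing it out, which is the point made at the end of Section IV-C.</p></div>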
<div xmlns="http://www.tei-c.org/ns/1.0"><head>E. Impact of OASIS on Model Performance</head><p>We measure the effect of using OASIS on the training models, as it alters the input dataset for training. For this experiment, we train ResNet-18 models <ref type="bibr">[34]</ref> <ref type="table">I</ref>.</p><p>For ImageNet <ref type="bibr">[31]</ref>, we extract a subset of 10 classes: tench, English springer, cassette player, chain saw, church, French horn, garbage truck, gas pump, golf ball, and parachute 3 . Then, we evaluate the model performance on classifying those 10 classes. Using our ResNet-18 architecture, we train for 100 epochs with an Adam optimizer at a learning rate of 0.001 and a weight decay of 10^-5.</p><p>With regard to CIFAR100 <ref type="bibr">[32]</ref>, we use its original classification task with 100 classes. Again, using our ResNet-18 architecture, we train for 120 epochs with an Adam optimizer at a learning rate of 0.001 and a weight decay of 10^-2. Across all the transformations, OASIS does not impose any major degradation on the model accuracy. The accuracy is still maintained above 90% on ImageNet, and drops at most 1.5% on CIFAR100. The reason for this is that image augmentation methods were originally developed to improve the generalization and reduce the overfitting of ML models. From this, the claims made in Section IV-A are confirmed.</p></div><div xmlns="http://www.tei-c.org/ns/1.0"><head>V. RELATED WORK</head><p>Data Reconstruction Attacks. Reconstruction attacks have been one of the main topics of interest in ML security and privacy. Over the past decade, various kinds of reconstruction attacks have been proposed, including class-wise representation-based attacks <ref type="bibr">[35]</ref>-<ref type="bibr">[37]</ref> and optimization-based attacks <ref type="bibr">[38]</ref>-<ref type="bibr">[40]</ref>. However, in the context of FL, most of these attacks are not able to exploit the full capability of dishonest servers. 
Recent work <ref type="bibr">[17]</ref>, <ref type="bibr">[18]</ref> devises a new class of active reconstruction attacks that has been shown to significantly outperform prior attacks by having the dishonest server manipulate the global model parameters to its advantage. For that reason, this new class of attack remains a critical and practical threat to FL. Our work focuses on devising a general defense that effectively protects user data against these attacks. By analyzing the underlying principle of gradient inversion, our defense OASIS is designed to minimize reconstruction quality. Current Defenses. Presently, there is no existing defense that can counter active reconstruction attacks by dishonest servers. In general, previous defenses assume a threat model with an honest-but-curious server, which is substantially weaker than our threat model with an actively dishonest server. Several defense mechanisms have been proposed to tackle data reconstruction attacks in general, but they remain ineffective in countering the versions presented in this paper. Through gradient compression and sparsification methods, the work in <ref type="bibr">[37]</ref>, <ref type="bibr">[38]</ref> prunes gradients with negligible magnitudes to zero. Nonetheless, even in a case where the majority of the gradients are pruned, the extracted data is still recognizable <ref type="bibr">[17]</ref>.</p><p>Gao et al. <ref type="bibr">[41]</ref> leverage image augmentation in their proposed defense, but it can only tackle optimization-based attacks. In particular, the defense replaces each image in the dataset with a transformed image so that the objective function of the attacks becomes more difficult to solve. However, it fails to counter the active reconstruction attacks since their principle (Section III-A) still applies: if an attacked neuron is activated only by one transformed image, that image would be reconstructed. 
To support this claim, we conduct an experiment in which we launch the RTF attack <ref type="bibr">[18]</ref> against this defense and illustrate the resulting reconstruction in Figure <ref type="figure">14</ref> (we adopt the implementation of <ref type="bibr">[41]</ref> from <ref type="url">https://github.com/gaow0007/ATSPrivacy</ref>). As can be seen, the reconstruction reveals the content of the original input images. Therefore, defenses against optimization-based reconstruction attacks are not robust against these active reconstruction attacks if they do not address the attack principle of gradient inversion.</p><p>In <ref type="bibr">[17]</ref>, <ref type="bibr">[18]</ref>, the authors evaluate the use of DP as a defense, and show that it imposes a major degradation on the model accuracy while the reconstructed images remain recognizable. Our OASIS defense is proven to effectively counter this new class of attacks, as it tackles the core attack principle. Moreover, OASIS imposes minimal impact on model performance.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head>VI. CONCLUSION</head><p>In this paper, we have revealed the key principle behind active reconstruction attacks in Federated Learning (FL) and have theoretically shown how to tackle this class of attacks. Building on machine learning foundations in data preprocessing, we have proposed OASIS, a novel method that augments images in such a way that an actively dishonest server cannot memorize an individual image through the gradient parameters, but only a linear combination of an image and its augmented counterparts. In doing so, we offset the active reconstruction attacks, rendering reconstructions unrecognizable. To address FL's promise of maintaining model performance, we also demonstrate that the expansion of a labeled dataset through augmentation preserves and, in some cases, improves model performance. From our evaluation, OASIS stands as a general, viable, and scalable solution to truly promote and reinforce the guarantees of FL. Although the use of image augmentation confines OASIS to the image domain, we note that the attack principle we uncover in Section III-A is not limited to any particular data type. Future work will focus on finding alternative methods besides image augmentation to implement an effective defense for tabular and textual data.</p></div><note xmlns="http://www.tei-c.org/ns/1.0" place="foot" n="1" xml:id="foot_0"><p>https://github.com/pytorch/vision.git</p></note>
			<note xmlns="http://www.tei-c.org/ns/1.0" place="foot" n="2" xml:id="foot_1"><p>https://github.com/kornia/kornia.git</p></note>
		</body>
		</text>
</TEI>
