Reveal Your Images: Gradient Leakage Attack Against Unbiased Sampling-Based Secure Aggregation
Yilong Yang, Zhuo Ma, Bin Xiao, Yang Liu, Teng Li, Junwei Zhang
Abstract
Recently, some Unbiased Gradient Sampling-based (UGS) methods have been proposed to enhance the security and efficiency of federated learning through crafted unbiased random transformation and sampling, such as MinMax Sampling in SIGMOD ’22. In this paper, we propose a novel attack, GLAUS, to show that UGS is not as secure as claimed in these works and is still vulnerable to the gradient leakage attack (GLA). Specifically, we demonstrate an idea to approximately infer the gradient for GLA in the context of the UGS scenario where the real gradient is not available. Once the gradient is approximately obtained, the security of the UGS frameworks is downgraded to that of the original federated learning. The approximate gradient is refined by the following steps: 1) <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">narrow the gradient searching range</i> to the finite set; 2) <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">obtain the magnitude</i> of each gradient value approximately; 3) <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">revise the gradient signs</i> . Versus the failure of existing attacks, extensive experiments on six datasets show that our attack is effective in reconstructing private datapoints with pixel-wise accuracy on four network sizes and three image resolutions. Finally, we show how to defend against GLAUS while maintaining the high efficiency of UGS and only introducing an additional step to hide the sampled gradient indices.