Batch data recovery from gradients based on generative adversarial networks

  • Original Article
  • Neural Computing and Applications

Abstract

In the federated learning scenario, private data are kept local, and gradients are shared to train the global model. Because gradients are updated according to the private training data, the features of the data are encoded into the gradients. Prior work proved that the private training data can be reconstructed from gradients. However, only a small batch of images can be recovered, and the reconstruction quality, especially for large batches of images, is unsatisfactory. To improve the reconstruction quality for a large batch of images, a generative gradient inversion attack based on a regulation term, called fDLG, is designed. First, a regulation term that avoids drastic variations within image regions is proposed, based on the observation that changes between image pixels are gradual. The proposed regulation term encourages the synthesized dummy image to be piece-wise smooth. Second, generative adversarial networks are trained to improve the quality of the attack, with the global model used as a discriminator. Simulation shows that large batches of images (128 images on CIFAR100, 256 images on MNIST) can be faithfully reconstructed at high resolution, and even large images from ImageNet can be reconstructed.

Data availability

The datasets generated during and/or analyzed during the current study are available from the corresponding author on reasonable request.

Funding

This work is sponsored by the National Key R&D Program of China (2022YFB3103100). This work is sponsored by the R&D Program of Beijing Municipal Education Commission (KM202210005028). This work is also supported by National Natural Science Foundation of China (62302020) and the Major Research Plan of National Natural Science Foundation of China (92167102). This work is also supported by the Importation and Development of High-Caliber Talents Project of Beijing Municipal Institutions (CIT&TCD20190308) and the “Engineering Research Center of Intelligent Perception and Autonomous Control, Ministry of Education.”

Author information

Corresponding author

Correspondence to Yuwen Chen.

Ethics declarations

Conflict of interest

The authors have no conflicts of interest to declare that are relevant to the content of this article.

Human and animal rights statement

This article does not contain any studies with human participants or animals performed by any of the authors.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

About this article

Cite this article

Huang, Y., Chen, Y., Martínez-Ortega, JF. et al. Batch data recovery from gradients based on generative adversarial networks. Neural Comput & Applic (2024). https://doi.org/10.1007/s00521-024-09870-0

  • DOI: https://doi.org/10.1007/s00521-024-09870-0
