A Theoretical and Empirical Analysis on Reconstruction Attacks and Defenses

• Lack of related works.

  • Notable recent model inversion attacks [1-5], especially those focusing on model/weight modifications, are absent.
  • The literature review also misses out on discussing recent defenses [6-9].

• Unconvincing results.

  • Experiments are limited on CIFAR10 using ResNet18, and the maximum batch size explored is 32. This limited scope is concerning as many robust attack methods have proven efficacy in more challenging settings. Even the two methods considered in this paper for comparison have been demonstrated to work on the more complex ImageNet dataset, utilizing larger networks and batch size exceeding 128.
  • Only two optimization-based attack methods are considered for comparison. A broader comparative study, especially with the latest attack strategies [1-5] like those that modify model architectures, would have added more depth and credibility to the findings.
  • The research could have been enriched by considering and evaluating the effectiveness against recent defenses [6-9] designed to combat model inversion attacks.

[1] Franziska Boenisch, Adam Dziedzic, Roei Schuster, Ali Shahin Shamsabadi, Ilia Shumailov, and Nicolas Papernot. When the curious abandon honesty: Federated learning is not private. arXiv, 2021.

[2] Liam H. Fowl, Jonas Geiping, Wojciech Czaja, Micah Goldblum, and Tom Goldstein. Robbing the fed: Directly obtaining private data in federated learning with modified models. ICLR, 2022.

[3] Mislav Balunovic, Dimitar Iliev Dimitrov, Robin Staab, and Martin T. Vechev. Bayesian framework for gradient leakage. ICLR, 2022.

[4] Dario Pasquini, Danilo Francati, and Giuseppe Ateniese. Eluding secure aggregation in federated learning via model inconsistency. CCS, 2022.

[5] Yuxin Wen, Jonas Geiping, Liam Fowl, Micah Goldblum, and Tom Goldstein. Fishing for user data in large-batch federated learning via gradient magnification. ICML, 2022.

[6] Sun, Jingwei, et al. "Soteria: Provable defense against privacy leakage in federated learning from representation perspective." CVPR, 2021.

[7] Gao, Wei, et al. "Privacy-preserving collaborative learning with automatic transformation search." CVPR, 2021.

[8] Scheliga, Daniel, Patrick Mäder, and Marco Seeland. "Precode-a generic model extension to prevent deep gradient leakage." WACV, 2022.

[9] Huang, Yangsibo, et al. "Instahide: Instance-hiding schemes for private distributed learning." International conference on machine learning. PMLR, 2020.

1. The new reconstruction method proposed in this paper is Eq.(2). However, compared with the method in [r1], the only difference of Eq.(2) is that it introduces a new regularization term $\mathcal R_{\mathrm{feature}}(\hat x)$ without explaining why this regularization term can improve the performance of data reconstruction. So I think the novelty of the proposed method is limited.

2. Eq.(5) in Theorem 3.2 is very strange. Specifically, to calculate Eq.(5), one needs to reconstruct a $\hat x_i$ for any given ground truth $x_i$. However, to the best of my knowledge, in data reconstruction attacks it is usually not able to "reconstruct a specific training data" but can only "reconstruct a random data point from the training dataset", unless with some special assumptions. Unfortunately, I do not see such special assumptions in Theorem 3.2. Please comment.

3. One of the main contributions of this paper is the data reconstruction upper-bound proposed in Theorem 3.2. However, similar data reconstruction upper bounds have already been proposed in [r2], an ICML paper in 2022. Compared with Theorem 3.2 in this paper, the results in [r2] seem better in various aspects: (1) the bound in [r2] does not depend on model architectures, while Theorem 3.2 only applies to one-hidden-layer neural networks; and (2) the bound in [r2] does not depend on specific reconstruction algorithms, while Theorem 3.2 only applies to gradient-based reconstruction attacks. So I think the authors need to explain the advantages of Theorem 3.2 compared with [r2].

4. In Section 3.3, before presenting Theorem 3.2, the authors wrote that "We adopt the tensor-based reconstruction method proposed by (Wang et al., 2023)". Does this mean that Theorem 3.2 only applies to such a "tensor-based reconstruction method" but not the new reconstruction method proposed by the authors? If yes, then I think the contribution of this paper will be further shrunk since the proposed new attack (or say empirical results) has no relevance to the theoretical results of this paper.

5. In Section 4.5, the authors explain why gradient pruning is suitable for defending against reconstruction attacks. However, such an explanation is too casual since it is full of intuitive arguments. I think the authors should at least show how gradient pruning could increase the reconstruction upper bound in Theorem 3.2 to justify their claim.

References:

[r1] Geiping et al. "Inverting Gradients - How easy is it to break privacy in federated learning?" NeurIPS 2020.

[r2] Guo et al. "Bounding Training Data Reconstruction in Private (Deep) Learning." ICML 2022.

1. The methodologies employed in this paper are not technically novel. Tensor-based reconstruction methods were previously proposed in [1], and the effectiveness of optimizing generator parameters (in this study, U-Net parameters) instead of the original image space was demonstrated in previous gradient leakage research [2].

2. The paper dedicates a significant portion to error bounds analysis, primarily focusing on reconstructing input for a two-layer MLP, which addresses the feature reconstruction aspect. However, the experiments are conducted using a ResNet-18 network, which is substantially more complex than a two-layer MLP. This raises doubts about the relevance of these error bounds in the context of deeper and more intricate neural networks, which may easily violate the assumptions (e.g., 1-Lipschitzness). Additionally, the defense methods are applied to gradients across the entire network, not exclusively to the final linear layers. As a result, error bounds analysis specific to defenses for only the final fully-connected layers may not provide meaningful insights.

3. The experimental setup does not convincingly demonstrate the effectiveness of this work. (2.1) Authors only report their attack results on a limited subset of 50 CIFAR-10 images, without disclosing the criteria used for selecting these 50 images, which could introduce bias. (2.2) To facilitate feature reconstruction, the authors introduce an additional linear layer into the ResNet-18 architecture, which may appear artificial. In practical scenarios, federated learning participants might question the adoption of such an unusual architectural modification due to its dubious nature.

4. Conflict information: In Appendix D, the second paragraph states that the victim network is a ResNet-18 trained for only one epoch; however, in the third paragraph, it is mentioned that the ResNet-18 was trained for 200 epochs.

========================================================================== [1] Wang, Zihan, Jason Lee, and Qi Lei. "Reconstructing Training Data from Model Gradient, Provably." International Conference on Artificial Intelligence and Statistics. PMLR, 2023. [2] Jeon, Jinwoo, Kangwook Lee, Sewoong Oh, and Jungseul Ok. "Gradient inversion with generative image prior." Advances in neural information processing systems 34 (2021): 29898-29908.