Published July 21, 2024 | Version v1
Conference paper
Privacy Attacks in Decentralized Learning
Contributors
Others:
- Ecole Polytechnique Fédérale de Lausanne (EPFL)
- Machine Learning in Information Networks (MAGNET) ; Centre Inria de l'Université de Lille ; Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)-Centre de Recherche en Informatique, Signal et Automatique de Lille - UMR 9189 (CRIStAL) ; Centrale Lille-Université de Lille-Centre National de la Recherche Scientifique (CNRS)-Centrale Lille-Université de Lille-Centre National de la Recherche Scientifique (CNRS)
- Université de Lille
- Médecine de précision par intégration de données et inférence causale (PREMEDICAL) ; Centre Inria d'Université Côte d'Azur (CRISAM) ; Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)-Institut Desbrest d'Epidémiologie et de Santé Publique (IDESP) ; Institut National de la Santé et de la Recherche Médicale (INSERM)-Université de Montpellier (UM)-Institut National de la Santé et de la Recherche Médicale (INSERM)-Université de Montpellier (UM)
- Université de Montpellier (UM)
- Inria-FedMalin
- ANR-20-CE23-0015,PRIDE,Apprentissage automatique décentralisé et préservant la vie privée(2020)
- ANR-20-THIA-0014,AI_PhD@Lille,Programme de formation doctorale en IA à Lille(2020)
- ANR-22-PECY-0002,iPoP,interdisciplinary Project on Privacy(2022)
Description
Decentralized Gradient Descent (D-GD) allows a set of users to perform collaborative learning without sharing their data by iteratively averaging local model updates with their neighbors in a network graph. The absence of direct communication between non-neighbor nodes might lead to the belief that users cannot infer precise information about the data of others. In this work, we demonstrate the opposite, by proposing the first attack against D-GD that enables a user (or set of users) to reconstruct the private data of other users outside their immediate neighborhood. Our approach is based on a reconstruction attack against the gossip averaging protocol, which we then extend to handle the additional challenges raised by D-GD. We validate the effectiveness of our attack on real graphs and datasets, showing that the number of users compromised by a single or a handful of attackers is often surprisingly large. We empirically investigate some of the factors that affect the performance of the attack, namely the graph topology, the number of attackers, and their position in the graph.
Abstract
International audience
Additional details
Identifiers
- URL: https://hal.science/hal-04610652
- URN: urn:oai:HAL:hal-04610652v1
Origin repository
- Origin repository: UNICA