An Information-Theoretical and Empirical Study: Re-Evaluating Privacy in Federated Learning
An Information-Theoretical and Empirical Study: Re-Evaluating Privacy in Federated Learning
Embedded Files
Changlong Ji
Supervisors: Assi. Prof. Qiongxiu Li (Aalborg), Prof. Richard Heusdens (Delft)
Presentation: Slides
Arxiv (accepted by ICASSP 2025)
Our Findings
Our Findings
DFL Offers Stronger Privacy: Decentralized Federated Learning generally provides better privacy protection than Centralized Federated Learning, especially when there's no fully trusted server.
Mutual Information as a Measure: Using mutual information provides a rigorous way to quantify privacy leakage in federated learning.
Empirical Validation: Our experimental results support the theoretical analysis, showing reduced information leakage in DFL.
Critical Factors: Network topology, secure aggregation, and the choice of attack models significantly impact privacy assessments and should be carefully considered.
Research Problem
Decentralized Federated Learning (DFL) is believed to enhance privacy by decentralizing control of sensitive data compared to Centralized Federated Learning (CFL). However, recent studies suggest that DFL may not inherently improve privacy under certain conditions. We aim to investigate this issue through rigorous information-theoretical analysis and empirical experiments.
Our Method
We conducted an information-theoretical analysis using mutual information to quantify privacy leakage in Federated Learning (FL). We evaluated the effectiveness of Secure Aggregation (SA) in both CFL and DFL settings. Our empirical study involved:
Mutual Information Simulation: Using Monte Carlo simulations with Gaussian variables N(0,1), we computed mutual information for different FL protocols.
Attack Experiments: We performed gradient inversion attacks and membership inference attacks (MIAs) on four FL protocols: CFL without SA, CFL with SA, DFL without SA, DFL with SA
Our Results
Figure 1_Mutual Information Simulation Results: Information leakage in DFL is bounded between CFL without SA (upper bound) and CFL with SA (lower bound).
Impact of Network Density: In DFL with SA, information leakage decreases as the network becomes denser, approaching the lower bound when fully connected. In DFL without SA, information leakage increases with network density.
Figure 2_Gradient Inversion Attack Results: Reconstructed image quality deteriorates from top to bottom across protocols, indicating increased privacy protection.
Privacy Risks: CFL without SA shows the highest reconstruction quality, posing the greatest privacy risk. CFL with SA offers the strongest privacy protection with the lowest reconstruction quality. DFL protocols provide intermediate privacy protection.
Figure 3_Impact of Graph Density on Privacy: In DFL without SA, privacy risk increases with network density, approaching CFL without SA in fully connected networks. In DFL with SA, privacy protection improves with increasing network density, approaching CFL with SA when fully connected.
Figure 4_Membership Inference Attack Results: Different MIAs produced inconsistent results, highlighting that the choice of attack method significantly influences privacy risk assessment. Careful selection of attack strategies is crucial when evaluating privacy in FL systems.
If you're interested in our research projects, we'd be happy to discuss them with you!
If you're interested in our research projects, we'd be happy to discuss them with you!
Page updated
Google Sites
Report abuse