Layer-wise Characterization of Latent Information Leakage in Federated Learning
This work addresses privacy risks in federated learning for users by providing a formal quantification method, though it is incremental as it builds on prior attack demonstrations.
The paper tackles the problem of quantifying private information leakage from gradients in federated learning, proposing two metrics based on empirical V-information and Jacobian sensitivity analysis to localize leakage layer-wise, and evaluates them on three real-world datasets with benchmark models.
Training deep neural networks via federated learning allows clients to share, instead of the original data, only the model trained on their data. Prior work has demonstrated that in practice a client's private information, unrelated to the main learning task, can be discovered from the model's gradients, which compromises the promised privacy protection. However, there is still no formal approach for quantifying the leakage of private information via the shared updated model or gradients. In this work, we analyze property inference attacks and define two metrics based on (i) an adaptation of the empirical $\mathcal{V}$-information, and (ii) a sensitivity analysis using Jacobian matrices allowing us to measure changes in the gradients with respect to latent information. We show the applicability of our proposed metrics in localizing private latent information in a layer-wise manner and in two settings where (i) we have or (ii) we do not have knowledge of the attackers' capabilities. We evaluate the proposed metrics for quantifying information leakage on three real-world datasets using three benchmark models.