부산대학교 도서관

Federated learning (FL) is a distributed learning framework that can reduce privacy risks by not directly sharing private data. However, recent works have shown that the adversary can launch data reconstruction attacks utilizing the gradients or model updates shared by clients. Existing defenses either fail to provide sufficient privacy guarantee or incur significant drop in model accuracy. To achieve a good privacy-utility tradeoff, we propose a novel block-wise pruning method. It mitigates the privacy leakage by locating and quantifying the privacy risk of a model at a finer-grained level. Specifically, we define the sensitivity metric to calculate the gradient sensitivity w.r.t the input to quantify privacy leakage risk of each block. Then we divide the entire model into same-sized blocks and sort them based on the sensitivity metrics. We select part of the blocks with least sensitivity values as the pruned model to be communicated during the client-server interaction. To evaluate the effectiveness and efficiency of our defense, we conduct experiments on MNIST and CIFAR10 for defending against the DLG attack and GS attack. Results demonstrate that our proposed method can significantly mitigate gradient leakage against both DLG attack and GS attack with as much as 20× mean squared errors between the reconstructed data and the raw data with only modest accuracy drop, compared with baseline defenses. Meanwhile, the communication cost between the server and clients is also reduced.