Koukyosyumei / RPDPKDFL

Code for Reconstruct Private Data via Public Knowledge in Distillation-based Federated Learning

Reviews 2 #2

Open Koukyosyumei opened 2 years ago

Koukyosyumei commented 2 years ago

reviews

Koukyosyumei commented 2 years ago

Reviewer Yydy

Summary:

The paper studies the private data reconstruction problem under the distillation-based federated learning setting. The paper introduces a new attack that features feasibility and distinctiveness. Their empirical results demonstrate that "exposing logits only" still reveals private information.

Strengths And Weaknesses: ~I like the intuition of using confidence gaps (obtained through logits only) to approximate the original private model, but there should be more details about the inversion model G. My understanding is that G takes both the public data and the predictions of the global model and the local model on the public data. By minimizing equation 10, G can approximate the original private model and could be further used for data reconstruction through model inversion. Could the authors provide more explanation here?~

The related work section is not well organized. The authors should carefully place their work in the literature. For example, ~why is `federated learning with knowledge distillation' an important federated learning setting to consider?~ ~The authors may briefly discuss other solutions to prevent information leakage in federated learning.~ ~Moreover, the connection between the model inversion attack variants (2.2.1 - 2.2.3) should be discussed.~

~The problem setting is not clear to me. I suggest the authors include a detailed preliminary in the next version. For example, the distribution of private and public data shall be specified; what does {j_u} mean? The set of private data to be reconstructed?~

~Some citations are missing or misused. For example, DP-FL, FedMD, and FedGEMS were not cited in the experiment (Sec 4.1.2).~ ~Thus, I am confused about the difference between these three schemes. FedKD first appeared in the Introduction without a citation.~

Questions: See the question above.

Koukyosyumei commented 2 years ago

Reviewer jNiz

Summary:

This paper considers an attack on Federated Learning with Knowledge Distillation (FedKD). FedKD is an FL framework where the clients learn a task on public and private data and share the logit outputs on the public data with a central server. The central server leverages this information to enhance its own model on a task on the public data.

The family of attacks considered in this paper asks whether the logit outputs of the client private models on the public data can leak information about the private datasets. In particular, can the central server reconstruct samples of the private dataset from this information?

The authors introduce a new attack framework, which is the only one to achieve both feasibility (i.e. it works in practice) and distinctiveness (i.e. the attacker can know whether the reconstructed image is drawn from the private dataset). This attack relies on training an ML model that takes as input the logit outputs of both the client private model and the server model, and provides the reconstructed input. The model is trained during the FedKD training. During the attack, the attacker creates fake inputs using eq. (7) and forwards them through the model. Eq. (11) is then used to pick the best reconstructed images for each label.

The paper illustrates the performance of their attack on two datasets: LAG and LFW. They show that their approach (PTBI) outperforms the previous approach TBI for three settings of FedKD (FedMD, FedGEMS, DSFL).

Strengths And Weaknesses: Originality: The authors clearly cite previous work in the field. The most related work (which is cited) is "Neural network inversion in adversarial setting via background knowledge alignment" by Yang et al. Compared to that work, the contribution of this paper is:

- Applying the attack from Yang et al. to FedKD
- Adding the output logits of the server model to train (i.e. going from TBI to PTBI)
- Applying the input of eq. 7 during the attacks
- Post-processing the samples reconstructed with equation 11.

While these contributions are original and new, they are still relatively incremental compared to previous work. ~Also, could you state more explicitly whether the different terms in equations 5 and 11 are an original contribution, or whether other papers also consider this kind of term (in particular the use of in equation 5 and the use of SSIM and TV in equation 11)?~ ~For example, TV is often used as a regularizer in the loss of reconstruction attacks, so the authors should state explicitly whether its use here constitutes a contribution of their own, or just a re-use of a well-known technique.~

Quality: The quality of the paper is sound, and the paper is well written. I did not check the proofs in the appendix, but they look sound.

Clarity: The paper is overall well written and clear. However, the following points could be clarified:

- ~The first time we read section 3.2.2 we don't understand the goal of this section, and the role of equations 7-8-9. It is only once I had read the whole paper that I understood that the goal of section 3.2.2 was to generate fake inputs that will be forwarded to the model during the attack.~
- ~It would be better to state explicitly that the FedMD, FedGEMS and DSFL pseudo-codes are provided in the appendix. The reader might not know what these algorithms are.~
- The setup of the examples is not clear at all. In particular:
  - ~What are the training tasks considered by the clients, and which loss are they using?~
  - ~The data that is in the public dataset is not clear. In the case of LAG, does the central server have the young pictures of all the labels and the young and adult pictures of part of the labels? Does the central server exploit in any way the young pictures of the labels for which the adult counterpart is not in the public dataset? How? Same question in the LFW case. Figure S-1 in the appendix seems to imply that it is the case: the central server has the masked pictures of all the celebrities.~
  - ~What is in Figure 4?~

Significance: For me, the significance of the results is limited. However, I would like to point out that this is not my main domain of expertise, and I'm not confident in my judgement about the significance of the paper.

Indeed, I don't think the paper brings much more than "Neural network inversion in adversarial setting via background knowledge alignment" by Yang et al. In particular, if the server has access to (and uses) the young pictures and the masked pictures of everyone, this significantly limits the impact of such an attack. I think that choosing other examples or experimental settings would have provided a better impact.

To be more precise, I think this paper contains two main contributions:

1. Adapting a known attack (TBI) to the FedKD setting
2. Modifying the attack (going from TBI to PTBI) to make it more efficient (as shown by the numerical experiments)

~I think that the second contribution (2) is not related to FedKD, as the authors could have claimed that using a public auxiliary dataset improves the TBI attack. The first contribution is a natural incremental extension of the TBI attack to another setting.~

~Last but not least, the attack works here if (i) the server knows the list of the labels and (ii) there is no label overlap between centers. The significance of the paper would increase if the authors could provide examples of real-world FedKD settings where such a situation might occur.~

Questions: My main questions are the ones listed in the Clarity section of the previous part:

- ~Does the server use in any way the masked/young pictures of the labels corresponding to the private datasets?~
- ~What are the tasks/losses of the models trained by the clients?~
- ~What is in Figure 4?~

Out of curiosity, I would like to know whether they have considered presenting their work following another narrative, by first claiming that using an auxiliary dataset and PTBI can improve TBI attacks, and then showing that such a framework naturally applies in FedKD.

Limitations: ~The paper does not consider possible defenses and mitigations against such an attack. Although I don't think that numerical examples of such defenses are required, it would be nice to list the mitigations that might be interesting to study in further work.~ Also, a suggestion would be to stress more the restrictive setting of their numerical examples, and to justify more whether such a setting might be present in real-world applications.

Koukyosyumei commented 2 years ago

SprQ

Summary: This paper shows a previously unknown vulnerability of Federated Learning with Knowledge Distillation to Model Inversion attacks. The authors argue that a malicious server can reconstruct private class representations from the output logits of the public dataset. They then design a new attack which can exploit the class representations of the private dataset via the output logits of the public dataset.

Strengths And Weaknesses: Strengths:

- This paper focuses on the model inversion attack in FL, an interesting but less explored topic.
- The presentation is clear. The paper is easy to follow.
- The experiment shows solid performance improvement over TBI.

Weaknesses: I have some concerns as follows:

- ~The authors claim that they focus on privacy in Distillation-based Federated Learning. They only conduct experiments on logits-based distillation with a public dataset, but ignore the comparison with distillation methods that do not require public datasets (see papers [1,2]). The authors should compare with these methods.~
- ~Considering privacy policies and the difficulty of acquiring training data, using public datasets to support FL training is extremely unfeasible.~
- ~Besides, logits-based distillation with a public dataset still performs poorly in FL compared with methods like FedAvg and FedProx, which makes this approach ineffective.~
- Experimental results are not very convincing. ~The authors should show results on more datasets.~ Also, if the domain gap between the public dataset and the private dataset increases, what will be the outcome of your method? It would be better if the authors included an experiment to discuss the impact of the domain gap.
- In the experiments, ~the authors set the number of clients to 1 or 10~, ~and set the number of communication rounds to 5. I am not sure if this is reasonable. In traditional federated learning, there are a large number of clients and communication rounds. Could the authors provide an explanation as to why this is set this way?~
- ~There is only one baseline method, TBI. It's not fair. I suggest that the authors add more methods for comparison. For example, DeepInversion [3] seems to be a very interesting method.~

[1] Wu C, Wu F, Liu R, et al. FedKD: Communication efficient federated learning via knowledge distillation. arXiv preprint arXiv:2108.13323, 2021.
[2] Lin T, Kong L, Stich S U, et al. Ensemble distillation for robust model fusion in federated learning. Advances in Neural Information Processing Systems, 2020, 33: 2351-2363.
[3] Yin H, Molchanov P, Alvarez J M, et al. Dreaming to distill: Data-free knowledge transfer via DeepInversion. Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2020: 8715-8724.

Questions: ~In the experiments, the authors set the number of clients to 1 or 10, and set the number of communication rounds to 5. I am not sure if this is reasonable. In traditional federated learning, there are a large number of clients and communication rounds. Could the authors provide an explanation as to why this is set this way?~