Skip to yearly menu bar Skip to main content


In-Person Poster presentation / poster accept

Decepticons: Corrupted Transformers Breach Privacy in Federated Learning for Language Models

Liam H Fowl · Jonas Geiping · Steven Reich · Yuxin Wen · Wojciech Czaja · Micah Goldblum · Tom Goldstein

MH1-2-3-4 #66

Keywords: [ federated learning ] [ privacy ] [ transformers ] [ attack ] [ Gradient Inversion ] [ Deep Learning and representational learning ]


Abstract:

Privacy is a central tenet of Federated learning (FL), in which a central server trains models without centralizing user data. However, gradient updates used in FL can leak user information. While the most industrial uses of FL are for text applications (e.g. keystroke prediction), the majority of attacks on user privacy in FL have focused on simple image classifiers and threat models that assume honest execution of the FL protocol from the server. We propose a novel attack that reveals private user text by deploying malicious parameter vectors, and which succeeds even with mini-batches, multiple users, and long sequences. Unlike previous attacks on FL, the attack exploits characteristics of both the Transformer architecture and the token embedding, separately extracting tokens and positional embeddings to retrieve high-fidelity text. We argue that the threat model of malicious server states is highly relevant from a user-centric perspective, and show that in this scenario, text applications using transformer models are much more vulnerable than previously thought.

Chat is not available.