Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

adding the GroupRegistration regularization term for "See through gradients" attack #1

Closed
philipjk opened this issue Aug 21, 2022 · 2 comments
Closed

adding the GroupRegistration regularization term for "See through gradients" attack #1

philipjk opened this issue Aug 21, 2022 · 2 comments

Comments

@philipjk
Copy link

philipjk commented Aug 21, 2022
edited

Problem and context

As I am working on extending gradient inversion attacks, I came across this wonderful library. In an attempt to reproduce Yin. et al paper, I found out about the missing regularization term (as per title) in the final Notes of the breaching/examples/See through gradients [...].ipynb. I would like to try and reproduce the results of Yin et al. in order to provide baselines for comparison against other regularization metrics. The main obstacle in implementing this term seems to be a cluttered description of it in Section 3.4 of the above mentioned paper.

Steps towards solution

Regardless of the actual value of \alpha_{group} (not disclosed by the authors, as far as I know) I believe a possible implementation of the GroupRegistration regularization term can be achieved in the following few steps:

  1. Create a dummy image x_g, for all g in G
  2. Compute the per-pixel average over |G| and call it target image x_t
  3. Compute the registration F(x_g, x_t), i.e. the linear transformation that matches certain features of x_g with x_t. Do it for every g in G. The feature matching/transformation function F is based on RANSAC-flow.
  4. Average all the F(x_g, x_t) over g in G and call it E[x_g]
  5. Compute the 2-norm of the difference between x_g and E[x_g].

To my understanding, this is the meaning of Section 3.4 and the plot in Figure 3 of the above mentioned paper.

Additional comments

My research would benefit from having this component implemented, and I believe it could have a broader impact in giving the possibility to reproduce one of the SOTA results in gradient inversion attacks to other researchers as well. For this reason I would like to take on this issue. Disclaimer: This would be my first contribution to a public, research repository.
@JonasGeiping
Copy link
Owner

JonasGeiping commented Aug 23, 2022
edited

Hi Philip,

I agree with these steps, this is also my (rough) understanding of how this regularizer should work. From a code perspective, the main obstacle is that the group regularizer circumvents the existing code in optimization_based_attack.py, which is written to run sequential trials that each recover a batch of images, but not simultaneous recovery of a group of batches of images.

Work on this issue would be greatly appreciated and I would be very interested in merging it into the main branch. You would probably want to subclass optimization_based_attack.py and replace the tooling in _run_trial to add support for this regularizer.

Best,
Jonas

JonasGeiping added a commit that referenced this issue Sep 15, 2022
@JonasGeiping
Merge pull request #1 from JonasGeiping/add-license-1
be2ad33 
Create LICENSE
@JonasGeiping
Copy link
Owner

Closing this for now, but feel free to reopen this with more questions, or open a pull-request with an implementation suggestion for group sparsity regularization!

Best,
Jonas

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@philipjk @JonasGeiping