Research on a Federated Privacy Enhancement Method against GAN Attacks

doi:10.3969/j.issn.1671-1122.2026.01.004

Abstract

Abstract:

Federated learning mitigates the risks of centralized data storage through distributed training, yet remains vulnerable to malicious clients exploiting GAN attacks to steal private data. Traditional defense methods such as differential privacy and encryption mechanisms suffer from challenges in balancing model performance and privacy effectiveness or incur high computational costs. To address the threat of GAN attacks in federated learning for image recognition tasks, this paper proposes a privacy enhancement method based on Rényi differential privacy (RDP) to improve data privacy. The serial composition mechanism of Rényi differential privacy enables the privacy budget growth rate in multi-round iterations to transition from the linear scaling of traditional differential privacy to sublinear scaling, effectively reducing the amount of noise added. Thus, the method leverages the tight noise composition properties of RDP by incorporating gradient clipping based on weight equilibrium and optimized Gaussian noise injection into client-side gradient updates. This approach enables differential privacy-preserving computations, effectively reducing privacy leakage risks while balancing model utility. Experiments show that the method realizes local data privacy protection and enhances the privacy protection ability of the model under the premise that the degree of impact on the model’s global accuracy remains acceptable, so as to effectively resist GAN attacks and ensure the privacy of image data.

Key words: federated learning, GAN attacks, differential privacy, privacy enhancement

CLC Number:

TP309

SHI Yinsheng, BAO Yang, PANG Jingjing. Research on a Federated Privacy Enhancement Method against GAN Attacks[J]. Netinfo Security, 2026, 26(1): 49-58.

Figures/Tables 15

References 25

[1]	MCMAHAN H B, MOORE E, RAMAGE D, et al. Communication-Efficient Learning of Deep Networks from Decentralized Data[C]// AISTATS. The 20th International Conference on AISTATS 2017. Indio: AISTATS, 2017: 1273-1282.
[2]	HITAJ B, ATENIESE G, PEREZ-CRUZ F. Deep Models under the GAN: Information Leakage from Collaborative Deep Learning[C]// ACM. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2017: 603-618.
[3]	YIN Xuefei, ZHU Yanming, HU Jiankun. A Comprehensive Survey of Privacy-Preserving Federated Learning: A Taxonomy, Review, and Future Directions[J]. ACM Computing Surveys (CSUR), 2021, 54(6): 1-36.
[4]	DWORK C, MCSHERRY F, NISSIM K, et al. Calibrating Noise to Sensitivity in Private Data Analysis[C]// Springer. Theory of Cryptography. Heidelberg: Springer, 2006: 265-284.
[5]	MCSHERRY F, TALWAR K. Mechanism Design via Differential Privacy[C]// IEEE. The 48th Annual IEEE Symposium on Foundations of Computer Science (FOCS 2007). New York: IEEE, 2007: 94-103.
[6]	NIKOLOV A, TALWAR K, ZHANG Li. The Geometry of Differential Privacy: The Sparse and Approximate Cases[C]// ACM. The Forty-Fifth Annual ACM Symposium on Theory of Computing. New York: ACM, 2013: 351-360.
[7]	WU Xiang, ZHANG Yongting, SHI Minyu, et al. An Adaptive Federated Learning Scheme with Differential Privacy Preserving[J]. Future Generation Computer Systems, 2022, 127: 362-372. doi: 10.1016/j.future.2021.09.015 URL
[8]	TRUEX S, LIU Ling, CHOW K H, et al. LDP-Fed: Federated Learning with Local Differential Privacy[C]// ACM. The Third ACM International Workshop on Edge Systems, Analytics and Networking. New York: ACM, 2020: 61-66.
[9]	WEI Kang, LI Jun, DING Ming, et al. Federated Learning with Differential Privacy: Algorithms and Performance Analysis[J]. IEEE Transactions on Information Forensics and Security, 2020, 15: 3454-3469. doi: 10.1109/TIFS.2020.2988575 URL
[10]	YU Da, ZHANG Huishuai, CHEN Wei, et al. Gradient Perturbation Is Underrated for Differentially Private Convex Optimization[C]// ACM. The Twenty-Ninth International Conference on International Joint Conferences on Artificial Intelligence. New York: ACM, 2021: 3117-3123.
[11]	XU Ruzhi, TONG Yumeng, DAI Lipeng. Research on Federated Learning Adaptive Differential Privacy Method Based on Heterogeneous Data[J]. Netinfo Security, 2025, 25(1): 63-77.
	徐茹枝, 仝雨蒙, 戴理朋. 基于异构数据的联邦学习自适应差分隐私方法研究[J]. 信息网络安全, 2025, 25(1): 63-77.
[12]	XU Runhua, BARACALDO N, ZHOU Yi, et al. HybridAlpha: An Efficient Approach for Privacy-Preserving Federated Learning[C]// ACM. The 12th ACM Workshop on Artificial Intelligence and Security. New York: ACM, 2019: 13-23.
[13]	JIN Weizhao, YAO Yuhang, HAN Shanshan, et al. FedML-HE: An Efficient Homomorphic-Encryption-Based Privacy-Preserving Federated Learning System[EB/OL](2024-06-17)[2025-11-01]. https://doi.org/10.48550/arXiv.2303.10837
[14]	YU Feng, LIN Hui, WANG Xiaoding, et al. Communication-Efficient Personalized Federated Meta-Learning in Edge Networks[J]. IEEE Transactions on Network and Service Management, 2023, 20(2): 1558-1571. doi: 10.1109/TNSM.2023.3263831 URL
[15]	YIN Lihua, FENG Jiyuan, XUN Hao, et al. A Privacy-Preserving Federated Learning for Multiparty Data Sharing in Social IoTs[J]. IEEE Transactions on Network Science and Engineering, 2021, 8(3): 2706-2718. doi: 10.1109/TNSE.2021.3074185
[16]	RIVEST R L, SHAMIR A, ADLEMAN L. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems[J]. Communications of the ACM. 1983, 26(1): 96-99. doi: 10.1145/357980.358017 URL
[17]	ZHANG Li, XU Jianbo, VIJAYAKUMAR P, et al. Homomorphic Encryption-Based Privacy-Preserving Federated Learning in IoT-Enabled Healthcare System[J]. IEEE Transactions on Network Science and Engineering, 2023, 10(5): 2864-2880. doi: 10.1109/TNSE.2022.3185327 URL
[18]	ZHENG Chengbo, YAN Haonan, FU Caili, et al. Double Layer Federated Security Learning Architecture for Artificial Intelligence of Things[J]. Journal of Network and Information Security, 2024, 10(6): 71-80.
	郑诚波, 闫皓楠, 傅彩利, 等. 面向智能物联网的双层级联邦安全学习架构[J]. 网络与信息安全学报, 2024, 10(6): 71-80.
[19]	LAI Chengzhe, ZHAO Yining, ZHENG Dong. A Privacy Protection and Verifiable Federated Learning Scheme Based on Homomorphic Encryption[J]. Netinfo Security, 2024, 24(1): 93-105.
	赖成喆, 赵益宁, 郑东. 基于同态加密的隐私保护与可验证联邦学习方案[J]. 信息网络安全, 2024, 24(1): 93-105.
[20]	YAO Pan, ZHENG Chao, WANG He, et al. FedSHE: Privacy Preserving and Efficient Federated Learning with Adaptive Segmented CKKS Homomorphic Encryption[EB/OL](2024-07-04)[2025-11-01]. https://doi.org/10.1186/s42400-024-00232-w.
[21]	ZHANG Zehui, LI Qingdan, FU Yao, et al. Adaptive Federated Deep Learning with Non-IID Data[J]. Acta Automatica Sinica, 2023, 49(12): 2493-2506.
	张泽辉, 李庆丹, 富瑶, 等. 面向非独立同分布数据的自适应联邦深度学习算法[J]. 自动化学报, 2023, 49(12): 2493-2506.
[22]	DWORK C, KENTHAPADI K, MCSHERRY F, et al. Our Data, Ourselves: Privacy via Distributed Noise Generation[C]// Springer. Advances in Cryptology-EUROCRYPT 2006. Heidelberg: Springer, 2006: 486-503.
[23]	MIRONOV I. Rényi Differential Privacy[C]// IEEE. 2017 IEEE 30th Computer Security Foundations Symposium (CSF). New York: IEEE, 2017: 263-275.
[24]	ABADI M, CHU A, GOODFELLOW I, et al. Deep Learning with Differential Privacy[C]// ACM. The 2016 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2016: 308-318.
[25]	LI Wenling, YU Ping, CHENG Yanan, et al. Efficient and Privacy-Enhanced Federated Learning Based on Parameter Degradation[J]. IEEE Transactions on Services Computing, 2024, 17(5): 2304-2319. doi: 10.1109/TSC.2024.3399659 URL

对比实验参数	实验一	实验二	实验三
客户端数量	10	10	10
数据集	MNIST	MNIST	MNIST
隐私保护算法	无	Rényi差分隐私	近似差分隐私
是否施加GAN攻击	是	是	是
聚合方法	FedAvg	FedAvg	FedAvg
epoch数量	400	400	400

对比实验参数	实验四	实验五	实验六
客户端数量	10	10	10
数据集	CIFAR-10	CIFAR-10	CIFAR-10
隐私保护算法	无	Rényi差分隐私	近似差分隐私
是否施加GAN攻击	是	是	是
聚合方法	FedAvg	FedAvg	FedAvg
epoch数量	400	400	400