Federated Learning (FL) allows users to share and interact with multiple parties without directly uploading the original data, effectively reducing the risk of privacy leaks. However, existing research suggests that the adversary can still reconstruct raw data through shared gradient information. To further protect the privacy of federated learning, a deep shadow defense scheme of federated learning based on Generative Adversarial Network (GAN) was proposed. The original real data distribution features were learned by GAN and replaceable shadow data was generated. Then, the original model trained on real data was replaced by a shadow model trained on shadow data and was not directly accessible to the adversary. Finally, the real gradient was replaced by the shadow gradient generated by the shadow data in the shadow model and was not accessible to the adversary. Experiments were conducted on CIFAR10 and CIFAR100 datasets for comparison of the proposed scheme with the five defense schemes of adding noise, gradient clipping, gradient compression, representation perturbation and local regularization and sparsification. On CIFAR10 dataset, the Mean Square Error (MSE) and the Feature Mean Square Error (FMSE) of the proposed scheme were 1.18-5.34 and 4.46-1.03×107 times, and the Peak Signal-to-Noise Ratio (PSNR) of the proposed scheme was 49.9%-90.8%. On CIFAR100 dataset, the MSE and the FMSE of the proposed scheme were 1.04-1.06 and 5.93-4.24×103 times, and the PSNR of the proposed scheme was 96.0%-97.6%. Compared with the deep shadow defense method, the proposed scheme takes into account the actual attack capability of the adversary and the problems in shadow model training, and designs threat models and shadow model generation algorithms. It performs better in theory analysis and experiment result that of the comparsion schemes, and it can effectively reduce the risk of federated learning privacy leaks while ensuring accuracy.
