Local Model Reconstruction Attacks in Federated Learning and their Uses

Read original: arXiv:2210.16205 - Published 5/28/2024 by Ilias Driouich, Chuan Xu, Giovanni Neglia, Frederic Giroire, Eoin Thomas
Overview

  • This paper explores a type of attack called "local model reconstruction" in the context of federated learning.
  • In federated learning, a central server coordinates the training of a shared model using data from many clients, without clients sharing their raw data.
  • The authors show that an eavesdropping adversary can reconstruct a client's personalized local model, which may leak more private information than the global model.
  • They also propose a new "attribute inference" attack that leverages the local model reconstruction to infer private attributes about clients.
  • The paper provides analytical and empirical results demonstrating the effectiveness of these attacks, especially when clients' datasets are diverse.

Plain English Explanation

In federated learning, a central server coordinates the training of a shared machine learning model using data from many different clients, without the clients having to share their raw data. This helps protect the privacy of the clients' data.

However, the authors of this paper show that there's a potential vulnerability in this setup. They explain that an eavesdropping "adversary" (or attacker) could intercept the messages sent between a targeted client and the server. The adversary could then use this information to reconstruct the client's own personalized "local" model, which may reveal more private details about the client's data than the final shared "global" model.

This local model reconstruction attack could then be used to trigger other types of attacks that are even more effective at revealing private information about the client. The paper also introduces a new kind of attack called "attribute inference," where the adversary tries to infer specific private attributes about the client based on the reconstructed local model.

Through analytical and experimental results, the authors demonstrate that these attacks can be quite effective, especially when the clients' datasets are diverse (i.e., the data from different clients varies a lot). This highlights an important privacy risk in federated learning that system designers will need to address.

Technical Explanation

The key technical contributions of this paper are:

  1. Local Model Reconstruction Attack: The authors show how an eavesdropping "honest-but-curious" adversary can reconstruct a targeted client's local/personalized model by observing the messages exchanged between the client and the federated learning server. This local model reconstruction attack is more effective than attacks targeting the global model, as the local model is more closely tied to the client's private data.

  2. Novel Attribute Inference Attack: Building on the local model reconstruction, the authors propose a new "model-based attribute inference attack" in federated learning. This allows the adversary to infer private attributes about the client from the reconstructed local model. The paper provides an analytical lower-bound for the accuracy of this attack.

  3. Empirical Evaluation: The authors evaluate their attacks on real-world datasets, showing that the local reconstruction attack works well for both regression and classification tasks. They also benchmark the attribute inference attack against prior state-of-the-art attacks in federated learning, demonstrating higher reconstruction accuracy, especially when clients' datasets are heterogeneous.

The key insights from this work are that the local models in federated learning can leak more private information than the global model, and that adversaries can leverage this vulnerability to launch powerful and explainable attacks that quantify privacy risks. This expands on prior research on gradient leakage and label recovery attacks in federated learning.
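Why the exchanged messages pin down a local model can be seen in a toy setting. The sketch below is an added illustration, not the paper's algorithm or code: it assumes full-batch FedSGD on linear regression with constructed synthetic clients, where each client's gradient is an affine function of the model it receives, and all function names are hypothetical.

```python
import numpy as np

def simulate_fl(seed=0, n_clients=4, rounds=15, lr=0.5):
    """Constructed FedSGD run on synthetic linear-regression clients.
    Client 0 is the client whose messages are observed on the wire."""
    rng = np.random.default_rng(seed)
    scale = np.array([0.5, 1.0, 1.5])        # per-feature scale (constructed)
    d = len(scale)
    clients = []
    for _ in range(n_clients):
        X = rng.normal(size=(40, d)) * scale
        w = rng.normal(size=d)               # client-specific weights: heterogeneous data
        clients.append((X, X @ w + 0.01 * rng.normal(size=40)))
    theta, wire = np.zeros(d), []
    for _ in range(rounds):
        grads = [X.T @ (X @ theta - y) / len(y) for X, y in clients]
        # server -> client: global model; client -> server: local gradient
        wire.append((theta.copy(), grads[0]))
        theta = theta - lr * np.mean(grads, axis=0)
    Xv, yv = clients[0]
    local_opt = np.linalg.lstsq(Xv, yv, rcond=None)[0]  # client 0's true local model
    return local_opt, theta, wire

def reconstruct_local_model(wire):
    """Fit g = A @ theta + b to the observed (model, gradient) pairs and
    return the point where the client's gradient vanishes."""
    T = np.array([t for t, _ in wire])
    G = np.array([g for _, g in wire])
    design = np.hstack([T, np.ones((len(T), 1))])
    coef = np.linalg.lstsq(design, G, rcond=None)[0]    # shape (d + 1, d)
    A, b = coef[:-1].T, coef[-1]
    return np.linalg.solve(A, -b)

def leak_report(seed=0):
    """Return (reconstruction error, distance of the global model from the
    client's local optimum) for one constructed run."""
    local_opt, theta_global, wire = simulate_fl(seed)
    rec = reconstruct_local_model(wire)
    return (float(np.linalg.norm(rec - local_opt)),
            float(np.linalg.norm(theta_global - local_opt)))

if __name__ == "__main__":
    err, gap = leak_report()
    print(f"reconstructed vs. true local model: {err:.2e}")
    print(f"global vs. true local model:        {gap:.2f}")
```

In this constructed run the model recovered from the message stream matches the client's own optimum far more closely than the shared global model does, which is the heterogeneity effect the summary describes.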

Critical Analysis

The authors provide a thorough analysis of the local model reconstruction attack and the new attribute inference attack, with strong analytical and empirical support. However, some caveats and limitations are worth noting:

  • The threat model assumes an "honest-but-curious" adversary, which may not capture all real-world attack scenarios. More powerful adversaries could potentially exploit additional vulnerabilities.
  • The effectiveness of the attacks is shown to depend on the heterogeneity of clients' datasets. It's unclear how these attacks would perform in more homogeneous federated learning settings.
  • The paper does not discuss potential defenses against these attacks. Exploring mitigation strategies would be an important next step for this line of research.
  • While the attacks reveal significant privacy risks, the paper does not quantify the potential harm or provide a broader societal context around the implications of these privacy breaches in federated learning.

Overall, this work identifies an important vulnerability in federated learning systems and proposes novel attacks that should motivate further research into strengthening the privacy guarantees of federated learning.

Conclusion

This paper initiates the study of local model reconstruction attacks in federated learning, where an eavesdropping adversary can exploit the personalized local models of clients to launch powerful attacks that reveal more private information than attacks targeting the global model.

The authors demonstrate the effectiveness of these attacks, both analytically and empirically, and introduce a new attribute inference attack that leverages the local model reconstruction. Their results highlight a significant privacy risk in federated learning systems, especially when clients' datasets are heterogeneous.

This work contributes to the growing body of research on privacy attacks in federated learning and emphasizes the need for developing robust defenses to ensure the privacy and security of federated learning deployments.



This summary was produced with help from an AI and may contain inaccuracies - check out the links to read the original source documents!

Related Papers

Local Model Reconstruction Attacks in Federated Learning and their Uses

Ilias Driouich, Chuan Xu, Giovanni Neglia, Frederic Giroire, Eoin Thomas

In this paper, we initiate the study of local model reconstruction attacks for federated learning, where an honest-but-curious adversary eavesdrops the messages exchanged between a targeted client and the server, and then reconstructs the local/personalized model of the victim. The local model reconstruction attack allows the adversary to trigger other classical attacks in a more effective way, since the local model only depends on the client's data and can leak more private information than the global model learned by the server. Additionally, we propose a novel model-based attribute inference attack in federated learning leveraging the local model reconstruction attack. We provide an analytical lower-bound for this attribute inference attack. Empirical results using real world datasets confirm that our local reconstruction attack works well for both regression and classification tasks. Moreover, we benchmark our novel attribute inference attack against the state-of-the-art attacks in federated learning. Our attack results in higher reconstruction accuracy especially when the clients' datasets are heterogeneous. Our work provides a new angle for designing powerful and explainable attacks to effectively quantify the privacy risk in FL.

5/28/2024

Understanding Data Reconstruction Leakage in Federated Learning from a Theoretical Perspective

Zifan Wang, Binghui Zhang, Meng Pang, Yuan Hong, Binghui Wang

Federated learning (FL) is an emerging collaborative learning paradigm that aims to protect data privacy. Unfortunately, recent works show FL algorithms are vulnerable to the serious data reconstruction attacks. However, existing works lack a theoretical foundation on to what extent the devices' data can be reconstructed and the effectiveness of these attacks cannot be compared fairly due to their unstable performance. To address this deficiency, we propose a theoretical framework to understand data reconstruction attacks to FL. Our framework involves bounding the data reconstruction error and an attack's error bound reflects its inherent attack effectiveness. Under the framework, we can theoretically compare the effectiveness of existing attacks. For instance, our results on multiple datasets validate that the iDLG attack inherently outperforms the DLG attack.

8/23/2024

Addressing Membership Inference Attack in Federated Learning with Model Compression

Gergely Dániel Németh, Miguel Ángel Lozano, Novi Quadrianto, Nuria Oliver

Federated Learning (FL) has been proposed as a privacy-preserving solution for machine learning. However, recent works have reported that FL can leak private client data through membership inference attacks. In this paper, we show that the effectiveness of these attacks on the clients negatively correlates with the size of the client's datasets and model complexity. Based on this finding, we study the capabilities of model-agnostic Federated Learning to preserve privacy, as it enables the use of models of varying complexity in the clients. To systematically study this topic, we first propose a taxonomy of model-agnostic FL methods according to the strategies adopted by the clients to select the sub-models from the server's model. This taxonomy provides a framework for existing model-agnostic FL approaches and leads to the proposal of new FL methods to fill the gaps in the taxonomy. Next, we analyze the privacy-performance trade-off of all the model-agnostic FL architectures as per the proposed taxonomy when subjected to 3 different membership inference attacks on the CIFAR-10 and CIFAR-100 vision datasets. In our experiments, we find that randomness in the strategy used to select the server's sub-model to train the clients' models can control the clients' privacy while keeping competitive performance on the server's side.

7/8/2024

Attacks on fairness in Federated Learning

Joseph Rance, Filip Svoboda

Federated Learning is an important emerging distributed training paradigm that keeps data private on clients. It is now well understood that by controlling only a small subset of FL clients, it is possible to introduce a backdoor to a federated learning model, in the presence of certain attributes. In this paper, we present a new type of attack that compromises the fairness of the trained model. Fairness is understood to be the attribute-level performance distribution of a trained model. It is particularly salient in domains where, for example, skewed accuracy discrimination between subpopulations could have disastrous consequences. We find that by employing a threat model similar to that of a backdoor attack, an attacker is able to influence the aggregated model to have an unfair performance distribution between any given set of attributes. Furthermore, we find that this attack is possible by controlling only a single client. While combating naturally induced unfairness in FL has previously been discussed in depth, its artificially induced kind has been neglected. We show that defending against attacks on fairness should be a critical consideration in any situation where unfairness in a trained model could benefit a user who participated in its training.

7/29/2024