Federated learning is a paradigm that enables multiple clients to collaboratively train a global model without sharing raw data. To enhance privacy, secure aggregation has been widely adopted to conceal individual model updates. However, secure aggregation does not provide sufficient protection against membership inference attack. In this paper, we introduce FusionMIA, a novel membership inference attack that leverages spy clients and shadow models, systematically infer the privacy information of target training samples from aggregated updates. Contrary to the assumptions made by previous studies that secure aggregation offers sufficient protection against inference attacks, our research demonstrates that FusionMIA can effectively compromise the security of federated learning systems even in secure aggregation protected settings. FusionMIA successfully reconstructs membership information by leveraging the differential impact of individual client updates on the aggregated model. Extensive experiments on MNIST and CIFAR-10 demonstrate the effectiveness of this approach, achieving >90% AUC-score in most cases and exposing a significant vulnerability in federated learning systems. These findings underscore the pressing need for more robust privacy-preserving mechanisms in federated learning that extend beyond conventional aggregation-based defenses.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

FusionMIA: Enhancing Membership Inference Attacks with Spy Clients and Shadow Models in Federated Learning

  • Xiang Lan,
  • Jiayin Li,
  • Zuobin Ying,
  • Xingshuo Han,
  • Shengmin Xu

摘要

Federated learning is a paradigm that enables multiple clients to collaboratively train a global model without sharing raw data. To enhance privacy, secure aggregation has been widely adopted to conceal individual model updates. However, secure aggregation does not provide sufficient protection against membership inference attack. In this paper, we introduce FusionMIA, a novel membership inference attack that leverages spy clients and shadow models, systematically infer the privacy information of target training samples from aggregated updates. Contrary to the assumptions made by previous studies that secure aggregation offers sufficient protection against inference attacks, our research demonstrates that FusionMIA can effectively compromise the security of federated learning systems even in secure aggregation protected settings. FusionMIA successfully reconstructs membership information by leveraging the differential impact of individual client updates on the aggregated model. Extensive experiments on MNIST and CIFAR-10 demonstrate the effectiveness of this approach, achieving >90% AUC-score in most cases and exposing a significant vulnerability in federated learning systems. These findings underscore the pressing need for more robust privacy-preserving mechanisms in federated learning that extend beyond conventional aggregation-based defenses.