FedMIA: An Effective Membership Inference Attack Exploiting "All for One" Principle in Federated Learning

Gongxi Zhu, Donghao Li, Hanlin Gu, Yuan Yao, Lixin Fan, Yuxing Han

TL;DR

This work addresses privacy risks in federated learning by showing that membership inference can be greatly empowered by exploiting updates from non-target clients, not just the target client's updates. The authors formulate a one-tailed likelihood-ratio test and develop FedMIA, a three-step attack that uses a low-dimensional measurement based on gradient similarity, per-round distribution estimation of non-member updates, and aggregation across communication rounds to infer membership. The approach is theoretically justified and empirically validated across classification and generative tasks, consistently outperforming six baselines and proving robust to several defenses and non-IID settings. The findings highlight a critical privacy leakage channel in FL and suggest that defenses must address cross-client information sharing, potentially via secure aggregation or stronger cryptographic protections, to prevent such attacks.

Abstract

Federated Learning (FL) is a promising approach for training machine learning models on decentralized data while preserving privacy. However, privacy risks, particularly Membership Inference Attacks (MIAs), which aim to determine whether a specific data point belongs to a target client's training set, remain a significant concern. Existing methods for implementing MIAs in FL primarily analyze updates from the target client, focusing on metrics such as loss, gradient norm, and gradient difference. However, these methods fail to leverage updates from non-target clients, potentially underutilizing available information. In this paper, we first formulate a one-tailed likelihood-ratio hypothesis test based on the likelihood of updates from non-target clients. Building upon this formulation, we introduce a three-step Membership Inference Attack (MIA) method, called FedMIA, which follows the "all for one"--leveraging updates from all clients across multiple communication rounds to enhance MIA effectiveness. Both theoretical analysis and extensive experimental results demonstrate that FedMIA outperforms existing MIAs in both classification and generative tasks. Additionally, it can be integrated as an extension to existing methods and is robust against various defense strategies, Non-IID data, and different federated structures. Our code is available in https://github.com/Liar-Mask/FedMIA.
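
A minimal sketch of the one-tailed test and cross-round aggregation summarized above, written as a privacy auditor would compute it over an FL deployment's own rounds. It is an added illustration, not code from the paper or its repository. It assumes a Gaussian fit of the non-target clients' per-round measurements and a plain mean over rounds; the function names, the threshold 0.75 and all measurement values are constructed.

```python
from statistics import NormalDist, mean, stdev

# Constructed measurements (e.g. cosine similarity between a client's update
# and the candidate sample's gradient). Each round: (target client's value,
# values from non-target clients, which never trained on the candidate).
MEMBER_ROUNDS = [
    (0.030, [-0.02, -0.01, 0.01, 0.02]),
    (0.004, [-0.03, 0.00, 0.01, 0.02]),   # weak round for a true member
    (0.020, [-0.01, 0.00, 0.00, 0.01]),
]
NON_MEMBER_ROUNDS = [
    (-0.005, [-0.02, -0.01, 0.01, 0.02]),
    (0.025, [-0.03, 0.00, 0.01, 0.02]),   # noisy round that looks like a member
    (-0.004, [-0.01, 0.00, 0.00, 0.01]),
]

def round_score(target_value, reference_values):
    """One-tailed score for one round: P(non-member measurement < observed)."""
    if len(reference_values) < 2:
        raise ValueError("need per-client reference values to fit the null")
    # Assumption: non-member measurements in a round are roughly Gaussian.
    null = NormalDist(mean(reference_values), stdev(reference_values))
    return null.cdf(target_value)

def aggregated_score(rounds):
    """Average the per-round scores across communication rounds."""
    return mean(round_score(t, refs) for t, refs in rounds)

def infer_member(rounds, delta=0.75):
    """Declare membership when the aggregated score exceeds threshold delta."""
    return aggregated_score(rounds) > delta

if __name__ == "__main__":
    for name, rounds in [("member", MEMBER_ROUNDS), ("non-member", NON_MEMBER_ROUNDS)]:
        per_round = [round(round_score(t, r), 3) for t, r in rounds]
        print(name, per_round, round(aggregated_score(rounds), 3), infer_member(rounds))
```

In the constructed data, round 2 taken alone misclassifies both candidates, while the aggregate over three rounds separates them. The score also needs at least two per-client reference values in every round, which is the visibility that secure aggregation removes.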

Paper Structure

This paper contains 24 sections, 2 theorems, 18 equations, 6 figures, 3 tables, 1 algorithm.

Key Result

Theorem 1

Given the threshold $\delta$, let $\mathbb{V}_t$ be the member sets estimated by $\hat{\Lambda}^t$ and $\delta$ in communication round $t$. Let $\tilde{\mathbb{V}}$ be the member sets estimated by $\tilde{\Lambda}$ and $\delta$. Then we have

Figures (6)

  • Figure 1: The distributions of member and non-member samples of FedMIA (the second row: FedMIA-I (ours) and FedMIA-II (ours)) and other MIAs (the first row: Grad-Cosine [li2022effective], Loss-Series [gu2022cs]) on ResNet-CIFAR100. It shows the obvious gap between the mean of the member and non-member ($\mu_{mem}-\mu_{non}$) for the proposed FedMIA compared to other methods.
  • Figure 2: Overview of FedMIA including three steps: 1) Computing the low-dimensional measurement; 2) Estimating the distribution of updates without being trained on target data; 3) Building the one-tailed LRT test and Inferring the membership.
  • Figure 3: Original training images and generated images based on uploaded embeddings via latent diffusion model.
  • Figure 4: This set of figures shows the attack effects (TPR@FPR=0.1%) of various attacks (Blackbox-Loss [yeom2018privacy], Grad-Cosine [li2022effective], Loss-Series [gu2022cs], Avg-Cosine [li2022effective], FedMIA-I and FedMIA-II) on AlexNet and ResNet18 (the first and second row respectively) under IID and three Non-IID settings.
  • Figure 5: This set of figures shows the attack effects (TPR@FPR=0.1%) of various attacks (blue line: Loss-Series [gu2022cs], green line: Avg-Cosine [li2022effective] and red line: FedMIA-II) on AlexNet and ResNet18 (the first and second row respectively) under four settings. The four columns of the graph group show the results of different communication rounds, client numbers, data volumes and local epochs settings respectively.
  • ...and 1 more figure

Theorems & Definitions (7)

  • Remark 1
  • Remark 2
  • Theorem 1
  • Remark 3
  • Definition 1: Hypervolume Indicator
  • Theorem 2
  • proof