Decaf: Data Distribution Decompose Attack against Federated Learning

Zhiyang Dai, Chunyi Zhou, Anmin Fu

TL;DR

This paper introduces Decaf, a data distribution decomposition attack against federated learning that passively infers a victim's local class proportions by analyzing gradient changes, particularly in the last layer. It addresses two core challenges—identifying null classes and decomposing the remaining non-null classes—via formal proofs and a four-step pipeline: Gradient Change Extraction, Null Classes Removal, Gradient Bases Construction, and Remaining Classes Decomposition, underpinned by an optimization framework. Empirical evaluation across five datasets and multiple model architectures shows high accuracy in null-class detection and robust per-class proportion recovery for both IID and non-IID data, with minimal impact on global model performance and low attack overhead. The findings highlight a novel privacy vulnerability in FL and underscore the need for countermeasures: standard defenses such as dropout have limited efficacy, while differential privacy and encryption-based approaches trade off utility or practicality.

Abstract

In contrast to prevalent Federated Learning (FL) privacy inference techniques such as generative adversarial network attacks, membership inference attacks, property inference attacks, and model inversion attacks, we devise an innovative privacy threat: the Data Distribution Decompose Attack on FL, termed Decaf. This attack enables an honest-but-curious FL server to meticulously profile the proportion of each class owned by the victim FL user, divulging sensitive information like local market item distribution and business competitiveness. The crux of Decaf lies in the profound observation that the magnitude of local model gradient changes closely mirrors the underlying data distribution, including the proportion of each class. Decaf addresses two crucial challenges: accurately identifying the missing/null class(es) of any victim user as a premise, and then quantifying the precise relationship between gradient changes and each remaining non-null class. Notably, Decaf operates stealthily, rendering it entirely passive and undetectable to victim users regarding the infringement of their data distribution privacy. Experimental validation on five benchmark datasets (MNIST, FASHION-MNIST, CIFAR-10, FER-2013, and SkinCancer) employing diverse model architectures, including customized convolutional networks, standardized VGG16, and ResNet18, demonstrates Decaf's efficacy. Results indicate its ability to accurately decompose local user data distribution, regardless of whether it is IID or non-IID distributed. Specifically, the dissimilarity measured using $L_{\infty}$ distance between the distribution decomposed by Decaf and ground truth is consistently below 5% when no null classes exist. Moreover, Decaf achieves 100% accuracy in determining any victim user's null classes, validated through formal proof.

Paper Structure (24 sections, 20 equations, 14 figures, 15 tables, 3 algorithms)

This paper contains 24 sections, 20 equations, 14 figures, 15 tables, 3 algorithms.

Figures (14)

  • Figure 1: Privacy inference attacks against FL.
  • Figure 2: Threat model overview of Decaf.
  • Figure 3: Decaf attack overview.
  • Figure 4: Comparison of Decaf and random guess.
  • Figure 5: Accuracy of FL global model with and without Decaf.
  • ...and 9 more figures