
Accuracy-Privacy Trade-off in the Mitigation of Membership Inference Attack in Federated Learning

Sayyed Farid Ahamed, Soumya Banerjee, Sandip Roy, Devin Quinn, Marc Vucovich, Kevin Choi, Abdul Rahman, Alison Hu, Edward Bowen, Sachin Shetty

TL;DR

The paper tackles the problem of how privacy and accuracy interact under Membership Inference Attacks in Federated Learning, questioning whether confidence-based metrics from deep ensembles translate to FL. It analyzes threat models, compares aggregation strategies, and conducts extensive experiments across multiple datasets and architectures, revealing a clear accuracy–privacy trade-off that does not monotonically depend on the number of clients. It shows that confidence-based fusion methods that help in deep ensembles do not fully break the trade-off in FL, and that aggregation schemes favoring privacy often reduce accuracy unless data are ample. The results highlight the practical tension between maintaining strong privacy and preserving ensemble-derived accuracy in FL, guiding future research toward privacy improvements that avoid compromising performance.

Abstract

Over the last few years, federated learning (FL) has emerged as a prominent method in machine learning, emphasizing privacy preservation by allowing multiple clients to collaboratively build a model while keeping their training data private. Despite this focus on privacy, FL models are susceptible to various attacks, including membership inference attacks (MIAs), posing a serious threat to data confidentiality. In a recent study, Rezaei et al. revealed the existence of an accuracy-privacy trade-off in deep ensembles and proposed a few fusion strategies to overcome it. In this paper, we aim to explore the relationship between deep ensembles and FL. Specifically, we investigate whether confidence-based metrics derived from deep ensembles apply to FL and whether there is a trade-off between accuracy and privacy in FL with respect to MIA. Empirical investigations illustrate a lack of a non-monotonic correlation between the number of clients and the accuracy-privacy trade-off. By experimenting with different numbers of federated clients, datasets, and confidence-metric-based fusion strategies, we identify and analytically justify the clear existence of the accuracy-privacy trade-off.

Paper Structure (11 sections, 6 figures)

This paper contains 11 sections, 6 figures.

Figures (6)

  • Figure 1: Accuracy-privacy correlation in FL: Training EfficientNet on CIFAR10. Each curve illustrates the evolution of accuracy and privacy over the training period. Notably, the test accuracy consistently rises while privacy decreases, demonstrating independence from the number of FL clients.
  • Figure 2: Distinguishability between training and testing by measuring the agreement among FL clients on correct classifications: The relative agreement among the $10$ FL clients in CIFAR10 using EfficientNet demonstrates a clearly apparent distributional shift between training and testing.
  • Figure 3: Contrasting Confidence Between Correct and Incorrect Predictions: The distribution of model predictions confidence on the CIFAR100 dataset highlights that models show high confidence when predictions are correct, whereas the confidence is significantly lower for incorrect predictions.
  • Figure 4: Correlation of Accuracy and Privacy Across Datasets and Model Architecture: Variation of accuracy and privacy with respect to the number of federated clients. While accuracy and privacy are strongly correlated across datasets and model architecture, the lack of correlation with the number of federated clients remains consistent.
  • Figure 5: Regularizing effect of the number of FL clients on accuracy: with a larger number of clients, the models converge slower but tend to overfit less.
  • ...and 1 more figures