UTrace: Poisoning Forensics for Private Collaborative Learning

Evan Rose, Hidde Lycklama, Harsh Chaudhari, Niklas Britz, Anwar Hithnawi, Alina Oprea

TL;DR

PPML enables privacy-preserving collaborative learning but introduces poisoning risks from malicious data owners. The authors propose UTrace, a framework that performs user-level poisoning traceback by combining gradient similarity and approximate unlearning within an MPC auditing pipeline. They extend Arc with sample-independent preprocessing to enable offline auditing and implement optimizations like gradient sketches and top-$k$ selection to reduce overhead. Across vision, text, and malware datasets with ten canonical attacks, UTrace achieves high attribution accuracy and low false positives, advancing practical accountability for PPML.

Abstract

Privacy-preserving machine learning (PPML) systems enable multiple data owners to collaboratively train models without revealing their raw, sensitive data by leveraging cryptographic protocols such as secure multi-party computation (MPC). While PPML offers strong privacy guarantees, it also introduces new attack surfaces: malicious data owners can inject poisoned data into the training process without being detected, thus undermining the integrity of the learned model. Although recent defenses, such as private input validation within MPC, can mitigate some specific poisoning strategies, they remain insufficient, particularly in preventing stealthy or distributed attacks. As the robustness of PPML remains an open challenge, strengthening trust in these systems increasingly necessitates post-hoc auditing mechanisms that instill accountability. In this paper we present UTrace, a framework for user-level traceback in PPML that attributes integrity failures to responsible data owners without compromising the privacy guarantees of MPC. UTrace encapsulates two mechanisms: a gradient similarity method that identifies suspicious update patterns linked to poisoning, and a user-level unlearning technique that quantifies each user's marginal influence on model behavior. Together, these methods allow UTrace to attribute model misbehavior to specific users with high precision. We implement UTrace within an MPC-compatible training and auditing pipeline and evaluate its effectiveness on four datasets spanning vision, text, and malware. Across ten canonical poisoning attacks, UTrace consistently achieves high detection accuracy with low false positive rates.

Paper Structure (41 sections, 6 theorems, 31 equations, 10 figures, 9 tables, 8 algorithms)

Key Result

Theorem C.2

Given a set of $m$ parties and an adversary $\mathcal{A}$ who controls a set $M_\texttt{P}$ of at most $m - 1$ corrupted parties, there exists a PPT simulator $\mathcal{S}$ in the $\mathcal{F}_\mathsf{gradient}$-hybrid model such that the distribut

Figures (10)

  • Figure 1: The PPML scenario we consider includes data owners contributing their private datasets to train an ML model $f_{\theta}$ distributively in MPC. MPC servers are ephemeral and do not store long-term state. Model owners store the model $f_\theta$ and training records $R$ that are used for private inference. A traceback service monitors suspicious activity during model deployment and launches a procedure to identify malicious data owners $\mathcal{U}$ given a suspicious input $z_{\mathrm{atk}} = (\tilde{x},\tilde{y})$.
  • Figure 2: Malicious user identification ROC curves for dirty-label attacks against CIFAR-10 on ResNet18.
  • Figure 3: Overhead of our user-level auditing functions $F_\text{Grad}$ and $F_\text{Unl}$. kNN refers to the kNN baseline, Cos to the unoptimized GAS score. Further, Grad(o) refers to the version of $F_\text{Grad}$ with the reciprocal square root optimization, and Grad(h) refers to $F_\text{Grad}$ with the heuristic sample selection. Finally, Unl represents the results of $F_\text{Unl}$.
  • Figure 4: Malicious user identification ROC curves for standard attacks against Fashion / ConvNet.
  • Figure 5: Malicious user identification ROC curves for attacks against Ember / EmberNN.
  • ...and 5 more figures

Theorems & Definitions (12)

  • Definition C.1: Secret-Sharing Scheme
  • Theorem C.2: Security of $\Pi_\mathsf{Grad-Pre}$
  • proof
  • Theorem C.3: Security of $\Pi_\mathsf{Grad-Online}$
  • proof
  • Theorem C.4: Security of $\Pi_\mathsf{Unl-Pre}$
  • proof
  • Theorem C.5: Security of $\Pi_\mathsf{Unl-Online}$
  • proof
  • Lemma D.1
  • ...and 2 more