Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Hidden Data Privacy Breaches in Federated Learning

Xueluan Gong, Yuji Wang, Shuaike Li, Mengyuan Sun, Songze Li, Qian Wang, Kwok-Yan Lam, Chen Chen

TL;DR

This paper proposes a novel data-reconstruction attack leveraging malicious code injection, supported by two key techniques, i.e., distinctive and sparse encoding design and block partitioning, which can handle large-scale and high-resolution data without being detected or mitigated by state-of-the-art data reconstruction defense methods.

Abstract

Federated Learning (FL) emerged as a paradigm for conducting machine learning across broad and decentralized datasets, promising enhanced privacy by obviating the need for direct data sharing. However, recent studies show that attackers can steal private data through model manipulation or gradient analysis. Existing attacks are constrained by low theft quantity or low-resolution data, and they are often detected through anomaly monitoring in gradients or weights. In this paper, we propose a novel data-reconstruction attack leveraging malicious code injection, supported by two key techniques, i.e., distinctive and sparse encoding design and block partitioning. Unlike conventional methods that require detectable changes to the model, our method stealthily embeds a hidden model using parameter sharing to systematically extract sensitive data. The Fibonacci-based index design ensures efficient, structured retrieval of memorized data, while the block partitioning method enhances our method's capability to handle high-resolution images by dividing them into smaller, manageable units. Extensive experiments on 4 datasets confirmed that our method is superior to the five state-of-the-art data-reconstruction attacks under the five respective detection methods. Our method can handle large-scale and high-resolution data without being detected or mitigated by state-of-the-art data reconstruction defense methods. In contrast to baselines, our method can be directly applied to both FedAVG and FedSGD scenarios, underscoring the need for developers to devise new defenses against such vulnerabilities. We will open-source our code upon acceptance.

Hidden Data Privacy Breaches in Federated Learning

TL;DR

This paper proposes a novel data-reconstruction attack leveraging malicious code injection, supported by two key techniques, i.e., distinctive and sparse encoding design and block partitioning, which can handle large-scale and high-resolution data without being detected or mitigated by state-of-the-art data reconstruction defense methods.

Abstract

Federated Learning (FL) emerged as a paradigm for conducting machine learning across broad and decentralized datasets, promising enhanced privacy by obviating the need for direct data sharing. However, recent studies show that attackers can steal private data through model manipulation or gradient analysis. Existing attacks are constrained by low theft quantity or low-resolution data, and they are often detected through anomaly monitoring in gradients or weights. In this paper, we propose a novel data-reconstruction attack leveraging malicious code injection, supported by two key techniques, i.e., distinctive and sparse encoding design and block partitioning. Unlike conventional methods that require detectable changes to the model, our method stealthily embeds a hidden model using parameter sharing to systematically extract sensitive data. The Fibonacci-based index design ensures efficient, structured retrieval of memorized data, while the block partitioning method enhances our method's capability to handle high-resolution images by dividing them into smaller, manageable units. Extensive experiments on 4 datasets confirmed that our method is superior to the five state-of-the-art data-reconstruction attacks under the five respective detection methods. Our method can handle large-scale and high-resolution data without being detected or mitigated by state-of-the-art data reconstruction defense methods. In contrast to baselines, our method can be directly applied to both FedAVG and FedSGD scenarios, underscoring the need for developers to devise new defenses against such vulnerabilities. We will open-source our code upon acceptance.

Paper Structure

This paper contains 27 sections, 18 equations, 4 figures, 11 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Malicious Code Poisoning
  4. Data Reconstruction Attacks against FL
  5. Data Reconstruction Defenses against FL
  6. Detailed Construction
  7. Threat Model
  8. Overview of our method
  9. Secret Model Training
  10. Distinctive and Sparse Encoding Design
  11. Block Partitioning
  12. Experiment
  13. Experiment Setup
  14. Comparison with Baselines
  15. Ablation Study
  16. ...and 12 more sections

Figures (4)

  • Figure 1: Examples of injected malicious code in our method. The green boxes highlight the sections where the malicious code needs to be injected.
  • Figure 2: Overview of our method. our method features an active server attack designed to extract the training samples of victim clients. It is composed of three key modules: secret model training, distinctive and sparse encoding design, and block partitioning. Note that $b_i$ represents the Fibonacci coding bits of $n$.
  • Figure 3: Comparison of our method with baselines in terms of the reconstruction sample quality.
  • Figure 4: Impact of the loss change.