Membership Inference Attacks and Defenses in Federated Learning: A Survey

Li Bai, Haibo Hu, Qingqing Ye, Haoyang Li, Leixia Wang, Jianliang Xu

TL;DR

This survey presents a structured, up-to-date overview of membership inference attacks (MIAs) and defenses in federated learning (FL). It introduces a two-pronged attack taxonomy—update-based and trend-based MIAs—and details a diverse set of defenses, including partial sharing, secure aggregation, noise perturbation, and anomaly detection, highlighting their advantages and limitations. The paper contrasts FL MIAs with centralized-learning MIAs to illuminate unique insider threats and attack surfaces in FL, and it outlines key future directions, such as unified evaluation benchmarks and robust, low-utility-loss defenses. By mapping attack strategies to defense mechanisms across the FL training lifecycle, the work provides a practical reference for researchers and practitioners aiming to safeguard membership privacy in collaborative, decentralized AI systems.

Abstract

Federated learning is a decentralized machine learning approach where clients train models locally and share model updates to develop a global model. This enables low-resource devices to collaboratively build a high-quality model without requiring direct access to the raw training data. However, despite only sharing model updates, federated learning still faces several privacy vulnerabilities. One of the key threats is membership inference attacks, which target clients' privacy by determining whether a specific example is part of the training set. These attacks can compromise sensitive information in real-world applications, such as medical diagnoses within a healthcare system. Although there has been extensive research on membership inference attacks, a comprehensive and up-to-date survey specifically focused on it within federated learning is still absent. To fill this gap, we categorize and summarize membership inference attacks and their corresponding defense strategies based on their characteristics in this setting. We introduce a unique taxonomy of existing attack research and provide a systematic overview of various countermeasures. For these studies, we thoroughly analyze the strengths and weaknesses of different approaches. Finally, we identify and discuss key future research directions for readers interested in advancing the field.

Paper Structure

This paper contains 38 sections, 9 equations, 7 figures, 9 tables.

Figures (7)

  • Figure 1: Membership inference attacks and defenses in federated learning.
  • Figure 2: Three categories of federated learning.
  • Figure 3: Overview of the shadow training scheme in CL.
  • Figure 4: Categorization of threat models.
  • Figure 5: Overview of update-based MIAs by using original gradients and other intermediate features.
  • ...and 2 more figures