Metric Privacy in Federated Learning for Medical Imaging: Improving Convergence and Preventing Client Inference Attacks

Judith Sáinz-Pardo Díaz, Andreas Athanasiou, Kangsoo Jung, Catuscia Palamidessi, Álvaro López García

TL;DR

This paper addresses privacy-utility trade-offs in federated learning for medical imaging by introducing metric-privacy, a server-side relaxation of differential privacy that calibrates noise using a distance between client models. The distance $d^{(n)}$ is computed from local model updates and used to scale Gaussian noise so that privacy protection adapts to round-specific client differences, potentially improving convergence relative to standard global-DP. The authors compare metric-privacy to global-DP and vanilla FL across six aggregation functions (FedAvg, FedAvgM, FedMedian, FedProx, FedOpt, FedYogi) using an Alzheimer’s disease MRI dataset under homogeneous and non-iid client distributions, and they also define and evaluate a Client Inference Attack (CIA) to assess privacy risk. Results show that metric-privacy generally yields higher accuracy and smoother convergence than global-DP while providing comparable or better protection against CIA, demonstrating a practical, distance-aware privacy mechanism for FL in medical imaging. The work advances privacy-preserving FL by coupling convergence-aware noise calibration with a novel CIA evaluation, with implications for deployable, privacy-conscious medical imaging analyses.

Abstract

Federated learning is a distributed learning technique that allows training a global model with the participation of different data owners without the need to share raw data. This architecture is orchestrated by a central server that aggregates the local models from the clients. This server may be trusted, but not all nodes in the network may be. In that case, differential privacy (DP) can be used to privatize the global model by adding noise. However, this may affect convergence across the rounds of the federated architecture, depending also on the aggregation strategy employed. In this work, we aim to introduce the notion of metric-privacy to mitigate the impact of classical server-side global-DP on the convergence of the aggregated model. Metric-privacy is a relaxation of DP, suitable for domains provided with a notion of distance. We apply it from the server side by computing a distance for the difference between the local models. We compare our approach with standard DP by analyzing the impact on six classical aggregation strategies. The proposed methodology is applied to an example of medical imaging, and different scenarios are simulated across homogeneous and non-i.i.d. clients. Finally, we introduce a novel client inference attack, where a semi-honest client tries to find whether another client participated in the training, and study how it can be mitigated using DP and metric-privacy. Our evaluation shows that metric-privacy can increase the performance of the model compared to standard DP, while offering similar protection against client inference attacks.

Paper Structure

This paper contains 28 sections, 11 equations, 5 figures, 16 tables.

Figures (5)

  • Figure 1: Example of the original images from the train set by classes.
  • Figure B.2: Evolution of the aggregated accuracy in each round of the FL architecture. Homogeneous clients.
  • Figure B.3: Evolution of the aggregated accuracy in each round of the FL architecture. Non-i.i.d clients.
  • Figure C.4: ROC curves and AUC obtained in the client test set with each strategy and DP approach. Homogeneous clients.
  • Figure C.5: ROC curves and AUC obtained in the client test set with each strategy and DP approach. Non-i.i.d clients.

Theorems & Definitions (8)

  • Definition 1
  • Definition 2
  • Definition 3
  • Definition 4
  • Definition 5
  • Definition 6
  • Definition 7
  • Definition 8: Client Inference Attack