Model Inversion Attack against Federated Unlearning

Lei Zhou, Youwen Zhu

TL;DR

This work analyzes privacy risks in federated unlearning (FU) by introducing Federated Unlearning Inversion Attack (FUIA), an attacker that leverages model-difference information across unlearning to reconstruct forgotten data in sample, client, and class unlearning. FUIA extends gradient inversion concepts to FU, detailing gradient separation, target gradient acquisition, and gradient inversion steps, and demonstrates strong data leakage over CIFAR-10/100 with ResNet backbones. To mitigate risk, the paper proposes gradient pruning and gradient perturbation defenses, acknowledging trade-offs with unlearning effectiveness and model utility. The results highlight substantial privacy leakage in current FU approaches and call for robust FU designs that can preserve utility while safeguarding forgotten data.

Abstract

With the introduction of regulations related to the "right to be forgotten", federated learning (FL) is facing new privacy compliance challenges. To address these challenges, researchers have proposed federated unlearning (FU). However, existing FU research has primarily focused on improving the efficiency of unlearning, with less attention paid to the potential privacy vulnerabilities inherent in these methods. To address this gap, we draw inspiration from gradient inversion attacks in FL and propose the federated unlearning inversion attack (FUIA). The FUIA is specifically designed for the three types of FU (sample unlearning, client unlearning, and class unlearning), aiming to provide a comprehensive analysis of the privacy leakage risks associated with FU. In FUIA, the server acts as an honest-but-curious attacker, recording and exploiting the model differences before and after unlearning to expose the features and labels of forgotten data. FUIA significantly leaks the privacy of forgotten data and can target all types of FU. This attack contradicts the goal of FU to eliminate specific data influence, instead exploiting its vulnerabilities to recover forgotten data and expose its privacy flaws. Extensive experimental results show that FUIA can effectively reveal the private information of forgotten data. To mitigate this privacy leakage, we also explore two potential defense methods, although these come at the cost of reduced unlearning effectiveness and the usability of the unlearned model.
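The two defenses named in the TL;DR, gradient pruning and gradient perturbation, can be sketched on the client side as follows. This is an added example, not the paper's code: magnitude-based pruning, Gaussian noise, the function names, the constructed sample update, and the cosine-similarity proxy for "how much of the true update the server still sees" are all assumptions made for illustration.

```python
import math
import random

def prune_update(update, prune_ratio):
    """Zero the prune_ratio fraction of entries with the smallest magnitude."""
    if not 0.0 <= prune_ratio <= 1.0:
        raise ValueError("prune_ratio must be in [0, 1]")
    k = int(len(update) * prune_ratio)  # number of entries withheld from the server
    drop = set(sorted(range(len(update)), key=lambda i: abs(update[i]))[:k])
    return [0.0 if i in drop else v for i, v in enumerate(update)]

def perturb_update(update, sigma, rng):
    """Add zero-mean Gaussian noise with standard deviation sigma to every entry."""
    if sigma < 0:
        raise ValueError("sigma must be non-negative")
    return [v + rng.gauss(0.0, sigma) for v in update]

def cosine(a, b):
    """Cosine similarity between the true update and what the server receives."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return 0.0 if na == 0 or nb == 0 else dot / (na * nb)

def tradeoff_report(update, prune_ratios, sigmas, seed=0):
    """Rows of (defense, setting, similarity). Lower similarity means less of the
    true update is exposed, and also less of it is left for aggregation."""
    rng = random.Random(seed)
    rows = [("prune", r, cosine(update, prune_update(update, r))) for r in prune_ratios]
    rows += [("perturb", s, cosine(update, perturb_update(update, s, rng))) for s in sigmas]
    return rows

# Constructed sample: a 1000-parameter model difference (not data from the paper).
_rng = random.Random(1)
SAMPLE_UPDATE = [_rng.gauss(0.0, 0.05) for _ in range(1000)]

if __name__ == "__main__":
    report = tradeoff_report(SAMPLE_UPDATE, [0.0, 0.5, 0.9, 0.99], [0.0, 0.01, 0.05, 0.2])
    for defense, setting, sim in report:
        print(f"{defense:8s} setting={setting:<5} similarity={sim:.3f}")
```

The same number that falls as the defense gets stronger is the one aggregation depends on, which is the trade-off with unlearning effectiveness and model utility that the abstract acknowledges.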

Paper Structure

This paper contains 44 sections, 22 equations, 15 figures, 2 tables, 3 algorithms.

Figures (15)

  • Figure 1: Overview of FUIA. The server (attacker) performs the inversion by comparing the model parameters it stored during the unlearning process, recovering private information about the forgotten data.
  • Figure 2: Overview of FUIA against sample unlearning.
  • Figure 3: Overview of FUIA against client unlearning.
  • Figure 4: Overview of FUIA against class unlearning.
  • Figure 5: Effectiveness of FUIA against sample unlearning.
  • ...and 10 more figures