Table of Contents
Fetching ...

United We Defend: Collaborative Membership Inference Defenses in Federated Learning

Li Bai, Junxu Liu, Sen Zhang, Xinwei Zhang, Qingqing Ye, Haibo Hu

TL;DR

CoFedMID is introduced, a collaborative defense framework against MIAs in FL, which limits local model memorization of training samples and, through a defender coalition, enhances privacy protection and model utility.

Abstract

Membership inference attacks (MIAs), which determine whether a specific data point was included in the training set of a target model, have posed severe threats in federated learning (FL). Unfortunately, existing MIA defenses, typically applied independently to each client in FL, are ineffective against powerful trajectory-based MIAs that exploit temporal information throughout the training process to infer membership status. In this paper, we investigate a new FL defense scenario driven by heterogeneous privacy needs and privacy-utility trade-offs, where only a subset of clients are defended, as well as a collaborative defense mode where clients cooperate to mitigate membership privacy leakage. To this end, we introduce CoFedMID, a collaborative defense framework against MIAs in FL, which limits local model memorization of training samples and, through a defender coalition, enhances privacy protection and model utility. Specifically, CoFedMID consists of three modules: a class-guided partition module for selective local training samples, a utility-aware compensation module to recycle contributive samples and prevent their overconfidence, and an aggregation-neutral perturbation module that injects noise for cancellation at the coalition level into client updates. Extensive experiments on three datasets show that our defense framework significantly reduces the performance of seven MIAs while incurring only a small utility loss. These results are consistently verified across various defense settings.

United We Defend: Collaborative Membership Inference Defenses in Federated Learning

TL;DR

CoFedMID is introduced, a collaborative defense framework against MIAs in FL, which limits local model memorization of training samples and, through a defender coalition, enhances privacy protection and model utility.

Abstract

Membership inference attacks (MIAs), which determine whether a specific data point was included in the training set of a target model, have posed severe threats in federated learning (FL). Unfortunately, existing MIA defenses, typically applied independently to each client in FL, are ineffective against powerful trajectory-based MIAs that exploit temporal information throughout the training process to infer membership status. In this paper, we investigate a new FL defense scenario driven by heterogeneous privacy needs and privacy-utility trade-offs, where only a subset of clients are defended, as well as a collaborative defense mode where clients cooperate to mitigate membership privacy leakage. To this end, we introduce CoFedMID, a collaborative defense framework against MIAs in FL, which limits local model memorization of training samples and, through a defender coalition, enhances privacy protection and model utility. Specifically, CoFedMID consists of three modules: a class-guided partition module for selective local training samples, a utility-aware compensation module to recycle contributive samples and prevent their overconfidence, and an aggregation-neutral perturbation module that injects noise for cancellation at the coalition level into client updates. Extensive experiments on three datasets show that our defense framework significantly reduces the performance of seven MIAs while incurring only a small utility loss. These results are consistently verified across various defense settings.
Paper Structure (36 sections, 1 theorem, 21 equations, 8 figures, 23 tables, 4 algorithms)

This paper contains 36 sections, 1 theorem, 21 equations, 8 figures, 23 tables, 4 algorithms.

Key Result

Theorem 1

Given a set of $N$ classes and $K$ users (or clients), suppose each user is assigned a subset of $m$ classes. Let be the subsets assigned to the $K$ users, with $|S_i| = m$ for all $i = 1, \dots, K$. Then the maximum overlap between any pair of users satisfies the lower bound:

Figures (8)

  • Figure 1: Loss trajectories of members and non-members.
  • Figure 2: Overview of the proposed defense framework. It consists of three modules: ① class-guided partition, ② utility-aware compensation, and ③ aggregation-neutral perturbation. Both ① and ③ are performed in a collaborative mode.
  • Figure 3: Performance of various coalitions in both independent and collaborative modes on CIFAR100.
  • Figure 4: Performance of various total clients on CIFAR100.
  • Figure 5: Proportions and probabilities of sample intervals in early and late training rounds.
  • ...and 3 more figures

Theorems & Definitions (3)

  • Remark 1
  • Theorem 1
  • proof