Table of Contents
Fetching ...

SpooFL: Spoofing Federated Learning

Isaac Baglin, Xiatian Zhu, Simon Hadfield

TL;DR

This work reframes privacy defenses in Federated Learning from passive obfuscation to active deception by introducing SpooFL, a spoofing-based defense that misleads gradient-leakage attacks into reconstructing synthetic data from an external generator. A new metric, Private Leakage Confidence (PLC), quantifies the attacker’s ability to associate reconstructed samples with private labels, enabling rigorous evaluation of spoofing effectiveness. SpooFL optimizes a latent representation to distill a compact synthetic dataset whose induced training trajectory mirrors that of real private data, while ensuring no meaningful leakage from the true task. Empirical results show SpooFL achieves a favorable privacy-utility trade-off, reducing PLC and preserving accuracy with no extra runtime overhead compared to several baseline defenses.

Abstract

Traditional defenses against Deep Leakage (DL) attacks in Federated Learning (FL) primarily focus on obfuscation, introducing noise, transformations or encryption to degrade an attacker's ability to reconstruct private data. While effective to some extent, these methods often still leak high-level information such as class distributions or feature representations, and are frequently broken by increasingly powerful denoising attacks. We propose a fundamentally different perspective on FL defense: framing it as a spoofing problem.We introduce SpooFL (Figure 1), a spoofing-based defense that deceives attackers into believing they have recovered the true training data, while actually providing convincing but entirely synthetic samples from an unrelated task. Unlike prior synthetic-data defenses that share classes or distributions with the private data and thus still leak semantic information, SpooFL uses a state-of-the-art generative model trained on an external dataset with no class overlap. As a result, attackers are misled into recovering plausible yet completely irrelevant samples, preventing meaningful data leakage while preserving FL training integrity. We implement the first example of such a spoofing defense, and evaluate our method against state-of-the-art DL defenses and demonstrate that it successfully misdirects attackers without compromising model performance significantly.

SpooFL: Spoofing Federated Learning

TL;DR

This work reframes privacy defenses in Federated Learning from passive obfuscation to active deception by introducing SpooFL, a spoofing-based defense that misleads gradient-leakage attacks into reconstructing synthetic data from an external generator. A new metric, Private Leakage Confidence (PLC), quantifies the attacker’s ability to associate reconstructed samples with private labels, enabling rigorous evaluation of spoofing effectiveness. SpooFL optimizes a latent representation to distill a compact synthetic dataset whose induced training trajectory mirrors that of real private data, while ensuring no meaningful leakage from the true task. Empirical results show SpooFL achieves a favorable privacy-utility trade-off, reducing PLC and preserving accuracy with no extra runtime overhead compared to several baseline defenses.

Abstract

Traditional defenses against Deep Leakage (DL) attacks in Federated Learning (FL) primarily focus on obfuscation, introducing noise, transformations or encryption to degrade an attacker's ability to reconstruct private data. While effective to some extent, these methods often still leak high-level information such as class distributions or feature representations, and are frequently broken by increasingly powerful denoising attacks. We propose a fundamentally different perspective on FL defense: framing it as a spoofing problem.We introduce SpooFL (Figure 1), a spoofing-based defense that deceives attackers into believing they have recovered the true training data, while actually providing convincing but entirely synthetic samples from an unrelated task. Unlike prior synthetic-data defenses that share classes or distributions with the private data and thus still leak semantic information, SpooFL uses a state-of-the-art generative model trained on an external dataset with no class overlap. As a result, attackers are misled into recovering plausible yet completely irrelevant samples, preventing meaningful data leakage while preserving FL training integrity. We implement the first example of such a spoofing defense, and evaluate our method against state-of-the-art DL defenses and demonstrate that it successfully misdirects attackers without compromising model performance significantly.
Paper Structure (9 sections, 6 equations, 5 figures, 4 tables)

This paper contains 9 sections, 6 equations, 5 figures, 4 tables.

Figures (5)

  • Figure 1: Gradient leakage under different defenses: a) No Defense yields near-exact reconstructions, b) Traditional Defenses obscure but retain features, c) SpooFL produces unrelated images, preserving privacy.
  • Figure 2: Overview of SpooFL. We optimize the latent input of an R3GAN using a model trajectory loss to distill a synthetic dataset. The resulting SpooFL dataset preserves task performance while effectively preventing deep leakage attacks by obfuscating private data.
  • Figure 3: Dataset size versus ResNet-18 model accuracy on CIFAR-10 and SpooFL. SpooFL achieves competitive accuracy with significantly fewer training samples, highlighting its efficiency in reducing communication and computation overhead.
  • Figure 4: Visualization of the SpooFL distillation process. Synthetic images are iteratively optimized to match the model trajectory of the private dataset. The final distilled images converge to representations that follow the same training dynamics as the original private data, without revealing sensitive information. More examples given in the supplementary material.
  • Figure 5: SSIM evolution over training epochs under different defense methods. SpooFL consistently maintains low SSIM values, indicating strong resistance to reconstruction throughout training.