Scrutinizing the Vulnerability of Decentralized Learning to Membership Inference Attacks

Ousmane Touat, Jezekael Brunon, Yacine Belal, Julien Nicolas, Mohamed Maouche, César Sabater, Sonia Ben Mokhtar
2024-12-17
Abstract: The primary promise of decentralized learning is to allow users to engage in the training of machine learning models in a collaborative manner while keeping their data on their premises and without relying on any central entity. However, this paradigm necessitates the exchange of model parameters or gradients between peers. Such exchanges can be exploited to infer sensitive information about training data, which is achieved through privacy attacks (e.g., Membership Inference Attacks -- MIA). In order to devise effective defense mechanisms, it is important to understand the factors that increase/reduce the vulnerability of a given decentralized learning architecture to MIA. In this study, we extensively explore the vulnerability to MIA of various decentralized learning architectures by varying the graph structure (e.g., number of neighbors), the graph dynamics, and the aggregation strategy, across diverse datasets and data distributions. Our key finding, which to the best of our knowledge we are the first to report, is that the vulnerability to MIA is heavily correlated to (i) the local model mixing strategy performed by each node upon reception of models from neighboring nodes and (ii) the global mixing properties of the communication graph. We illustrate these results experimentally using four datasets and by theoretically analyzing the mixing properties of various decentralized architectures. Our paper draws a set of lessons learned for devising decentralized learning systems that reduce by design the vulnerability to MIA.
Machine Learning; Distributed, Parallel, and Cluster Computing
What problem does this paper attempt to address?
The problem that this paper attempts to solve is **the vulnerability of Decentralized Learning to Membership Inference Attacks (MIA)**. Specifically, the research aims to explore and analyze the vulnerability of different decentralized learning architectures to MIA and identify the key factors that influence this vulnerability.

### Detailed Explanation

1. **Background and Motivation**
   - Decentralized learning allows multiple nodes to collaboratively train machine-learning models without relying on a central server while keeping data stored locally.
   - Although this paradigm has the advantage of privacy protection, the exchange of model parameters or gradients between nodes can be exploited for privacy attacks, such as MIA, thus leaking sensitive information.
2. **Research Objectives**
   - Understand which factors can increase or decrease the vulnerability of a specific decentralized learning architecture to MIA.
   - By changing the graph structure (e.g., the number of neighbors), graph dynamic characteristics, and aggregation strategies, evaluate the MIA vulnerability of different decentralized learning architectures under multiple datasets and data distributions.
3. **Key Findings**
   - Vulnerability to MIA is closely related to two main factors:
     1. **Local Model Mixing and Propagation Strategies**: How each node integrates the models received from its neighbors and how it propagates the updated model.
     2. **Global Mixing Characteristics of the Communication Graph**: For example, a static highly-connected graph and a dynamic graph of the same size have similar vulnerabilities; in a weakly-connected graph, the graph dynamic characteristics brought by the Random Peer Sampling (RPS) protocol can significantly reduce vulnerability to MIA.
4. **Contributions**
   - Provide a comprehensive study of the MIA vulnerability in decentralized learning, especially the influence of graph connectivity, graph dynamic characteristics, model mixing, and data distribution.
   - Reveal the crucial role of local and global model-mixing characteristics in the MIA vulnerability and show how dynamic graph settings and enhanced view sizes can improve model mixing and mitigate privacy risks.
   - Propose design recommendations to balance the utility of decentralized learning systems and MIA vulnerability, emphasizing the importance of dynamism and robust mixing protocols.

### Conclusion

Through this research, the authors hope to provide a theoretical basis and practical guidance for designing more secure and efficient decentralized learning systems, especially in dealing with membership inference attacks.
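
The global mixing property named in the key findings can be made concrete with a small gossip-averaging simulation that compares a static weakly-connected graph with one whose neighbors are redrawn every round. This is an added example, not code from the paper: the ring topology, uniform averaging, the per-round shuffle standing in for Random Peer Sampling, and all function names are assumptions, and it measures mixing only, not MIA success.

```python
import random

def ring_neighbors(order, k):
    """Place nodes on a ring in the given order; link each to its k nearest on each side."""
    n = len(order)
    nbrs = {v: [] for v in order}
    for pos, v in enumerate(order):
        for d in range(1, k + 1):
            nbrs[v] += [order[(pos + d) % n], order[(pos - d) % n]]
    return nbrs

def gossip_round(W, nbrs):
    """Each node replaces its model by the uniform average of itself and its neighbors.
    Row i of W holds the weight of every node's initial model inside node i's model."""
    n = len(W)
    new = []
    for i in range(n):
        group = [i] + nbrs[i]
        new.append([sum(W[g][j] for g in group) / len(group) for j in range(n)])
    return new

def mixing_error(W):
    """Worst-case total-variation distance between a node's row and perfect mixing (1/n each)."""
    n = len(W)
    return max(sum(abs(w - 1.0 / n) for w in row) / 2 for row in W)

def simulate(n, k, rounds, dynamic, seed=0):
    """Run gossip averaging; dynamic=True redraws the ring each round.
    The shuffle is a simplified stand-in for peer sampling (assumption)."""
    rng = random.Random(seed)
    order = list(range(n))
    W = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for _ in range(rounds):
        if dynamic:
            rng.shuffle(order)
        W = gossip_round(W, ring_neighbors(order, k))
    return W

if __name__ == "__main__":
    # Constructed setting: 64 nodes, 2 neighbors each, 10 rounds.
    for name, dyn in (("static", False), ("dynamic", True)):
        print(name, round(mixing_error(simulate(64, 1, 10, dyn)), 3))
```

A row far from uniform means a node's model is still dominated by a few nearby contributors; on the static ring no contribution can travel more than ten hops in ten rounds, while redrawing neighbors spreads every contribution across the whole network.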