Gongxi Zhu,Donghao Li,Hanlin Gu,Yuan Yao,Lixin Fan,Yuxing Han

2025-01-03

Abstract:Federated Learning (FL) is a promising approach for training machine learning models on decentralized data while preserving privacy. However, privacy risks, particularly Membership Inference Attacks (MIAs), which aim to determine whether a specific data point belongs to a target client's training set, remain a significant concern. Existing methods for implementing MIAs in FL primarily analyze updates from the target client, focusing on metrics such as loss, gradient norm, and gradient difference. However, these methods fail to leverage updates from non-target clients, potentially underutilizing available information. In this paper, we first formulate a one-tailed likelihood-ratio hypothesis test based on the likelihood of updates from non-target clients. Building upon this formulation, we introduce a three-step Membership Inference Attack (MIA) method, called FedMIA, which follows the "all for one"--leveraging updates from all clients across multiple communication rounds to enhance MIA effectiveness. Both theoretical analysis and extensive experimental results demonstrate that FedMIA outperforms existing MIAs in both classification and generative tasks. Additionally, it can be integrated as an extension to existing methods and is robust against various defense strategies, Non-IID data, and different federated structures. Our code is available in <a class="link-external link-https" href="https://github.com/Liar-Mask/FedMIA" rel="external noopener nofollow">this https URL</a>.

Machine Learning,Cryptography and Security

Soumya Banerjee,Sandip Roy,Sayyed Farid Ahamed,Devin Quinn,Marc Vucovich,Dhruv Nandakumar,Kevin Choi,Abdul Rahman,Edward Bowen,Sachin Shetty

2023-11-28

Abstract:The membership inference attack (MIA) is a popular paradigm for compromising the privacy of a machine learning (ML) model. MIA exploits the natural inclination of ML models to overfit upon the training data. MIAs are trained to distinguish between training and testing prediction confidence to infer membership information. Federated Learning (FL) is a privacy-preserving ML paradigm that enables multiple clients to train a unified model without disclosing their private data. In this paper, we propose an enhanced Membership Inference Attack with the Batch-wise generated Attack Dataset (MIA-BAD), a modification to the MIA approach. We investigate that the MIA is more accurate when the attack dataset is generated batch-wise. This quantitatively decreases the attack dataset while qualitatively improving it. We show how training an ML model through FL, has some distinct advantages and investigate how the threat introduced with the proposed MIA-BAD approach can be mitigated with FL approaches. Finally, we demonstrate the qualitative effects of the proposed MIA-BAD methodology by conducting extensive experiments with various target datasets, variable numbers of federated clients, and training batch sizes.

Cryptography and Security,Artificial Intelligence,Machine Learning

Chengcheng Zhu,Jiale Zhang,Xiang Cheng,Weitong Chen,Xiaobing Sun

DOI: https://doi.org/10.1007/978-3-031-31420-9_9

2023-01-01

Abstract:Federated learning has achieved significant success in both academia and industry scenarios since it can train a joint model among unbalanced datasets while protecting the training data privacy. Recent research has shown that, by inferring whether a given data record belongs to the model’s training dataset, the membership information could be leaked by malicious participants. However, when deploying member inference attacks in federated learning, the core problem is how to obtain the membership inference attack data with the same distribution as the training data. In this paper, to tackle this problem, we mainly focus on exploring membership inference attacks in federated learning based on the data augmentation method. Specifically, we present two types of membership inference attacks based on the generative adversarial nets, in which a class-level attack aims to infer the global model and a user-level attack tries to focus on a specific victim. We conduct extensive experiments to evaluate the effectiveness of our proposed two types of membership inference attacks on two benchmark datasets. The experimental results have shown that both class-level and user-level attacks can achieve extraordinary attack accuracy on federated learning.

Zhenpeng Liu,Ruilin Li,Dewei Miao,Lele Ren,Yonggang Zhao

DOI: https://doi.org/10.1155/2022/1615476

IF: 1.968

2022-07-16

Security and Communication Networks

Abstract:Distributed federated learning models are vulnerable to membership inference attacks (MIA) because they remember information about their training data. Through a comprehensive privacy analysis of distributed federated learning models, we design an attack model based on generative adversarial networks (GAN) and member inference attacks (MIA). Malicious participants (attackers) utilize the attack model to successfully reconstruct training sets of other regular participants without any negative impact on the global model. To solve this problem, we apply the differential privacy method to the training process of the model, which effectively reduces the accuracy of member inference attacks by clipping the gradient and adding noise to it. In addition, we manage the participants hierarchically through the method of trust domain division to alleviate the performance degradation of the model caused by differential privacy processing. Experimental results show that in distributed federated learning, our designed scheme can effectively defend against member inference attacks in white-box scenarios and maintain the usability of the global model, realizing an effective trade-off between privacy and usability.

computer science, information systems,telecommunications

Xicong Shen,Ying Liu,Fu Li,Chunguang Li

DOI: https://doi.org/10.1109/jiot.2023.3288886

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Federated learning (FL) has attracted widespread attention in the Internet of Things domain recently. With FL, multiple distributed devices can cooperatively train a global model by transmitting model updates without disclosing the original data. However, the distributed nature of FL makes it vulnerable to data poisoning attacks. In practice, malicious clients can launch the label-flipping attack (LFA) by simply tampering with the labels of local data, thus causing the global model to misclassify the samples of a selected class as the target class. Although some defense mechanisms have been proposed, they rely on specific assumptions about data distribution, and their performance degrades significantly when the data on clients are non-IID. Besides, most existing methods require clients to upload model updates in plaintext so that the server can identify and remove the malicious updates. But, direct transmission of model updates may still reveal private information. Considering these issues, we develop a label-flipping-robust and privacy-preserving FL (LFR-PPFL) algorithm, which is applicable to both independent and identically distributed (IID) and non-IID data. We first propose a detection method based on temporal analysis on cosine similarity to distinguish malicious clients from benign clients. Then, we propose a privacy-preserving computation protocol based on homomorphic encryption to implement this detection method and perform federated aggregation while protecting the privacy of clients. Besides, a detailed theoretical analysis is given to demonstrate the privacy guarantee of the proposed protocol. Experimental results on real-world data sets show that the proposed algorithm can effectively defend against LFAs under various data distributions.

Yanchao Zhao,Jiale Chen,Jiale Zhang,Zilu Yang,Huawei Tu,Hao Han,Kun Zhu,Bing Chen

DOI: https://doi.org/10.1155/2021/5534270

2021-10-19

Wireless Communications and Mobile Computing

Abstract:With the rise of privacy concerns in traditional centralized machine learning services, federated learning, which incorporates multiple participants to train a global model across their localized training data, has lately received significant attention in both industry and academia. Bringing federated learning into a wireless network scenario is a great move. The combination of them inspires tremendous power and spawns a number of promising applications. Recent researches reveal the inherent vulnerabilities of the various learning modes for the membership inference attacks that the adversary could infer whether a given data record belongs to the model’s training set. Although the state-of-the-art techniques could successfully deduce the membership information from the centralized machine learning models, it is still challenging to infer the member data at a more confined level, the user level. It is exciting that the common wireless monitor technique in the wireless network environment just provides a good ground for fine-grained membership inference. In this paper, we novelly propose and define a concept of user-level inference attack in federated learning. Specifically, we first give a comprehensive analysis of active and targeted membership inference attacks in the context of federated learning. Then, by considering a more complicated scenario that the adversary can only passively observe the updating models from different iterations, we incorporate the generative adversarial networks into our method, which can enrich the training set for the final membership inference model. In the end, we comprehensively research and implement inferences launched by adversaries of different roles, which makes the attack scenario complete and realistic. The extensive experimental results demonstrate the effectiveness of our proposed attacking approach in the case of single label and multilabel.

computer science, information systems,telecommunications,engineering, electrical & electronic

Hanxiao Chen,Hongwei Li,Guishan Dong,Meng Hao,Guowen Xu,Xiaoming Huang,Zhe Liu

DOI: https://doi.org/10.1109/tii.2020.3046648

IF: 12.3

2022-01-01

IEEE Transactions on Industrial Informatics

Abstract:The effectiveness of state-of-the-art deep learning (DL) models has empowered the development of industrial Internet of things (IIoT). Recently, considering resource-constrained and privacy-required IIoT devices, collaborative inference has been proposed, which splits DL models and deploys them in IIoT devices and an edge server separately. However, in this article, we argue that there are still severe privacy vulnerabilities in collaborative inference systems. And we devise the first membership inference attack (MIA) against collaborative inference, to infer whether a particular data sample is used for training the model of IIoT systems. Existing MIAs either assume full access to the systems' APIs or availability of the target model's parameters, which is not applicable in realistic IIoT environments. In contrast to prior works, we propose transfer-inherit shadow learning and thus relax these key assumptions. We evaluate our attack on different datasets and various settings, and the results show it has high effectiveness.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Li Bai,Haibo Hu,Qingqing Ye,Haoyang Li,Leixia Wang,Jianliang Xu

2024-12-09

Abstract:Federated learning is a decentralized machine learning approach where clients train models locally and share model updates to develop a global model. This enables low-resource devices to collaboratively build a high-quality model without requiring direct access to the raw training data. However, despite only sharing model updates, federated learning still faces several privacy vulnerabilities. One of the key threats is membership inference attacks, which target clients' privacy by determining whether a specific example is part of the training set. These attacks can compromise sensitive information in real-world applications, such as medical diagnoses within a healthcare system. Although there has been extensive research on membership inference attacks, a comprehensive and up-to-date survey specifically focused on it within federated learning is still absent. To fill this gap, we categorize and summarize membership inference attacks and their corresponding defense strategies based on their characteristics in this setting. We introduce a unique taxonomy of existing attack research and provide a systematic overview of various countermeasures. For these studies, we thoroughly analyze the strengths and weaknesses of different approaches. Finally, we identify and discuss key future research directions for readers interested in advancing the field.

Cryptography and Security

Tianqi Su,Meiqi Wang,Zhongfeng Wang

DOI: https://doi.org/10.1109/AICAS51828.2021.9458510

2021-01-01

Abstract:Distributed machine learning (ML) and other related techniques such as federated learning are facing a high risk of information leakage. Differential privacy (DP) is commonly used to protect privacy. However, it suffers from low accuracy due to the unbalanced data distribution in federated learning and additional noise brought by DP itself. In this paper, we propose a novel federated learning model that can protect data privacy from the gradient leakage attack and black-box membership inference attack (MIA). The proposed protection scheme makes the data hard to be reproduced and be distinguished from predictions. A small simulated attacker network is embedded as a regularization punishment to defend the malicious attacks. We further introduce a gradient modification method to secure the weight information and remedy the additional accuracy loss. The proposed privacy protection scheme is evaluated on MNIST and CIFAR-10, and compared with state-of-the-art DP-based federated learning models. Experimental results demonstrate that our model can successfully defend diverse external attacks to user-level privacy with negligible accuracy loss.

Yuhao Gu,Yuebin Bai

DOI: https://doi.org/10.1016/j.jisa.2023.103475

2023-01-01

Abstract:With the popularity of IoT (Internet of Things) applications, edge computing has received lots of attention. To meet data privacy protection requirements of edge nodes and cope with their unbalanced data distribution, federated learning (FL), a distributed learning framework, is widely used in intelligent edge computing applications. However, recent studies have shown that FL still suffers from privacy leakage problems, including membership inference, data reconstruction, etc. However, these studies mainly focus on the feature information of private data. In this paper, we concern the user-level label privacy in FL. We propose LDIA, a label distribution inference attack against FL in edge computing, exploring the possibility that an honest but curious cloud server can infer the proportions of samples per label in the edge user's private data. LDIA is inspired by the observation that parameter changes in the output layer of a model can reflect the label distribution of training data. We use a neural network to learn individual features of the output layer updates over different label distributions, and then perform inference from local models uploaded by users. Our comprehensive evaluation shows that LDIA is effective on various datasets in different settings, demonstrating the severe privacy leakage in FL-based edge computing.

Qi Tan,Qi Li,Yi Zhao,Zhuotao Liu,Xiaobing Guo,Ke Xu

2024-03-03

Abstract:Federated Learning (FL) trains a black-box and high-dimensional model among different clients by exchanging parameters instead of direct data sharing, which mitigates the privacy leak incurred by machine learning. However, FL still suffers from membership inference attacks (MIA) or data reconstruction attacks (DRA). In particular, an attacker can extract the information from local datasets by constructing DRA, which cannot be effectively throttled by existing techniques, e.g., Differential Privacy (DP).

Machine Learning,Cryptography and Security,Distributed, Parallel, and Cluster Computing

Yuhao Gu,Yuebin Bai,Shubin Xu

DOI: https://doi.org/10.1016/j.jisa.2022.103201

IF: 4.96

2022-01-01

Journal of Information Security and Applications

Abstract:Federated learning (FL) is vulnerable to membership inference attacks even it is designed to protect users’ data during model training, as model parameters remember the information of training data. However, existing inference attacks against FL perform poorly in multi-participant scenarios. We propose CS-MIA, a novel membership inference based on prediction confidence series, posing a more critical privacy threat to FL. The inspirations of CS-MIA are the different prediction confidence of a model on training and testing data, and multiple versions of target models over rounds during FL. We use a neural network to learn individual features of confidence series on training and testing data for subsequent membership inference. We design inference algorithms for both local and global adversaries in FL. And we also design an active attack for global adversaries to extract more information. Our confidence-series-based membership inference outperforms most state-of-the-art attacks on various datasets in different scenarios, demonstrating the severe privacy leakage in FL.

ShiMao Xu,Xiaopeng Ke,Xing Su,Shucheng Li,Hao Wu,Sheng Zhong,Fengyuan Xu

2024-11-04

Abstract:Federated Learning (FL) allows users to share knowledge instead of raw data to train a model with high accuracy. Unfortunately, during the training, users lose control over the knowledge shared, which causes serious data privacy issues. We hold that users are only willing and need to share the essential knowledge to the training task to obtain the FL model with high accuracy. However, existing efforts cannot help users minimize the shared knowledge according to the user intention in the FL training procedure. This work proposes FLiP, which aims to bring the principle of least privilege (PoLP) to FL training. The key design of FLiP is applying elaborate information reduction on the training data through a local-global dataset distillation design. We measure the privacy performance through attribute inference and membership inference attacks. Extensive experiments show that FLiP strikes a good balance between model accuracy and privacy protection.

Machine Learning

Hongsheng Hu,Zoran Salcic,Lichao Sun,Gillian Dobbie,Xuyun Zhang

DOI: https://doi.org/10.1109/icdm51629.2021.00129

2021-12-01

Abstract:Federated learning (FL) has emerged as a promising privacy-aware paradigm that allows multiple clients to jointly train a model without sharing their private data. Recently, many studies have shown that FL is vulnerable to membership inference attacks (MIAs) that can distinguish the training members of the given model from the non-members. However, existing MIAs ignore the source of a training member, i.e., the information of the client owning the training member, while it is essential to explore source privacy in FL beyond membership privacy of examples from all clients. The leakage of source information can lead to severe privacy issues. For example, identification of the hospital contributing to the training of an FL model for the COVID-19 pandemic can render the owner of a data record from this hospital more prone to discrimination if the hospital is in a high risk region. In this paper, we propose a new inference attack called source inference attack (SIA), which can derive an optimal estimation of the source of a training member. Specifically, we innovatively adopt the Bayesian perspective to demonstrate that an honest-but-curious server can launch an SIA to steal non-trivial source information of the training members without violating the FL protocol. The server leverages the prediction loss of local models on the training members to achieve the attack effectively and non-intrusively. We conduct extensive experiments on one synthetic and five real datasets to evaluate the key factors in an SIA, and the results show the efficacy of the proposed source inference attack.

Ping Zhao,Zhikui Cao,Jin Jiang,Fei Gao

DOI: https://doi.org/10.1109/jiot.2022.3201231

IF: 10.6

2022-12-24

IEEE Internet of Things Journal

Abstract:Federated learning (FL) enables multiple worker devices share local models trained on their private data to collaboratively train a machine learning model. However, local models are proved to imply the information about the private data and, thus, introduce much vulnerabilities to inference attacks where the adversary reconstructs or infers the sensitive information about the private data (e.g., labels, memberships, etc.) from the local models. To address this issue, existing works proposed homomorphic encryption, secure multiparty computation (SMC), and differential privacy methods. Nevertheless, the homomorphic encryption and SMC-based approaches are not applicable to large-scale FL scenarios as they incur substantial additional communication and computation costs and require secure channels to delivery keys. Moreover, differential privacy brings a substantial tradeoff between privacy budget and model performance. In this article, we propose a novel FL framework, which can protect the data privacy of worker devices against the inference attacks with minimal accuracy cost and low computation and communication cost, and does not rely on the secure pairwise communication channels. The main idea is to generate the lightweight keys based on computational Diffie–Hellman (CDH) problem to encrypt the local models, and the FL server can only get the sum of the local models of all worker devices without knowing the exact local model of any specific worker device. The extensive experimental results on three real-world data sets validate that the proposed FL framework can protect the data privacy of worker devices, and only incurs a small constant of computation and communication cost and a drop in test accuracy of no more than 1%.

computer science, information systems,telecommunications,engineering, electrical & electronic

Peng Jiang,Yimin Liu,Liehuang Zhu

DOI: https://doi.org/10.1109/TIFS.2023.3318950

IF: 7.231

IEEE Transactions on Information Forensics and Security

Abstract:Federated learning (FL) models are vulnerable to membership inference attacks (MIAs), and the requirement of individual privacy motivates the protection of subjects where the individual data is distributed across multiple users in the cross-silo FL setting. In this paper, we propose a subject-level membership inference attack based on data augmentation and model discrepancy. It can effectively infer whether the data distribution of the target subject has been sampled and used for training by specific federated users, even if other users (also) may sample from the same subject and use it as part of their training set. Specifically, the adversary uses a generative adversarial network (GAN) to perform data augmentation on a small amount of priori federation-associated information known in advance. Subsequently, the adversary merges two different outputs from the global and tested user models using an optimal feature construction method. We simulate a controlled federation configuration and conduct extensive experiments on real datasets that include both image and categorical data. Results show that the area under the curve (AUC) is improved by 12.6% to 16.8% compared to the classical membership inference attack. This is at the expense of the test accuracy of the data augmented with GAN, which is at most 3.5% lower than the real test data. We also explore the degree of privacy leakage between overfitted models and well-generalized models in the cross-silo FL setting and conclude experimentally that the former is more likely to leak individual privacy with a subject-level degradation rate of up to 0.43. Finally, we present two possible defense mechanisms to attenuate this newly discovered privacy risk.

Computer Science

Truc Nguyen,Phung Lai,Khang Tran,NhatHai Phan,My T. Thai

2023-07-25

Abstract:Federated learning (FL) was originally regarded as a framework for collaborative learning among clients with data privacy protection through a coordinating server. In this paper, we propose a new active membership inference (AMI) attack carried out by a dishonest server in FL. In AMI attacks, the server crafts and embeds malicious parameters into global models to effectively infer whether a target data sample is included in a client's private training data or not. By exploiting the correlation among data features through a non-linear decision boundary, AMI attacks with a certified guarantee of success can achieve severely high success rates under rigorous local differential privacy (LDP) protection; thereby exposing clients' training data to significant privacy risk. Theoretical and experimental results on several benchmark datasets show that adding sufficient privacy-preserving noise to prevent our attack would significantly damage FL's model utility.

Machine Learning,Artificial Intelligence,Cryptography and Security

Faisal Ahmed,David Sánchez,Zouhair Haddi,Josep Domingo-Ferrer

DOI: https://doi.org/10.1016/j.neunet.2024.106768

2024-10-01

Abstract:Federated Learning (FL) allows multiple data owners to build high-quality deep learning models collaboratively, by sharing only model updates and keeping data on their premises. Even though FL offers privacy-by-design, it is vulnerable to membership inference attacks (MIA), where an adversary tries to determine whether a sample was included in the training data. Existing defenses against MIA cannot offer meaningful privacy protection without significantly hampering the model's utility and causing a non-negligible training overhead. In this paper we analyze the underlying causes of the differences in the model behavior for member and non-member samples, which arise from model overfitting and facilitate MIAs. Accordingly, we propose MemberShield, a generalization-based defense method for MIAs that consists of: (i) one-time preprocessing of each client's training data labels that transforms one-hot encoded labels to soft labels and eventually exploits them in local training, and (ii) early stopping the training when the local model's validation accuracy does not improve on that of the global model for a number of epochs. Extensive empirical evaluations on three widely used datasets and four model architectures demonstrate that MemberShield outperforms state-of-the-art defense methods by delivering substantially better practical privacy protection against all forms of MIAs, while better preserving the target model utility. On top of that, our proposal significantly reduces training time and is straightforward to implement, by just tuning a single hyperparameter.

Liwei Zhang,Linghui Li,Xiaoyong Li,Binsi Cai,Yali Gao,Ruobin Dou,Luying Chen

DOI: https://doi.org/10.1145/3607199.3607204

2023-01-01

Abstract:Federated learning aims to complete model training without private data sharing, but many privacy risks remain. Recent studies have shown that federated learning is vulnerable to membership inference attacks. The weight as an important parameter in neural networks has been proven effective for membership inference attacks, but it leads to significant overhead. Facing this issue, in this paper, we propose a bias-based method for efficient membership inference attacks against federated learning. Different from the weight that determines the direction of the decision surface, the bias also plays an important role in determining the distance to move along the direction. Moreover, the number of bias is way less than the weight. We consider two types of attacks: local attack and global attack, corresponding to two possible types of insiders: participant and central aggregator. For the local attack, we design a neural network-based inference, which fully learns the vertical bias changes of the member data and non-member data. For the global attack, we design a difference comparison-based inference to determine the data source. Extensive experimental results on four public datasets show that the proposed method achieves state-of-the-art inference accuracy. Moreover, experiments prove the effectiveness of the proposed method to resist some commonly used defenses.

Haiqin Weng,Juntao Zhang,Feng Xue,Tao Wei,Shouling Ji,Zhiyuan Zong

2020-01-01

Abstract:Federated learning enables mutually distrusting participants to collaboratively learn a distributed machine learning model without revealing anything but the model's output. Generic federated learning has been studied extensively, and several learning protocols, as well as open-source frameworks, have been developed. Yet, their over pursuit of computing efficiency and fast implementation might diminish the security and privacy guarantees of participant's training data, about which little is known thus far. In this paper, we consider an honest-but-curious adversary who participants in training a distributed ML model, does not deviate from the defined learning protocol, but attempts to infer private training data from the legitimately received information. In this setting, we design and implement two practical attacks, reverse sum attack and reverse multiplication attack, neither of which will affect the accuracy of the learned model. By empirically studying the privacy leakage of two learning protocols, we show that our attacks are (1) effective - the adversary successfully steal the private training data, even when the intermediate outputs are encrypted to protect data privacy; (2) evasive - the adversary's malicious behavior does not deviate from the protocol specification and deteriorate any accuracy of the target model; and (3) easy - the adversary needs little prior knowledge about the data distribution of the target participant. We also experimentally show that the leaked information is as effective as the raw training data through training an alternative classifier on the leaked information. We further discuss potential countermeasures and their challenges, which we hope may lead to several promising research directions.