Privacy Leakage of Adversarial Training Models in Federated Learning Systems
This work addresses a critical privacy vulnerability for users in federated learning systems, but it is incremental as it builds on prior findings about adversarial training's privacy risks.
The authors tackled the problem of adversarial training models leaking private data in federated learning systems, and they designed a novel attack that accurately reconstructs users' training images, even with large batch sizes.
Adversarial Training (AT) is crucial for obtaining deep neural networks that are robust to adversarial attacks, yet recent works found that it could also make models more vulnerable to privacy attacks. In this work, we further reveal this unsettling property of AT by designing a novel privacy attack that is practically applicable to the privacy-sensitive Federated Learning (FL) systems. Using our method, the attacker can exploit AT models in the FL system to accurately reconstruct users' private training images even when the training batch size is large. Code is available at https://github.com/zjysteven/PrivayAttack_AT_FL.