Local Model Reconstruction Attacks in Federated Learning and their Uses
This work addresses privacy risks for users in federated learning systems by revealing a new attack vector that can leak more information than global models, though it is incremental in building on existing attack methods.
The paper tackles the problem of privacy leakage in federated learning by introducing local model reconstruction attacks, where an adversary eavesdrops on client-server communications to reconstruct a client's local model, and uses this to propose a novel attribute inference attack with higher accuracy, especially in heterogeneous data settings, as confirmed by empirical results on real-world datasets.
In this paper, we initiate the study of local model reconstruction attacks for federated learning, where a honest-but-curious adversary eavesdrops the messages exchanged between a targeted client and the server, and then reconstructs the local/personalized model of the victim. The local model reconstruction attack allows the adversary to trigger other classical attacks in a more effective way, since the local model only depends on the client's data and can leak more private information than the global model learned by the server. Additionally, we propose a novel model-based attribute inference attack in federated learning leveraging the local model reconstruction attack. We provide an analytical lower-bound for this attribute inference attack. Empirical results using real world datasets confirm that our local reconstruction attack works well for both regression and classification tasks. Moreover, we benchmark our novel attribute inference attack against the state-of-the-art attacks in federated learning. Our attack results in higher reconstruction accuracy especially when the clients' datasets are heterogeneous. Our work provides a new angle for designing powerful and explainable attacks to effectively quantify the privacy risk in FL.