Active Membership Inference Attack under Local Differential Privacy in Federated Learning
This exposes a critical privacy risk for clients in federated learning systems, even under rigorous privacy protections, and is incremental in demonstrating vulnerabilities in existing methods.
The paper tackles the problem of data privacy in federated learning by proposing an active membership inference attack that can achieve high success rates under local differential privacy, showing that preventing this attack with noise significantly damages model utility.
Federated learning (FL) was originally regarded as a framework for collaborative learning among clients with data privacy protection through a coordinating server. In this paper, we propose a new active membership inference (AMI) attack carried out by a dishonest server in FL. In AMI attacks, the server crafts and embeds malicious parameters into global models to effectively infer whether a target data sample is included in a client's private training data or not. By exploiting the correlation among data features through a non-linear decision boundary, AMI attacks with a certified guarantee of success can achieve severely high success rates under rigorous local differential privacy (LDP) protection; thereby exposing clients' training data to significant privacy risk. Theoretical and experimental results on several benchmark datasets show that adding sufficient privacy-preserving noise to prevent our attack would significantly damage FL's model utility.