CRLG, Jun 5, 2023

Hiding in Plain Sight: Disguising Data Stealing Attacks in Federated Learning

arXiv:2306.03013v5 | 14 citations | h-index: 64
Originality: Highly original
AI Analysis

This work addresses security vulnerabilities in federated learning, which is crucial for privacy-sensitive applications, though it is incremental in improving attack stealth.

The paper tackles the problem of client-side detectability of data stealing attacks by a malicious server in federated learning. It demonstrates that prior attacks are detectable and proposes SEER, a novel attack framework that can steal user data from gradients at large batch sizes of up to 512 and under secure aggregation.

Malicious server (MS) attacks have enabled the scaling of data stealing in federated learning to large batch sizes and secure aggregation, settings previously considered private. However, many concerns regarding the client-side detectability of MS attacks were raised, questioning their practicality. In this work, for the first time, we thoroughly study client-side detectability. We first demonstrate that all prior MS attacks are detectable by principled checks, and formulate a necessary set of requirements that a practical MS attack must satisfy. Next, we propose SEER, a novel attack framework that satisfies these requirements. The key insight of SEER is the use of a secret decoder, jointly trained with the shared model. We show that SEER can steal user data from gradients of realistic networks, even for large batch sizes of up to 512 and under secure aggregation. Our work is a promising step towards assessing the true vulnerability of federated learning in real-world settings.

Code Implementations: 2 repos
Foundations

The foundational work for this paper's niche, ranked by how specifically the surrounding literature builds on it, not by global fame.
