LG, Jun 2, 2025

DRAUN: An Algorithm-Agnostic Data Reconstruction Attack on Federated Unlearning Systems

arXiv:2506.01777v1
h-index: 28
Originality: Highly original
AI Analysis

This paper addresses a critical privacy problem for users and regulators in federated learning systems and highlights a novel security threat in an emerging area.

The paper tackles the privacy risk in Federated Unlearning (FU) systems by introducing DRAUN, a data reconstruction attack that exploits unlearning updates to reconstruct removed data, demonstrating vulnerabilities across four datasets and four model architectures with state-of-the-art FU methods.

Federated Unlearning (FU) enables clients to remove the influence of specific data from a collaboratively trained shared global model, addressing regulatory requirements such as GDPR and CCPA. However, this unlearning process introduces a new privacy risk: A malicious server may exploit unlearning updates to reconstruct the data requested for removal, a form of Data Reconstruction Attack (DRA). While DRAs for machine unlearning have been studied extensively in centralized Machine Learning-as-a-Service (MLaaS) settings, their applicability to FU remains unclear due to the decentralized, client-driven nature of FU. This work presents DRAUN, the first attack framework to reconstruct unlearned data in FU systems. DRAUN targets optimization-based unlearning methods, which are widely adopted for their efficiency. We theoretically demonstrate why existing DRAs targeting machine unlearning in MLaaS fail in FU and show how DRAUN overcomes these limitations. We validate our approach through extensive experiments on four datasets and four model architectures, evaluating its performance against five popular unlearning methods, effectively demonstrating that state-of-the-art FU methods remain vulnerable to DRAs.
