CRAI | Jun 16, 2025

Theoretically Unmasking Inference Attacks Against LDP-Protected Clients in Federated Vision Models

arXiv:2506.17292v2 | h-index: 12 | ICML
Originality: Incremental advance
AI Analysis

This work addresses privacy vulnerabilities for clients in federated vision models, highlighting that LDP is insufficient against MIAs, which is an incremental finding building on prior attack studies.

The paper tackles the problem of membership inference attacks (MIAs) against federated learning with local differential privacy (LDP) protection. It shows that theoretical lower bounds for attack success rates exist, and its practical evaluations reveal significant privacy risks whose mitigation degrades model utility.

Federated Learning enables collaborative learning among clients via a coordinating server while avoiding direct data sharing, offering a perceived solution to preserve privacy. However, recent studies on Membership Inference Attacks (MIAs) have challenged this notion, showing high success rates against unprotected training data. While local differential privacy (LDP) is widely regarded as a gold standard for privacy protection in data analysis, most studies on MIAs either neglect LDP or fail to provide theoretical guarantees for attack success rates against LDP-protected data. To address this gap, we derive theoretical lower bounds for the success rates of low-polynomial time MIAs that exploit vulnerabilities in fully connected or self-attention layers. We establish that even when data are protected by LDP, privacy risks persist, depending on the privacy budget. Practical evaluations on federated vision models confirm considerable privacy risks, revealing that the noise required to mitigate these attacks significantly degrades models' utility.
