Privacy Leakage of Adversarial Training Models in Federated Learning Systems
Jingyang Zhang, Yiran Chen, Hai Li

TL;DR
This paper uncovers that adversarial training in federated learning can inadvertently increase privacy risks, enabling attackers to reconstruct private data despite large batch sizes, highlighting a critical security concern.
Contribution
It introduces a novel privacy attack method targeting adversarially trained federated learning models, demonstrating increased vulnerability to data reconstruction attacks.
Findings
The attacker can reconstruct private training images from adversarially trained models in a federated learning system.
The privacy attack remains effective even with large training batch sizes.
The work highlights a new privacy risk associated with adversarial training in federated systems.
Abstract
Adversarial Training (AT) is crucial for obtaining deep neural networks that are robust to adversarial attacks, yet recent works found that it could also make models more vulnerable to privacy attacks. In this work, we further reveal this unsettling property of AT by designing a novel privacy attack that is practically applicable to the privacy-sensitive Federated Learning (FL) systems. Using our method, the attacker can exploit AT models in the FL system to accurately reconstruct users' private training images even when the training batch size is large. Code is available at https://github.com/zjysteven/PrivayAttack_AT_FL.
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Privacy-Preserving Technologies in Data
