TL;DR
This paper demonstrates a simple yet effective membership inference attack in federated learning with a dishonest server, achieving perfect accuracy on multiple datasets by exploiting ReLU activation properties.
Contribution
It introduces a novel membership inference attack for federated learning settings in which the central server is dishonest, achieving perfect accuracy with minimal assumptions.
Findings
Achieves perfect membership inference accuracy on multiple datasets.
Reveals potential privacy vulnerabilities in federated learning.
Discovers duplicate images in datasets through attack failures.
Abstract
Federated Learning is expected to provide strong privacy guarantees, as only gradients or model parameters but no plain text training data is ever exchanged either between the clients or between the clients and the central server. In this paper, we challenge this claim by introducing a simple but still very effective membership inference attack algorithm, which relies only on a single training step. In contrast to the popular honest-but-curious model, we investigate a framework with a dishonest central server. Our strategy is applicable to models with ReLU activations and uses the properties of this activation function to achieve perfect accuracy. Empirical evaluation on visual classification tasks with MNIST, CIFAR10, CIFAR100 and CelebA datasets shows that our method provides perfect accuracy in identifying one sample in a training set with thousands of samples. Occasional failures of…
