Active Membership Inference Attack under Local Differential Privacy in Federated Learning
Truc Nguyen, Phung Lai, Khang Tran, NhatHai Phan, My T. Thai

TL;DR
This paper introduces a new active membership inference attack in federated learning that can succeed even under local differential privacy protections, risking client data privacy.
Contribution
It presents a novel active attack method exploiting feature correlations, demonstrating high success rates under LDP, and analyzes the privacy-utility trade-off in FL.
Findings
The attack achieves high success rates under local differential privacy.
Adding noise to defend against the attack reduces model utility.
Theoretical analysis confirms the attack's effectiveness.
Abstract
Federated learning (FL) was originally regarded as a framework for collaborative learning among clients with data privacy protection through a coordinating server. In this paper, we propose a new active membership inference (AMI) attack carried out by a dishonest server in FL. In AMI attacks, the server crafts and embeds malicious parameters into global models to effectively infer whether a target data sample is included in a client's private training data or not. By exploiting the correlation among data features through a non-linear decision boundary, AMI attacks with a certified guarantee of success can achieve severely high success rates under rigorous local differential privacy (LDP) protection; thereby exposing clients' training data to significant privacy risk. Theoretical and experimental results on several benchmark datasets show that adding sufficient privacy-preserving noise…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning
