Breaching FedMD: Image Recovery via Paired-Logits Inversion Attack
Hideaki Takahashi, Jingjing Liu, and Yang Liu

TL;DR
This paper demonstrates that even the privacy-preserving FedMD scheme is vulnerable to a novel Paired-Logits Inversion attack, which can reconstruct private images from shared logits using a trained neural network.
Contribution
It introduces the PLI attack, revealing a new privacy risk in FedMD by exploiting confidence gaps in shared logits for image reconstruction.
Findings
A malicious server can successfully reconstruct private images.
The attack works across multiple facial recognition datasets.
FedMD's privacy is compromised despite sharing only output logits.
Abstract
Federated Learning with Model Distillation (FedMD) is a nascent collaborative learning paradigm, where only output logits of public datasets are transmitted as distilled knowledge, instead of passing on private model parameters that are susceptible to gradient inversion attacks, a known privacy risk in federated learning. In this paper, we found that even though sharing output logits of public datasets is safer than directly sharing gradients, there still exists a substantial risk of data exposure caused by carefully designed malicious attacks. Our study shows that a malicious server can inject a PLI (Paired-Logits Inversion) attack against FedMD and its variants by training an inversion neural network that exploits the confidence gap between the server and client models. Experiments on multiple facial recognition datasets validate that under FedMD-like schemes, by using paired…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Microwave Imaging and Scattering Analysis · Fetal and Pediatric Neurological Disorders
