Mitigating Cross-client GANs-based Attack in Federated Learning
Hong Huang, Xinyu Lei, Tao Xiang

TL;DR
This paper identifies a privacy risk in federated learning where malicious clients can reconstruct others' data using GANs, and proposes Fed-EDKD, a method that uses ensemble models and knowledge distillation to mitigate this attack with minimal accuracy loss.
Contribution
The paper introduces Fed-EDKD, a novel federated learning scheme that effectively defends against cross-client GAN-based attacks through ensemble modeling and data-free knowledge distillation.
Findings
Fed-EDKD significantly reduces data leakage from C-GANs attacks.
The proposed method incurs only slight accuracy degradation in federated learning.
Experimental results validate the effectiveness of Fed-EDKD in enhancing privacy protection.
Abstract
Machine learning makes multimedia data (e.g., images) more attractive; however, multimedia data is usually distributed and privacy-sensitive. Multiple distributed multimedia clients can resort to federated learning (FL) to jointly learn a global shared model without having to share their private samples with any third-party entities. In this paper, we show that FL suffers from the cross-client generative adversarial networks (GANs)-based (C-GANs) attack, in which a malicious client (i.e., adversary) can reconstruct samples with the same distribution as the training samples from other clients (i.e., victims). Since a benign client's data can be leaked to the adversary, this attack brings the risk of local data leakage for clients in many security-critical FL applications. Thus, we propose the Fed-EDKD (i.e., Federated Ensemble Data-free Knowledge Distillation) technique to improve the…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Privacy-Preserving Technologies in Data
Methods: Knowledge Distillation
