Source Inference Attacks: Beyond Membership Inference Attacks in Federated Learning

TL;DR

This paper introduces a novel source inference attack in federated learning, revealing that servers can identify the source client of training data, thus exposing privacy beyond traditional membership inference vulnerabilities.

Contribution

It proposes the first source inference attack (SIA) in federated learning, leveraging Bayesian methods for non-intrusive source identification, and evaluates its effectiveness across multiple frameworks and datasets.

Findings

SIAs successfully identify source clients in various FL frameworks.

Source information leaks occur through gradients, model parameters, and predictions.

Experimental results confirm the attack's high efficacy.

Abstract

Federated learning (FL) is a popular approach to facilitate privacy-aware machine learning since it allows multiple clients to collaboratively train a global model without granting others access to their private data. It is, however, known that FL can be vulnerable to membership inference attacks (MIAs), where the training records of the global model can be distinguished from the testing records. Surprisingly, research focusing on the investigation of the source inference problem appears to be lacking. We also observe that identifying a training record's source client can result in privacy breaches extending beyond MIAs. For example, consider an FL application where multiple hospitals jointly train a COVID-19 diagnosis model, membership inference attackers can identify the medical records that have been used for training, and any additional identification of the source hospital can result the patient from the particular hospital more prone to discrimination. Seeking to contribute to the literature gap, we take the first step to investigate source privacy in FL. Specifically, we propose a new inference attack (hereafter referred to as source inference attack -- SIA), designed to facilitate an honest-but-curious server to identify the training record's source client. The proposed SIAs leverage the Bayesian theorem to allow the server to implement the attack in a non-intrusive manner without deviating from the defined FL protocol. We then evaluate SIAs in three different FL frameworks to show that in existing FL frameworks, the clients sharing gradients, model parameters, or predictions on a public dataset will leak such source information to the server. We also conduct extensive experiments on various datasets to investigate the key factors in an SIA. The experimental results validate the efficacy of the proposed SIAs.