Fingerprint Attack: Client De-Anonymization in Federated Learning
Qiongkai Xu, Trevor Cohn, Olga Ohrimenko
TL;DR
This paper introduces a fingerprinting attack on federated learning gradients that can de-anonymize participants, and demonstrates that differential privacy can effectively defend against this attack.
Contribution
It presents a novel fingerprinting attack on federated learning gradients and evaluates its effectiveness, proposing differential privacy as a practical countermeasure.
Findings
Gradient clustering can de-anonymize participants.
Differential privacy mitigates fingerprinting attack.
Empirical validation on language models.
Abstract
Federated Learning allows collaborative training without data sharing in settings where participants do not trust the central server and one another. Privacy can be further improved by ensuring that communication between the participants and the server is anonymized through a shuffle; decoupling the participant identity from their data. This paper seeks to examine whether such a defense is adequate to guarantee anonymity, by proposing a novel fingerprinting attack over gradients sent by the participants to the server. We show that clustering of gradients can easily break the anonymization in an empirical study of learning federated language models on two language corpora. We then show that training with differential privacy can provide a practical defense against our fingerprint attack.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Code & Models
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsPrivacy-Preserving Technologies in Data · Hate Speech and Cyberbullying Detection