FedMIA: An Effective Membership Inference Attack Exploiting "All for One" Principle in Federated Learning
Gongxi Zhu, Donghao Li, Hanlin Gu, Yuan Yao, Lixin Fan, Yuxing Han

TL;DR
FedMIA introduces a novel membership inference attack in federated learning that exploits updates from all clients across multiple rounds, significantly improving attack effectiveness and robustness against defenses.
Contribution
The paper proposes FedMIA, a new three-step MIA leveraging all client updates and a likelihood-ratio test, outperforming existing methods and enhancing privacy risk assessment in FL.
Findings
FedMIA outperforms existing MIAs in classification and generative tasks.
It is robust against defense strategies and Non-IID data.
FedMIA can be integrated with existing methods.
Abstract
Federated Learning (FL) is a promising approach for training machine learning models on decentralized data while preserving privacy. However, privacy risks, particularly Membership Inference Attacks (MIAs), which aim to determine whether a specific data point belongs to a target client's training set, remain a significant concern. Existing methods for implementing MIAs in FL primarily analyze updates from the target client, focusing on metrics such as loss, gradient norm, and gradient difference. However, these methods fail to leverage updates from non-target clients, potentially underutilizing available information. In this paper, we first formulate a one-tailed likelihood-ratio hypothesis test based on the likelihood of updates from non-target clients. Building upon this formulation, we introduce a three-step Membership Inference Attack (MIA) method, called FedMIA, which follows the…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Access Control and Trust · Adversarial Robustness in Machine Learning
