Privacy Attack in Federated Learning is Not Easy: An Experimental Study
Hangyu Zhu, Liyuan Huang, Zhenping Xie

TL;DR
This study experimentally evaluates privacy attacks in federated learning, revealing that current attack methods are ineffective in realistic settings, indicating that privacy breaches are more difficult than previously thought.
Contribution
The paper provides an experimental assessment of existing privacy attack algorithms in real federated learning environments, highlighting their limitations.
Findings
Existing privacy attack algorithms fail to breach data effectively in realistic FL settings.
Privacy in federated learning is more robust against current attacks than earlier studies suggested.
Experimental results challenge assumptions about the vulnerability of FL to privacy attacks.
Abstract
Federated learning (FL) is an emerging distributed machine learning paradigm proposed for privacy preservation. Unlike traditional centralized learning approaches, FL enables multiple users to collaboratively train a shared global model without disclosing their own data, thereby significantly reducing the potential risk of privacy leakage. However, recent studies have indicated that FL cannot entirely guarantee privacy protection, and attackers may still be able to extract users' private data through the communicated model gradients. Although numerous privacy attack FL algorithms have been developed, most are designed to reconstruct private data from a single step of calculated gradients. It remains uncertain whether these methods are effective in realistic federated environments or if they have other limitations. In this paper, we aim to help researchers better understand and evaluate…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Cryptography and Data Security
