Hidden Data Privacy Breaches in Federated Learning

TL;DR

This paper introduces a stealthy data-reconstruction attack on federated learning that can extract high-resolution sensitive data without detection, highlighting critical privacy vulnerabilities in current FL systems.

Contribution

The authors propose a novel, undetectable attack leveraging malicious code injection, sparse encoding, and block partitioning to reconstruct sensitive data in federated learning.

Findings

Outperforms five state-of-the-art attacks in detection scenarios

Effective on large-scale, high-resolution datasets

Applicable to both FedAVG and FedSGD scenarios

Abstract

Federated Learning (FL) emerged as a paradigm for conducting machine learning across broad and decentralized datasets, promising enhanced privacy by obviating the need for direct data sharing. However, recent studies show that attackers can steal private data through model manipulation or gradient analysis. Existing attacks are constrained by low theft quantity or low-resolution data, and they are often detected through anomaly monitoring in gradients or weights. In this paper, we propose a novel data-reconstruction attack leveraging malicious code injection, supported by two key techniques, i.e., distinctive and sparse encoding design and block partitioning. Unlike conventional methods that require detectable changes to the model, our method stealthily embeds a hidden model using parameter sharing to systematically extract sensitive data. The Fibonacci-based index design ensures efficient, structured retrieval of memorized data, while the block partitioning method enhances our method's capability to handle high-resolution images by dividing them into smaller, manageable units. Extensive experiments on 4 datasets confirmed that our method is superior to the five state-of-the-art data-reconstruction attacks under the five respective detection methods. Our method can handle large-scale and high-resolution data without being detected or mitigated by state-of-the-art data reconstruction defense methods. In contrast to baselines, our method can be directly applied to both FedAVG and FedSGD scenarios, underscoring the need for developers to devise new defenses against such vulnerabilities. We will open-source our code upon acceptance.