Model Inversion Attack against Federated Unlearning

TL;DR

This paper introduces FUIA, a novel attack that exposes privacy vulnerabilities in federated unlearning methods by reconstructing forgotten data, highlighting significant privacy risks and proposing potential defenses.

Contribution

The paper presents the first comprehensive gradient inversion attack tailored for federated unlearning, analyzing privacy leakage across all unlearning types and evaluating mitigation strategies.

Findings

FUIA effectively recovers forgotten data in federated unlearning scenarios.

The attack exposes significant privacy risks inherent in current FU methods.

Defense strategies reduce privacy leakage but impair unlearning performance.

Abstract

With the introduction of regulations related to the ``right to be forgotten", federated learning (FL) is facing new privacy compliance challenges. To address these challenges, researchers have proposed federated unlearning (FU). However, existing FU research has primarily focused on improving the efficiency of unlearning, with less attention paid to the potential privacy vulnerabilities inherent in these methods. To address this gap, we draw inspiration from gradient inversion attacks in FL and propose the federated unlearning inversion attack (FUIA). The FUIA is specifically designed for the three types of FU (sample unlearning, client unlearning, and class unlearning), aiming to provide a comprehensive analysis of the privacy leakage risks associated with FU. In FUIA, the server acts as an honest-but-curious attacker, recording and exploiting the model differences before and after unlearning to expose the features and labels of forgotten data. FUIA significantly leaks the privacy of forgotten data and can target all types of FU. This attack contradicts the goal of FU to eliminate specific data influence, instead exploiting its vulnerabilities to recover forgotten data and expose its privacy flaws. Extensive experimental results show that FUIA can effectively reveal the private information of forgotten data. To mitigate this privacy leakage, we also explore two potential defense methods, although these come at the cost of reduced unlearning effectiveness and the usability of the unlearned model.