AugMixCloak: A Defense against Membership Inference Attacks via Image Transformation
Heqing Ren, Chao Feng, Alberto Huertas, Burkhard Stiller

TL;DR
AugMixCloak is a novel defense method that combines data augmentation and PCA-based information fusion to effectively protect federated learning models from membership inference attacks, outperforming existing defenses.
Contribution
It introduces a two-stage defense mechanism using image transformation techniques to mitigate privacy risks in federated learning against MIAs.
Findings
Successfully defends against binary classifier-based MIA
Effective against metric-based MIA across multiple datasets
Outperforms regularization-based and confidence masking defenses
Abstract
Traditional machine learning (ML) raises serious privacy concerns, while federated learning (FL) mitigates the risk of data leakage by keeping data on local devices. However, the training process of FL can still leak sensitive information, which adversaries may exploit to infer private data. One of the most prominent threats is the membership inference attack (MIA), where the adversary aims to determine whether a particular data record was part of the training set. This paper addresses this problem through a two-stage defense called AugMixCloak. The core idea is to apply data augmentation and principal component analysis (PCA)-based information fusion to query images, which are detected by perceptual hashing (pHash) as either identical to or highly similar to images in the training set. Experimental results show that AugMixCloak successfully defends against both binary…
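The abstract describes a gate that decides which queries get transformed: only images that perceptual hashing flags as identical or near-identical to a training image pass through the augmentation and PCA fusion stage. The following Python is an added illustration of that gate and is not code from the paper or its authors. It implements a standard DCT-based pHash (32x32 reduction, 8x8 low-frequency block without the DC term, median thresholding) for grayscale images given as 2-D lists, compares the query hash against stored training hashes by Hamming distance, and reports whether the query should be cloaked. The Hamming threshold of 10 bits, the function names and the synthetic test image are assumptions; the transformation stage itself (augmentation plus PCA-based fusion) is not reproduced here.

```python
"""Perceptual-hash gate for the first stage of an AugMixCloak-style defense.

Added illustration, not code from the paper: queries whose pHash is within a
few bits of a training image's pHash are the ones the defense transforms.
Images are grayscale 2-D lists of ints; the threshold and image data are
constructed assumptions.
"""
import math
from statistics import median

HASH_SIZE = 8              # keep the 8x8 low-frequency DCT block (minus DC) -> 63 bits
DCT_SIZE = 32              # image is reduced to 32x32 before the DCT
NEAR_DUPLICATE_BITS = 10   # assumed threshold; the paper's exact setting is not on the page

# DCT-II cosine table cos(pi*(2x+1)*u / (2N)) for the first HASH_SIZE frequencies only
_COS = [[math.cos(math.pi * (2 * x + 1) * u / (2 * DCT_SIZE)) for x in range(DCT_SIZE)]
        for u in range(HASH_SIZE)]


def _downsample(img):
    """Nearest-neighbour reduction of an HxW grayscale grid to DCT_SIZE x DCT_SIZE."""
    h, w = len(img), len(img[0])
    return [[img[y * h // DCT_SIZE][x * w // DCT_SIZE] for x in range(DCT_SIZE)]
            for y in range(DCT_SIZE)]


def _low_freq_dct(small):
    """Orthonormal 2-D DCT-II, evaluated only for the top-left HASH_SIZE x HASH_SIZE block."""
    n = DCT_SIZE
    # row pass: tmp[y][v] = sum_x small[y][x] * cos(v, x)
    tmp = [[sum(row[x] * _COS[v][x] for x in range(n)) for v in range(HASH_SIZE)]
           for row in small]
    coef = []
    for u in range(HASH_SIZE):
        au = math.sqrt(1 / n) if u == 0 else math.sqrt(2 / n)
        row = []
        for v in range(HASH_SIZE):
            av = math.sqrt(1 / n) if v == 0 else math.sqrt(2 / n)
            row.append(au * av * sum(tmp[y][v] * _COS[u][y] for y in range(n)))
        coef.append(row)
    return coef


def phash(img):
    """63-bit perceptual hash: bit is 1 where a low-frequency coefficient exceeds the block median."""
    coef = _low_freq_dct(_downsample(img))
    ac = [coef[u][v] for u in range(HASH_SIZE) for v in range(HASH_SIZE) if (u, v) != (0, 0)]
    m = median(ac)
    bits = 0
    for c in ac:
        bits = (bits << 1) | (1 if c > m else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def should_cloak(query, train_hashes, threshold=NEAR_DUPLICATE_BITS):
    """True when the query is identical or near-identical to some training image."""
    q = phash(query)
    return any(hamming(q, t) <= threshold for t in train_hashes)


# constructed 48x64 grayscale image; values stay <= 200 so a brightness shift needs no clipping
def make_image(h=48, w=64):
    return [[(x * 37 + y * 59 + ((x * y) % 23) * 5) % 201 for x in range(w)] for y in range(h)]


def brighten(img, delta=20):
    """Global brightness shift: changes only the DC term, so the pHash should be unchanged."""
    return [[p + delta for p in row] for row in img]


def invert(img, top=200):
    """Tone inversion: flips the sign of every AC coefficient, so nearly every hash bit flips."""
    return [[top - p for p in row] for row in img]


if __name__ == "__main__":
    train = make_image()
    train_hashes = {phash(train)}
    print("exact copy cloaked:     ", should_cloak(train, train_hashes))
    print("brightened copy cloaked:", should_cloak(brighten(train), train_hashes))
    print("inverted image cloaked: ", should_cloak(invert(train), train_hashes))
```

The gate is deliberately tolerant: a brightness shift leaves the hash untouched because only the DC coefficient moves, while an unrelated image (here simulated by tone inversion) lands far beyond the threshold and is served untransformed. In a deployment the training hashes would be computed once per client and kept with the model, and the threshold tuned so that benign near-duplicates are cloaked without degrading accuracy on genuinely new inputs.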
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Privacy-Preserving Technologies in Data · Domain Adaptation and Few-Shot Learning
