TimberStrike: Dataset Reconstruction Attack Revealing Privacy Leakage in Federated Tree-Based Systems

TL;DR

TimberStrike is an optimization-based attack that reveals sensitive training data in federated tree-based models, exposing privacy vulnerabilities across multiple frameworks and datasets.

Contribution

This paper introduces TimberStrike, the first dataset reconstruction attack targeting federated tree-based models, demonstrating significant privacy risks and analyzing mitigation strategies.

Findings

Reconstructs 73-95% of training data in experiments

Vulnerable across multiple federated learning frameworks

Partial mitigation by Differential Privacy reduces data leakage

Abstract

Federated Learning has emerged as a privacy-oriented alternative to centralized Machine Learning, enabling collaborative model training without direct data sharing. While extensively studied for neural networks, the security and privacy implications of tree-based models remain underexplored. This work introduces TimberStrike, an optimization-based dataset reconstruction attack targeting horizontally federated tree-based models. Our attack, carried out by a single client, exploits the discrete nature of decision trees by using split values and decision paths to infer sensitive training data from other clients. We evaluate TimberStrike on State-of-the-Art federated gradient boosting implementations across multiple frameworks, including Flower, NVFlare, and FedTree, demonstrating their vulnerability to privacy breaches. On a publicly available stroke prediction dataset, TimberStrike consistently reconstructs between 73.05% and 95.63% of the target dataset across all implementations. We further analyze Differential Privacy, showing that while it partially mitigates the attack, it also significantly degrades model performance. Our findings highlight the need for privacy-preserving mechanisms specifically designed for tree-based Federated Learning systems, and we provide preliminary insights into their design.