Network Structures as an Attack Surface: Topology-Based Privacy Leakage in Federated Learning

TL;DR

This paper reveals that network topology knowledge can lead to significant privacy leakage in federated learning, even with differential privacy, and proposes structural noise injection as an effective defense.

Contribution

It is the first comprehensive analysis of topology-based privacy leakage in federated learning and introduces topology-aware defenses to mitigate this vulnerability.

Findings

Adversaries can infer sensitive data with high success rates using topology knowledge.

Partial topology knowledge often remains effective for attacks, surpassing security thresholds.

Structural noise injection reduces attack success by up to 51.4%.

Abstract

Federated learning systems increasingly rely on diverse network topologies to address scalability and organizational constraints. While existing privacy research focuses on gradient-based attacks, the privacy implications of network topology knowledge remain critically understudied. We conduct the first comprehensive analysis of topology-based privacy leakage across realistic adversarial knowledge scenarios, demonstrating that adversaries with varying degrees of structural knowledge can infer sensitive data distribution patterns even under strong differential privacy guarantees. Through systematic evaluation of 4,720 attack instances, we analyze six distinct adversarial knowledge scenarios: complete topology knowledge and five partial knowledge configurations reflecting real-world deployment constraints. We propose three complementary attack vectors: communication pattern analysis, parameter magnitude profiling, and structural position correlation, achieving success rates of 84.1%, 65.0%, and 47.2% under complete knowledge conditions. Critically, we find that 80% of realistic partial knowledge scenarios maintain attack effectiveness above security thresholds, with certain partial knowledge configurations achieving performance superior to the baseline complete knowledge scenario. To address these vulnerabilities, we propose and empirically validate structural noise injection as a complementary defense mechanism across 808 configurations, demonstrating up to 51.4% additional attack reduction when properly layered with existing privacy techniques. These results establish that network topology represents a fundamental privacy vulnerability in federated learning systems while providing practical pathways for mitigation through topology-aware defense mechanisms.