An Efficient Gradient-Based Inference Attack for Federated Learning

TL;DR

This paper introduces a new gradient-based inference attack for federated learning that exploits gradient evolution over multiple rounds to reveal sensitive information, demonstrating significant privacy risks.

Contribution

The work presents a novel, model-agnostic gradient-based attack method for federated learning that can infer membership and attributes without dataset access, applicable to various models and data types.

Findings

Strong attack performance on CIFAR-100 and Purchase100 datasets.

Multi-round federated learning increases vulnerability to inference attacks.

Aggregators pose a greater threat than data owners.

Abstract

Federated Learning is a machine learning setting that reduces direct data exposure, improving the privacy guarantees of machine learning models. Yet, the exchange of model updates between the participants and the aggregator can still leak sensitive information. In this work, we present a new gradient-based membership inference attack for federated learning scenarios that exploits the temporal evolution of last-layer gradients across multiple federated rounds. Our method uses the shadow technique to learn round-wise gradient patterns of the training records, requiring no access to the private dataset, and is designed to consider both semi-honest and malicious adversaries (aggregators or data owners). Beyond membership inference, we also provide a natural extension of the proposed attack to discrete attribute inference by contrasting gradient responses under alternative attribute hypotheses. The proposed attacks are model-agnostic, and therefore applicable to any gradient-based model and can be applied to both classification and regression settings. We evaluate the attack on CIFAR-100 and Purchase100 datasets for membership inference and on Breast Cancer Wisconsin for attribute inference. Our findings reveal strong attack performance and comparable computational and memory overhead in membership inference when compared to another attack from the literature. The obtained results emphasize that multi-round federated learning can increase the vulnerability to inference attacks, that aggregators pose a more substantial threat than data owners, and that attack performance is strongly influenced by the nature of the training dataset, with richer, high-dimensional data leading to stronger leakage than simpler tabular data.