Protection against Source Inference Attacks in Federated Learning
Andreas Athanasiou, Kangsoo Jung, Catuscia Palamidessi

TL;DR
This paper introduces a novel shuffling-based defense mechanism in federated learning that effectively prevents source inference attacks without compromising model accuracy.
Contribution
It proposes a new combination of parameter-level shuffling with the residue number system to defend against source inference attacks in federated learning.
Findings
Standard shuffling fails to prevent source inference attacks (SIAs).
Our method reduces attack accuracy to random guessing.
The approach maintains model accuracy while enhancing privacy.
Abstract
Federated Learning (FL) was initially proposed as a privacy-preserving machine learning paradigm. However, FL has been shown to be susceptible to a series of privacy attacks. Recently, there has been concern about the Source Inference Attack (SIA), where an honest-but-curious central server attempts to identify exactly which client owns a given data point which was used in the training phase. Alarmingly, standard gradient obfuscation techniques with Differential Privacy have been shown to be ineffective against SIAs, at least without severely diminishing the accuracy. In this work, we propose a defense against SIAs within the widely studied shuffle model of FL, where an honest shuffler acts as an intermediary between the clients and the server. First, we demonstrate that standard naive shuffling alone is insufficient to prevent SIAs. To effectively defend against SIAs, shuffling needs…
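Added illustration, not the paper's code or its exact scheme: one way the two ingredients named above (per-parameter shuffling and a residue number system) can be combined so that the server still recovers the exact FedAvg sum while no client's complete update vector is forwarded. The moduli, the fixed-point scale and the toy client updates are constructed for this example.

```python
# Illustrative combination of parameter-level shuffling with RNS encoding
# (assumed construction, not the paper's mechanism): each client update is
# fixed-point encoded, split into residues modulo pairwise-coprime moduli,
# and the shuffler permutes residues across clients independently for every
# (coordinate, modulus) slot. Residue sums are permutation-invariant, so the
# server reconstructs the exact aggregate with the Chinese remainder theorem.
import random

MODULI = (251, 253, 255)   # pairwise coprime (assumed choice); product > 1.6e7
M = MODULI[0] * MODULI[1] * MODULI[2]
SCALE = 1000               # fixed-point scale for float parameters (assumed)

def to_rns(x):
    """Signed fixed-point integer -> tuple of non-negative residues."""
    return tuple(x % m for m in MODULI)

def from_rns(residues):
    """CRT reconstruction; values above M/2 are interpreted as negative."""
    x = 0
    for r, m in zip(residues, MODULI):
        Mi = M // m
        x += r * Mi * pow(Mi, -1, m)   # pow(.., -1, m): modular inverse
    x %= M
    return x - M if x > M // 2 else x

def shuffle_residues(updates, rng):
    """Shuffler: permute residues across clients per (coordinate, modulus)."""
    n, d = len(updates), len(updates[0])
    enc = [[to_rns(round(v * SCALE)) for v in u] for u in updates]
    out = [[[0] * len(MODULI) for _ in range(d)] for _ in range(n)]
    for j in range(d):
        for k in range(len(MODULI)):
            col = [enc[i][j][k] for i in range(n)]
            rng.shuffle(col)           # rows no longer belong to one client
            for i in range(n):
                out[i][j][k] = col[i]
    return out

def server_aggregate(shuffled):
    """Server: sum residues per modulus, rebuild the sum via CRT, unscale."""
    d = len(shuffled[0])
    sums = []
    for j in range(d):
        res = tuple(sum(row[j][k] for row in shuffled) % m
                    for k, m in enumerate(MODULI))
        sums.append(from_rns(res) / SCALE)
    return sums

def demo():
    """Constructed 3-client, 3-parameter round; returns (aggregate, plain sum)."""
    updates = [[0.512, -0.203, 0.077], [-0.131, 0.449, -0.318], [0.240, 0.118, 0.091]]
    agg = server_aggregate(shuffle_residues(updates, random.Random(7)))
    plain = [sum(u[j] for u in updates) for j in range(3)]
    return agg, plain
```

The reconstruction is exact only while every aggregate stays within the signed range of the moduli product, so the scale and moduli must be sized for the number of clients and the clipping bound in use.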
Peer Reviews
Decision·ICLR 2026 Poster
1. Interesting setting and important problem to study. 2. Theoretical results on the security of the proposed shuffling algorithm. 3. Comprehensive discussions on different trust models and different variations of the proposed method. 4. A lot of experiments of different settings. 5. Comparison to secure aggregation.
1. Unclear settings for the experiments in Section 7. 2. I would like more clarification on the trust model of the shuffler. 3. Discussions of the security of the proposed method beyond SIA.
1. First systematic defense against Source Inference Attacks (SIAs) in Federated Learning, introducing a novel parameter-level shuffling and RNS-based mechanism that reduces SIA accuracy to random guessing. 2. Well-structured “problem–proposal–verification” format with clear explanations, visual aids, and comprehensive appendices. 3. Addresses a core privacy challenge in cross-silo FL, offering compatible, low-cost protection against both SIAs and DRAs. Expands FL privacy theory and establishes
1. Lack of Discussion on Detailed Synergistic Optimization Between the Mechanism and Differential Privacy (DP): The paper claims that the proposed mechanism can be "seamlessly integrated with other privacy mechanisms such as DP" (meeting Specification S.2), yet it fails to verify the actual performance after integration or provide a specific integration scheme. DP requires adding noise to protect privacy, but the RNS encoding of the mechanism may interact with the noise distribution (e.g., noise
1. Clearly identifies that basic shuffling in FL still leaks client identity. 2. Proposes a new bit-level encoding + shuffling defense, not just adding noise. 3. Shows strong privacy improvement with almost no accuracy loss. 4. Provides both attack and defense experiments to support claims.
1. Shadow-dataset assumption is strong; needs sensitivity analysis under distribution shift. 2. Relies on a trusted shuffler, not obvious in many deployments. 3. No evaluation on text/LLM/tabular medical/time-series with only CV toy setups. 4. Multi-round leakage not addressed (momentum, clipping signals, correlated updates). 5. Communication claims hinge on compression + trust assumption, which is not apples-to-apples vs secure aggregation.
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Cryptography and Data Security · Adversarial Robustness in Machine Learning
