A Data-Free Membership Inference Attack on Federated Learning in Hardware Assurance
Gijung Lee, Wavid Bowman, Olivia P. Dizon-Paradis, Reiner N. Dizon-Paradis, Ronald Wilson, Damon L. Woodard, Domenic Forte

TL;DR
This paper presents a novel data-free membership inference attack on federated learning models used in hardware assurance, revealing significant privacy risks without requiring auxiliary data.
Contribution
It introduces a gradient inversion attack leveraging hardware layout priors to reconstruct sensitive data and infer hardware characteristics without auxiliary datasets.
Findings
The attack successfully distinguishes between circuit layers and technology nodes.
A new loss term enhances attack effectiveness on complex data structures.
Reveals severe IP leakage risks in federated learning for hardware assurance.
Abstract
Federated Learning (FL) is an emerging solution to the data scarcity problem for training deep learning models in hardware assurance. While FL is designed to enhance privacy by not sharing raw data, it remains vulnerable to Membership Inference Attacks (MIAs) that can leak sensitive intellectual property (IP). Traditional MIAs are often impractical in this domain because they require access to auxiliary datasets that can match the unique statistical properties of private data. This paper introduces a novel, data-free MIA targeting image segmentation models in FL for hardware assurance. Our methodology leverages Standard Cell Library Layouts (SCLLs) as priors to guide a gradient inversion attack, allowing an adversary to reconstruct images from a client's intercepted model update without needing any private data. We demonstrate that, by analyzing the reconstruction fidelity, an adversary…
