
What attack will Federated Learning Face?

Yuan Ko
Aug 3, 2020 · 3 min read


Federated learning will face problems from both privacy-preserving machine learning (PPML) and secure machine learning (SML).

  • Reconstruction Attacks

Privacy can leak not only from the data itself but also from the gradients in client updates, or from models such as support vector machines and k-nearest neighbors that store explicit feature values. Reconstruction attacks aim to obtain private information through these channels.

Its goal is to extract the training data, or the feature vectors of the training data, during ML model training. In federated learning, the gradient update from a client may leak that client's information. Therefore, secure multi-party computation (MPC) and homomorphic encryption (HE) are needed to defend against this attack. Moreover, ML models that store explicit feature values should be avoided.
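The MPC defence mentioned above can be made concrete with pairwise-mask secure aggregation: each client hides its update under masks shared with every other client, and the server only ever recovers the sum. The following is an added example written for this post, not code from the post or from any FL framework. It assumes updates are encoded as fixed-point integers in a prime field, and it stands in a constructed `pair_seed` for the pairwise secret that a real protocol would derive from a key agreement.

```python
"""Pairwise-mask secure aggregation (added example, not from the post).

Assumptions (constructed for this example, not from the post):
- updates are fixed-point integers in a prime field (MODULUS, SCALE);
- every pair of clients already shares a secret seed; pair_seed() is a
  constructed stand-in for what a real protocol gets from key agreement.
"""
import hashlib

MODULUS = 2**61 - 1   # constructed: Mersenne prime used as the field
SCALE = 1000          # constructed: fixed point with 3 decimal places


def to_fixed(x: float) -> int:
    """Encode one float coordinate of an update as a field element."""
    return int(round(x * SCALE)) % MODULUS


def from_fixed(v: int) -> float:
    """Decode a field element back to a signed float."""
    if v > MODULUS // 2:        # upper half of the field represents negatives
        v -= MODULUS
    return v / SCALE


def prg(seed: bytes, length: int) -> list:
    """Expand a shared seed into `length` field elements (SHA-256 in counter mode)."""
    out = []
    for ctr in range(length):
        digest = hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        out.append(int.from_bytes(digest[:8], "big") % MODULUS)
    return out


def pair_seed(i: int, j: int) -> bytes:
    """Constructed stand-in for the pairwise shared secret of clients i and j."""
    a, b = sorted((i, j))
    return hashlib.sha256(f"constructed-pair-seed-{a}-{b}".encode()).digest()


def mask_update(client_id: int, update: list, n_clients: int) -> list:
    """Client side: add +PRG(seed) toward higher ids and -PRG(seed) toward lower ids.

    Across all clients every pairwise mask appears once with each sign, so the
    masks cancel in the sum while each individual masked vector looks random.
    """
    masked = [to_fixed(u) for u in update]
    for other in range(n_clients):
        if other == client_id:
            continue
        sign = 1 if client_id < other else -1
        mask = prg(pair_seed(client_id, other), len(update))
        masked = [(m + sign * r) % MODULUS for m, r in zip(masked, mask)]
    return masked


def server_aggregate(masked_updates: list) -> list:
    """Server side: sum the masked vectors; masks cancel, leaving the plain sum."""
    total = [0] * len(masked_updates[0])
    for upd in masked_updates:
        total = [(t + u) % MODULUS for t, u in zip(total, upd)]
    return [from_fixed(t) for t in total]


def demo():
    # Constructed client updates, e.g. gradient deltas of a 3-parameter model.
    updates = [[0.5, -1.25, 2.0], [0.25, 0.75, -1.0], [-1.0, 0.5, 0.5]]
    masked = [mask_update(i, u, len(updates)) for i, u in enumerate(updates)]
    # The per-client vector the server receives is not the client's plaintext.
    leaks_plaintext = masked[0] == [to_fixed(x) for x in updates[0]]
    return server_aggregate(masked), leaks_plaintext


if __name__ == "__main__":
    total, leaks = demo()
    print("aggregate:", total, "| individual update visible to server:", leaks)
```

The server learns the summed update [-0.25, 0.0, 1.5] but cannot read any single client's gradient, which is exactly what blocks a gradient-based reconstruction attack against one participant. The same property is also why, as noted in the poisoning section below, the server can no longer audit individual updates.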

  • Model Inversion Attacks

If the model can be queried many times, the adversary can reconstruct the clear-text model with an equation-solving attack. The adversary can then learn about the distribution of the training data and obtain a similar model.

  • Membership-Inference Attacks

The target of a membership inference attack is to infer whether a record is in the training dataset. It builds a shadow model to create a dataset that is similar to the original dataset. Three ways to build the shadow model are mentioned in the paper.

Intuitively, we can use the model itself as a shadow model. If the output has high confidence values, the input is similar to the original dataset.

  • Attribute-Inference Attacks

The adversary tries to de-anonymize or target the record owner. How To Break Anonymity of the Netflix Prize Dataset shows that anonymized data can be de-anonymized with another data set such as IMDB. In other words, you can be identified through any other public data set, such as your blog or a rating website.

It is quite a famous and interesting paper. Here are the FAQs for that paper.

  • Model Poisoning Attacks

There are many kinds of poisoning attacks, such as data flipping attacks and back-door attacks. The main purpose of a poisoning attack is to affect the model's performance without being noticed.

A back-door attack, as mentioned in this article:

A backdoor is a type of input that the model’s designer is not aware of, but that the attacker can leverage to get the ML system to do what they want.

These three problems make verifying a poisoning attack harder (from this paper):

  1. participants' local training procedure is invisible to the central server, so it is impossible to verify the authenticity of a certain local update;
  2. the non-IID data training property in federated learning leads to participants' local updates being very different from each other;
  3. the secure aggregation protocol used in parameter transmission prevents the central server from auditing each participant’s update to the global model.
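Since the server cannot verify a local update directly, the usual mitigation is to limit how much any one update can move the global model. The block below is an added example, not code from the post or the cited papers: it compares plain FedAvg with coordinate-wise median and trimmed mean when one of five constructed clients submits a boosted (scaled-up) update, and it includes a norm-based outlier check that only works when individual updates are visible, which ties back to the third problem above.

```python
"""Robust aggregation against a boosted poisoned update (added example).

The client updates, the 100x boosting factor and the outlier threshold are
constructed sample values, not from the post or the cited papers.
"""
import math
from statistics import median


def fedavg(updates):
    """Plain averaging: one large update can drag the mean arbitrarily far."""
    n = len(updates)
    return [sum(col) / n for col in zip(*updates)]


def coordinate_median(updates):
    """Coordinate-wise median: a minority of clients has bounded influence."""
    return [median(col) for col in zip(*updates)]


def trimmed_mean(updates, k):
    """Per coordinate, drop the k smallest and k largest values, then average."""
    out = []
    for col in zip(*updates):
        kept = sorted(col)[k:len(col) - k]
        out.append(sum(kept) / len(kept))
    return out


def l2_norm(v):
    return math.sqrt(sum(x * x for x in v))


def flag_large_updates(updates, factor=3.0):
    """Server-side check: indices whose L2 norm exceeds factor * median norm.

    This needs the server to see each update in the clear. Under secure
    aggregation (problem 3 above) the server only sees the sum, so norm
    clipping has to happen on the client or be built into the protocol.
    """
    norms = [l2_norm(u) for u in updates]
    threshold = factor * median(norms)
    return [i for i, n in enumerate(norms) if n > threshold]


# Constructed scenario: four honest clients with similar small updates and one
# attacker who scales a malicious direction by 100x to dominate the average.
HONEST = [[1.0, -0.5], [1.1, -0.4], [0.9, -0.6], [1.0, -0.5]]
POISONED = [100.0, 50.0]
ALL_UPDATES = HONEST + [POISONED]


def compare():
    """Aggregate the constructed round with each rule and run the outlier check."""
    return {
        "fedavg": fedavg(ALL_UPDATES),
        "median": coordinate_median(ALL_UPDATES),
        "trimmed_mean": trimmed_mean(ALL_UPDATES, k=1),
        "flagged": flag_large_updates(ALL_UPDATES),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:13s} {value}")
```

FedAvg lands near [20.8, 9.6], far from every honest client, while the median and trimmed mean stay around [1.0, -0.5]; the norm check flags only the attacker (index 4). Robust aggregation does not require inspecting who sent what, so it remains usable when secure aggregation hides individual updates, whereas the norm check does not.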

Want to know more about FL?

Realistic Federated Datasets for Federated Learning

Architecture of three Federated learning

(Summary)Federated Learning: Strategies for Improving Communication Efficiency

Federated Learning Aggregate Method (1)

Reference

https://arxiv.org/pdf/1610.05820.pdf

