TY - GEN
T1 - Reconstructing Individual Data Points in Federated Learning Hardened with Differential Privacy and Secure Aggregation
AU - Boenisch, Franziska
AU - Dziedzic, Adam
AU - Schuster, Roei
AU - Shamsabadi, Ali Shahin
AU - Shumailov, Ilia
AU - Papernot, Nicolas
N1 - Publisher Copyright:
© 2023 IEEE.
PY - 2023
Y1 - 2023
AB - Federated learning (FL) is a framework for users to jointly train a machine learning model. FL is promoted as a privacy-enhancing technology (PET) that provides data minimization: data never "leaves" personal devices, and users share only model updates with a server (e.g., a company) coordinating the distributed training. While prior work showed that in vanilla FL a malicious server can extract users' private data from the model updates, in this work we go further and demonstrate that a malicious server can reconstruct user data even in hardened versions of the protocol. More precisely, we propose an attack against FL protected with distributed differential privacy (DDP) and secure aggregation (SA). Our attack method is based on the introduction of sybil devices that deviate from the protocol to expose individual users' data for reconstruction by the server. The root cause of the vulnerability to our attack is a power imbalance: the server orchestrates the whole protocol, and users are given few guarantees about the selection of the other users participating in it. Moving forward, we discuss requirements for privacy guarantees in FL. We conclude that users should participate in the protocol only when they trust the server or when they apply local primitives such as local DP, shifting power away from the server. Yet, the latter approaches come at a significant cost in terms of degraded performance of the trained model, making them less likely to be deployed in practice.
UR - http://www.scopus.com/inward/record.url?scp=85167882817&partnerID=8YFLogxK
U2 - 10.1109/EuroSP57164.2023.00023
DO - 10.1109/EuroSP57164.2023.00023
M3 - Conference contribution
AN - SCOPUS:85167882817
T3 - Proceedings - 8th IEEE European Symposium on Security and Privacy, EuroS&P 2023
SP - 241
EP - 257
BT - Proceedings - 8th IEEE European Symposium on Security and Privacy, EuroS&P 2023
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 8th IEEE European Symposium on Security and Privacy, EuroS&P 2023
Y2 - 3 July 2023 through 7 July 2023
ER -