SRATTA : Sample Re-ATTribution Attack of Secure Aggregation in Federated Learning

Proceedings of the ... International Conference on Machine Learning. International Conference on Machine Learning Pub Date : 2023-06-13 DOI:10.48550/arXiv.2306.07644

Tanguy Marchand, Regis Loeb, Ulysse Marteau-Ferey, Jean Ogier du Terrail, Arthur Pignet

{"title":"SRATTA : Sample Re-ATTribution Attack of Secure Aggregation in Federated Learning","authors":"Tanguy Marchand, Regis Loeb, Ulysse Marteau-Ferey, Jean Ogier du Terrail, Arthur Pignet","doi":"10.48550/arXiv.2306.07644","DOIUrl":null,"url":null,"abstract":"We consider a cross-silo federated learning (FL) setting where a machine learning model with a fully connected first layer is trained between different clients and a central server using FedAvg, and where the aggregation step can be performed with secure aggregation (SA). We present SRATTA an attack relying only on aggregated models which, under realistic assumptions, (i) recovers data samples from the different clients, and (ii) groups data samples coming from the same client together. While sample recovery has already been explored in an FL setting, the ability to group samples per client, despite the use of SA, is novel. This poses a significant unforeseen security threat to FL and effectively breaks SA. We show that SRATTA is both theoretically grounded and can be used in practice on realistic models and datasets. We also propose counter-measures, and claim that clients should play an active role to guarantee their privacy during training.","PeriodicalId":74529,"journal":{"name":"Proceedings of the ... International Conference on Machine Learning. International Conference on Machine Learning","volume":"16 1","pages":"23886-23914"},"PeriodicalIF":0.0000,"publicationDate":"2023-06-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the ... International Conference on Machine Learning. International Conference on Machine Learning","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.48550/arXiv.2306.07644","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

We consider a cross-silo federated learning (FL) setting where a machine learning model with a fully connected first layer is trained between different clients and a central server using FedAvg, and where the aggregation step can be performed with secure aggregation (SA). We present SRATTA an attack relying only on aggregated models which, under realistic assumptions, (i) recovers data samples from the different clients, and (ii) groups data samples coming from the same client together. While sample recovery has already been explored in an FL setting, the ability to group samples per client, despite the use of SA, is novel. This poses a significant unforeseen security threat to FL and effectively breaks SA. We show that SRATTA is both theoretically grounded and can be used in practice on realistic models and datasets. We also propose counter-measures, and claim that clients should play an active role to guarantee their privacy during training.

查看原文本刊更多论文

联邦学习中安全聚合的样本重归因攻击

我们考虑一个跨竖井联邦学习(FL)设置，其中使用fedag在不同客户端和中央服务器之间训练具有完全连接的第一层的机器学习模型，并且可以使用安全聚合(SA)执行聚合步骤。我们提出的SRATTA攻击仅依赖于聚合模型，在现实的假设下，(i)恢复来自不同客户端的数据样本，(ii)将来自同一客户端的数据样本分组在一起。虽然样品回收率已经在FL设置中进行了探索，但尽管使用了SA，但每个客户分组样品的能力还是新颖的。这对FL构成了重大的不可预见的安全威胁，并有效地破坏了SA。我们表明SRATTA既有理论基础，也可以在实际模型和数据集上使用。我们也提出了相应的对策，并主张客户在培训过程中应发挥积极的作用，保障自己的隐私。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the ... International Conference on Machine Learning. International Conference on Machine Learning

自引率

0.00%

发文量