Skip to main content
ENHU
Home

Main navigation

  • Discover
    • News
    • Events
    • Tenders
  • Research fields
  • Resources
    • Publications
    • Downloads
    • Brochure
  • About us
  • Partners
  1. Home
  2. Events
Mar 22, 2023 | 2:00pm
online

Client-specific Property Inference against Secure Aggregation in Federated Learning

Link for the seminar
Széchenyi Plusz RRF

The next lecture in the Security sub-project seminar series will be given by Gergely Ács (BME) on Wednesday 22 March at 14:00. The lecture will be held in Hungarian, online (via Microsoft Teams). All interested are welcome!

Abstract:

Client-specific Property Inference against Secure Aggregation in Federated Learning

Federated learning has become a widely used paradigm for collaboratively training a common model among different participants with the help of a central server that coordinates the training.
Although only the model parameters or other model updates are exchanged during the federated training instead of the participant's data, many attacks have shown that it is still possible to infer sensitive information such as membership, property, or outright reconstruction of participant data.

Although differential privacy is considered an effective solution to protect against privacy attacks, it is also criticized for its negative effect on utility. Another possible defense is to use secure aggregation which allows the server to only access the aggregated update instead of each individual one, and it is often more appealing because it does not degrade model quality. However, combining only the aggregated updates, which are generated by a different composition of clients in every round, may still allow the inference of some client-specific information.

We show that simple linear models can effectively capture client-specific properties only from the aggregated model updates due to the linearity of aggregation. We formulate an optimization problem across different rounds in order to infer a tested property of every client from the output of the linear models, for example, whether they have a specific sample in their training data (membership inference) or whether they misbehave and attempt to degrade the performance of the common model by poisoning attacks. Our reconstruction technique is completely passive and undetectable.

We demonstrate the efficacy of our approach on several scenarios which shows that secure aggregation provides very limited privacy guarantees in practice.

Institutes
Read more
Home

LinkedIn

Become a partner

Subscribe to newsletter

Send partnership request

Explore

  • News
  • Events
  • Tenders
  • Publications
  • Downloads
  • Partners

Research fields

  • Foundations of AI
  • Human Language Processing
  • Machine perception
  • Medical, Health and Biology
  • Security and Privacy
  • Sensors, IoT and Telecommunications

Contact us

Hungary, H-1111 Budapest,
Kende u. 13-17.
+36 1 279 6000
@email

© 2020-2021 Artifical Intelligence National Laboratory, Budapest