Federated learning allows a set of users to train a deep neural network over their private training datasets. During the protocol, datasets never leave the devices of the respective users. This is achieved by requiring each user to send "only" model updates to a central server that, in turn, aggregates them to update the parameters of the deep neural network. However, it has been shown that each model update carries sensitive information about the user's dataset, which can be extracted, e.g., via gradient inversion attacks. The state-of-the-art implementations of federated learning protect these model updates by leveraging secure aggregation: a cryptographic protocol that securely computes the aggregation of the users' model updates. Secure aggregation is pivotal to protecting users' privacy since it hinders the server from learning the value and the source of the individual model updates provided by the users, preventing inference and data attribution attacks. In this work, we show that a malicious server can easily elude secure aggregation as if the latter were not in place. We devise two different attacks capable of inferring information about individual private training datasets, independently of the number of users participating in the secure aggregation. This makes them concrete threats in large-scale, real-world federated learning applications. The attacks are generic and do not target any specific secure aggregation protocol. They are equally effective even if the secure aggregation protocol is replaced by its ideal functionality, which provides a perfect level of security. Our work demonstrates that secure aggregation has been incorrectly combined with federated learning and that current implementations offer only a "false sense of security".
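To make the guarantee that the attacks circumvent concrete, below is a minimal, illustrative sketch of one common secure aggregation construction based on pairwise additive masking (in the spirit of Bonawitz et al.). All function names, shapes, and values are hypothetical and not taken from the paper: each pair of users agrees on a shared random mask that one adds and the other subtracts, so individual masked updates look random to the server while the masks cancel exactly in the aggregate.

```python
import random

def pairwise_masks(n_users, dim, seed=0):
    """For each user pair (i, j), derive a shared random mask:
    user i adds it, user j subtracts it, so all masks cancel in the sum."""
    rng = random.Random(seed)
    masks = [[0.0] * dim for _ in range(n_users)]
    for i in range(n_users):
        for j in range(i + 1, n_users):
            m = [rng.uniform(-1.0, 1.0) for _ in range(dim)]
            for k in range(dim):
                masks[i][k] += m[k]  # user i adds the shared mask
                masks[j][k] -= m[k]  # user j subtracts it
    return masks

def secure_aggregate(updates):
    """Server-side view: it receives only masked updates and can
    recover nothing but their element-wise sum."""
    n, dim = len(updates), len(updates[0])
    masks = pairwise_masks(n, dim)
    masked = [[u[k] + masks[i][k] for k in range(dim)]
              for i, u in enumerate(updates)]
    # Each individual masked update is statistically hidden by its masks;
    # summing them cancels the masks and yields the plain aggregate.
    return [sum(row[k] for row in masked) for k in range(dim)]

updates = [[1.0, 2.0], [3.0, 4.0], [5.0, 6.0]]
agg = secure_aggregate(updates)
# agg is (up to floating-point error) the element-wise sum of the updates
```

Note that even this idealized construction only hides *individual* updates; the paper's point is that a malicious server can defeat the privacy goal regardless, so the sketch describes what the attacks bypass, not how they work.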