Search papers, labs, and topics across Lattice.
This paper investigates the vulnerability of federated learning (FL) to a white-box Taking Away Training Data (TATD) attack, where a malicious server exploits the model's memorization capacity to encode private training data from selected clients. The authors introduce FedCVESA, which enhances the Correlation Value Encoding Attack by incorporating a Pearson-correlation regularizer to ensure that specific model parameters, termed carrier parameters, retain encoded private data during aggregation. Experimental results on various datasets reveal that this method can successfully extract semantically meaningful private images while preserving the overall utility of the model, highlighting a critical security risk in FL systems.
Federated learning can be exploited to encode and extract private training data, revealing a surprising vulnerability in multi-client environments.
Federated learning (FL) avoids explicit data exposure by keeping raw data on local clients, yet privacy risks remain in the training process and the learned model itself. Recently, centralized Taking Away Training Data (TATD) attacks have shown that malicious training could abuse the memorization capacity of deep models to store and later recover training data. However, this memorization-based threat has not been systematically studied under FL environments, where multi-client averaging could overwrite encoded training data. In this paper, we study a white-box TATD attack in which a malicious server selects n target clients from K participating clients and actively writes private training data into the global model during federated training. We propose FedCVESA, a federated variant of Correlation Value Encoding Attack (CVEA), by adding a Pearson-correlation regularizer to the loss function of target clients, so that private training data are gradually encoded into selected model parameters, referred to as carrier parameters. To reduce the overwriting of carrier parameters during server aggregation, we further propose segmented aggregation over dispersed carrier parameters, preserving selected carrier parameters while keeping standard averaging on the remaining parameters. Experiments on MNIST, Fashion-MNIST, and CIFAR-10 under Dirichlet non-IID partitions show that the proposed method can steal semantically meaningful private training images from the trained model while maintaining acceptable main-task utility in a controlled proof-of-concept setting. These results demonstrate that FL can become a parameter-level memorization channel for active TATD attack under the studied white-box malicious-server setting.