FedCVESA: Taking Away Training Data in Federated Learning via Correlation Value Encoding and Segmented Aggregation

· Source: Machine Learning · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Expert, quick

Summary

FedCVESA, a novel federated variant of the Correlation Value Encoding Attack (CVEA), demonstrates a white-box malicious-server attack capable of actively stealing private training data in federated learning (FL) environments. Published on 2026-07-08, this method targets n clients from K participants, encoding private data into selected "carrier parameters" of the global model. It achieves this by adding a Pearson-correlation regularizer to the target clients' loss functions. To prevent overwriting during server aggregation, FedCVESA employs segmented aggregation, preserving carrier parameters while standard averaging applies to others. Experiments on MNIST, Fashion-MNIST, and CIFAR-10 with Dirichlet non-IID partitions successfully recovered semantically meaningful private images, maintaining acceptable main-task utility. This research confirms FL can serve as a parameter-level memorization channel for active data exfiltration.

Key takeaway

For AI Security Engineers evaluating federated learning deployments, you must account for active "Taking Away Training Data" (TATD) attacks, even with multi-client averaging. Your FL systems are vulnerable to malicious servers actively encoding and recovering private data, necessitating robust server-side validation and client-side anomaly detection. Consider implementing mechanisms to detect unusual parameter updates or correlation patterns during aggregation.

Key insights

Federated learning can be exploited by malicious servers to actively encode and recover private training data.

Principles

Method

FedCVESA integrates a Pearson-correlation regularizer into target client loss functions to encode data into "carrier parameters." It then uses segmented aggregation to protect these parameters from overwriting during server-side model updates.

In practice

Topics

Best for: Research Scientist, CTO, VP of Engineering/Data, AI Scientist, AI Security Engineer

Related on AIssential

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Machine Learning.