FedCVESA: Taking Away Training Data in Federated Learning via Correlation Value Encoding and Segmented Aggregation
Summary
FedCVESA, a novel federated variant of the Correlation Value Encoding Attack (CVEA), demonstrates a white-box malicious-server attack capable of actively stealing private training data in federated learning (FL) environments. Published on 2026-07-08, this method targets n clients from K participants, encoding private data into selected "carrier parameters" of the global model. It achieves this by adding a Pearson-correlation regularizer to the target clients' loss functions. To prevent overwriting during server aggregation, FedCVESA employs segmented aggregation, preserving carrier parameters while standard averaging applies to others. Experiments on MNIST, Fashion-MNIST, and CIFAR-10 with Dirichlet non-IID partitions successfully recovered semantically meaningful private images, maintaining acceptable main-task utility. This research confirms FL can serve as a parameter-level memorization channel for active data exfiltration.
Key takeaway
For AI Security Engineers evaluating federated learning deployments, you must account for active "Taking Away Training Data" (TATD) attacks, even with multi-client averaging. Your FL systems are vulnerable to malicious servers actively encoding and recovering private data, necessitating robust server-side validation and client-side anomaly detection. Consider implementing mechanisms to detect unusual parameter updates or correlation patterns during aggregation.
Key insights
Federated learning can be exploited by malicious servers to actively encode and recover private training data.
Principles
- Pearson-correlation regularizers can encode data into model parameters.
- Segmented aggregation preserves specific parameters during FL averaging.
- FL environments are vulnerable to active data exfiltration attacks.
Method
FedCVESA integrates a Pearson-correlation regularizer into target client loss functions to encode data into "carrier parameters." It then uses segmented aggregation to protect these parameters from overwriting during server-side model updates.
In practice
- Implement Pearson-correlation regularizers for data encoding.
- Apply segmented aggregation to protect specific parameters.
- Test on non-IID datasets like MNIST, CIFAR-10.
Topics
- Federated Learning
- Data Privacy
- TATD Attacks
- Model Memorization
- Correlation Value Encoding
- Segmented Aggregation
Best for: Research Scientist, CTO, VP of Engineering/Data, AI Scientist, AI Security Engineer
Related on AIssential
Editorial summary, takeaway, and curation by AIssential. Original article published by Machine Learning.