FedCVESA: Taking Away Training Data in Federated Learning via Correlation Value Encoding and Segmented Aggregation

· Source: Takara TLDR - Daily AI Papers · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Expert, medium

Summary

FedCVESA introduces a novel white-box "Taking Away Training Data" (TATD) attack designed for Federated Learning (FL) environments. This attack, a federated variant of Correlation Value Encoding Attack (CVEA), demonstrates how a malicious server can actively embed private training data into a global model. The method involves adding a Pearson-correlation regularizer to the loss function of targeted clients, encoding private data into specific "carrier parameters." To counteract the overwriting effect of multi-client averaging, FedCVESA employs a segmented aggregation strategy, preserving these carrier parameters while applying standard averaging to the rest. Experimental evaluations on MNIST, Fashion-MNIST, and CIFAR-10 datasets, under Dirichlet non-IID partitions, successfully extracted semantically meaningful private training images. Crucially, the attack maintained acceptable main-task utility, confirming that FL can serve as a parameter-level memorization channel for active TATD attacks in a white-box malicious-server setting.

Key takeaway

For AI Security Engineers designing or auditing federated learning systems, you must account for sophisticated white-box data extraction attacks. This research demonstrates that malicious servers can actively embed and recover private training data from global models, even with aggregation. You should implement robust defenses against parameter-level memorization and consider advanced aggregation strategies that prevent targeted data encoding, rather than relying solely on standard privacy-preserving techniques.

Key insights

Federated learning can be exploited by malicious servers to embed and extract private training data.

Principles

Method

FedCVESA adds a Pearson-correlation regularizer to target client loss functions to encode data into "carrier parameters." Segmented aggregation then preserves these parameters during server updates.

In practice

Topics

Code references

Best for: Research Scientist, CTO, VP of Engineering/Data, AI Scientist, Machine Learning Engineer, AI Security Engineer

Related on AIssential

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Takara TLDR - Daily AI Papers.