FedCVESA: Taking Away Training Data in Federated Learning via Correlation Value Encoding and Segmented Aggregation
Summary
FedCVESA introduces a novel white-box "Taking Away Training Data" (TATD) attack designed for Federated Learning (FL) environments. This attack, a federated variant of Correlation Value Encoding Attack (CVEA), demonstrates how a malicious server can actively embed private training data into a global model. The method involves adding a Pearson-correlation regularizer to the loss function of targeted clients, encoding private data into specific "carrier parameters." To counteract the overwriting effect of multi-client averaging, FedCVESA employs a segmented aggregation strategy, preserving these carrier parameters while applying standard averaging to the rest. Experimental evaluations on MNIST, Fashion-MNIST, and CIFAR-10 datasets, under Dirichlet non-IID partitions, successfully extracted semantically meaningful private training images. Crucially, the attack maintained acceptable main-task utility, confirming that FL can serve as a parameter-level memorization channel for active TATD attacks in a white-box malicious-server setting.
Key takeaway
For AI Security Engineers designing or auditing federated learning systems, you must account for sophisticated white-box data extraction attacks. This research demonstrates that malicious servers can actively embed and recover private training data from global models, even with aggregation. You should implement robust defenses against parameter-level memorization and consider advanced aggregation strategies that prevent targeted data encoding, rather than relying solely on standard privacy-preserving techniques.
Key insights
Federated learning can be exploited by malicious servers to embed and extract private training data.
Principles
- Deep models memorize training data.
- Selective aggregation can preserve encoded data.
- Correlation regularizers embed private data.
Method
FedCVESA adds a Pearson-correlation regularizer to target client loss functions to encode data into "carrier parameters." Segmented aggregation then preserves these parameters during server updates.
In practice
- Implement correlation-based data encoding.
- Design aggregation to protect specific parameters.
- Test FL systems for parameter-level data leakage.
Topics
- Federated Learning
- Data Privacy
- White-box Attacks
- Data Extraction
- Model Memorization
- Correlation Encoding
- Segmented Aggregation
Code references
Best for: Research Scientist, CTO, VP of Engineering/Data, AI Scientist, Machine Learning Engineer, AI Security Engineer
Related on AIssential
See Counsel's argued verdicts on the open AI decisions leaders are weighing →
Editorial summary, takeaway, and curation by AIssential. Original article published by Takara TLDR - Daily AI Papers.