🤖 AI Summary
This work addresses a critical vulnerability in federated learning, where a malicious server can exploit the model’s memorization capability to steal clients’ private training data—a threat inadequately mitigated by existing defenses. The paper presents the first active training data extraction attack under a white-box setting, wherein the adversary embeds private images into designated “payload parameters” by introducing a Pearson correlation regularization term into the client-side loss function. A tailored piecewise aggregation mechanism is further designed to shield these payload parameters from being overwritten by global averaging. Experiments on MNIST, Fashion-MNIST, and CIFAR-10 demonstrate that the proposed method successfully reconstructs semantically meaningful private images from the aggregated model while preserving high accuracy on the primary task, thereby confirming the feasibility and severity of memory-based active data theft in federated learning.
📝 Abstract
Federated learning (FL) avoids explicit data exposure by keeping raw data on local clients, yet privacy risks remain in the training process and the learned model itself. Recently, centralized Taking Away Training Data (TATD) attacks have shown that malicious training could abuse the memorization capacity of deep models to store and later recover training data. However, this memorization-based threat has not been systematically studied under FL environments, where multi-client averaging could overwrite encoded training data. In this paper, we study a white-box TATD attack in which a malicious server selects n target clients from K participating clients and actively writes private training data into the global model during federated training. We propose FedCVESA, a federated variant of Correlation Value Encoding Attack (CVEA), by adding a Pearson-correlation regularizer to the loss function of target clients, so that private training data are gradually encoded into selected model parameters, referred to as carrier parameters. To reduce the overwriting of carrier parameters during server aggregation, we further propose segmented aggregation over dispersed carrier parameters, preserving selected carrier parameters while keeping standard averaging on the remaining parameters. Experiments on MNIST, Fashion-MNIST, and CIFAR-10 under Dirichlet non-IID partitions show that the proposed method can steal semantically meaningful private training images from the trained model while maintaining acceptable main-task utility in a controlled proof-of-concept setting. These results demonstrate that FL can become a parameter-level memorization channel for active TATD attack under the studied white-box malicious-server setting.