FedCVESA: Taking Away Training Data in Federated Learning via Correlation Value Encoding and Segmented Aggregation

📅 2026-07-08
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses a critical vulnerability in federated learning, where a malicious server can exploit the model’s memorization capability to steal clients’ private training data—a threat inadequately mitigated by existing defenses. The paper presents the first active training data extraction attack under a white-box setting, wherein the adversary embeds private images into designated “payload parameters” by introducing a Pearson correlation regularization term into the client-side loss function. A tailored piecewise aggregation mechanism is further designed to shield these payload parameters from being overwritten by global averaging. Experiments on MNIST, Fashion-MNIST, and CIFAR-10 demonstrate that the proposed method successfully reconstructs semantically meaningful private images from the aggregated model while preserving high accuracy on the primary task, thereby confirming the feasibility and severity of memory-based active data theft in federated learning.
📝 Abstract
Federated learning (FL) avoids explicit data exposure by keeping raw data on local clients, yet privacy risks remain in the training process and the learned model itself. Recently, centralized Taking Away Training Data (TATD) attacks have shown that malicious training could abuse the memorization capacity of deep models to store and later recover training data. However, this memorization-based threat has not been systematically studied under FL environments, where multi-client averaging could overwrite encoded training data. In this paper, we study a white-box TATD attack in which a malicious server selects n target clients from K participating clients and actively writes private training data into the global model during federated training. We propose FedCVESA, a federated variant of Correlation Value Encoding Attack (CVEA), by adding a Pearson-correlation regularizer to the loss function of target clients, so that private training data are gradually encoded into selected model parameters, referred to as carrier parameters. To reduce the overwriting of carrier parameters during server aggregation, we further propose segmented aggregation over dispersed carrier parameters, preserving selected carrier parameters while keeping standard averaging on the remaining parameters. Experiments on MNIST, Fashion-MNIST, and CIFAR-10 under Dirichlet non-IID partitions show that the proposed method can steal semantically meaningful private training images from the trained model while maintaining acceptable main-task utility in a controlled proof-of-concept setting. These results demonstrate that FL can become a parameter-level memorization channel for active TATD attack under the studied white-box malicious-server setting.
Problem

Research questions and friction points this paper is trying to address.

Federated Learning
Privacy Attack
Training Data Memorization
Taking Away Training Data
Model Inversion
Innovation

Methods, ideas, or system contributions that make the work stand out.

Federated Learning
Taking Away Training Data
Correlation Value Encoding
Segmented Aggregation
Privacy Attack
🔎 Similar Papers
2024-10-04IEEE International Symposium on Network Computing and ApplicationsCitations: 3
C
Chongkai Li
Guangdong Provincial Key Laboratory of Novel Security Intelligence Technologies, Institute of Cyberspace Security, School of Computer Science and Technology, Harbin Institute of Technology, Shenzhen 518055, China
B
Bang Zhang
Guangdong Provincial Key Laboratory of Novel Security Intelligence Technologies, Institute of Cyberspace Security, School of Computer Science and Technology, Harbin Institute of Technology, Shenzhen 518055, China
Wenjian Luo
Wenjian Luo
Professor, School of Computer Science and Technology, Harbin Institute of Technology, Shenzhen
AI and SecurityIntelligent SecuritySecure IntelligencePrivacy ComputationImmune Computation