Recent studies have revealed that federated learning (FL), once considered secure because clients never share their private data with the server, is vulnerable to attacks such as client-side training data distribution inference, in which a malicious client can reconstruct a victim client's data. While various countermeasures exist, they are not practical, often assuming that the server has access to some training data or knows the label distribution before the attack. In this work, we bridge this gap by proposing InferGuard, a novel Byzantine-robust aggregation rule aimed at defending against client-side training data distribution inference attacks. In InferGuard, the server first calculates the coordinate-wise median of all the model updates it receives. A client's model update is considered malicious if it significantly deviates from the computed median update. We conduct a thorough evaluation of InferGuard on five benchmark datasets and compare it with ten baseline methods. The results of our experiments indicate that our defense mechanism is highly effective in protecting against client-side training data distribution inference attacks, even against strong adaptive attacks. Furthermore, our method substantially outperforms the baseline methods in various practical FL scenarios.
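The median-deviation filtering step described above, as an added illustrative implementation that is not the paper's code. It assumes a concrete deviation score (L2 distance of each update from the coordinate-wise median) and a concrete flagging rule (score above `factor` times the median score across clients), neither of which the abstract specifies; the client updates are constructed sample data.

```python
"""Median-deviation filter in the spirit of InferGuard (illustrative, not the paper's code).

Assumed scoring rule: each client's update is scored by its L2 distance from the
coordinate-wise median update; an update is flagged as malicious when its score
exceeds `factor` times the median score across all clients.
"""
from statistics import median
from typing import List, Sequence, Tuple

Update = Sequence[float]

# Constructed sample: five benign clients with similar updates and one client
# whose update is far from the rest (e.g. a scaled, attacker-crafted update).
SAMPLE_UPDATES: List[Update] = [
    [1.0, -1.0, 0.5],
    [1.1, -0.9, 0.6],
    [0.9, -1.1, 0.4],
    [1.05, -1.0, 0.5],
    [0.95, -1.0, 0.55],
    [40.0, -40.0, 20.0],  # outlier
]


def coordinate_wise_median(updates: List[Update]) -> List[float]:
    """Per-coordinate median over all received client updates."""
    return [median(col) for col in zip(*updates)]


def l2_distance(a: Update, b: Update) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


def filter_updates(updates: List[Update], factor: float = 3.0,
                   eps: float = 1e-12) -> Tuple[List[int], List[int]]:
    """Return (benign_indices, flagged_indices) under the assumed scoring rule."""
    med = coordinate_wise_median(updates)
    scores = [l2_distance(u, med) for u in updates]
    # eps floor avoids a zero threshold when most updates are identical.
    threshold = factor * max(median(scores), eps)
    flagged = [i for i, s in enumerate(scores) if s > threshold]
    benign = [i for i in range(len(updates)) if i not in flagged]
    return benign, flagged


def aggregate(updates: List[Update], factor: float = 3.0) -> List[float]:
    """Average only the updates that survive the median-deviation filter."""
    benign, _ = filter_updates(updates, factor)
    kept = [updates[i] for i in benign]
    return [sum(col) / len(kept) for col in zip(*kept)]


if __name__ == "__main__":
    print("flagged clients:", filter_updates(SAMPLE_UPDATES)[1])
    print("aggregated update:", aggregate(SAMPLE_UPDATES))
```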