In this paper, we initiate the study of local model reconstruction attacks for federated learning, where an honest-but-curious adversary eavesdrops on the messages exchanged between a targeted client and the server, and then reconstructs the local/personalized model of the victim. The local model reconstruction attack allows the adversary to trigger other classical attacks in a more effective way, since the local model only depends on the client's data and can leak more private information than the global model learned by the server. Additionally, we propose a novel model-based attribute inference attack in federated learning leveraging the local model reconstruction attack. We provide an analytical lower bound for this attribute inference attack. Empirical results using real-world datasets confirm that our local reconstruction attack works well for both regression and classification tasks. Moreover, we benchmark our novel attribute inference attack against the state-of-the-art attacks in federated learning. Our attack results in higher reconstruction accuracy, especially when the clients' datasets are heterogeneous. Our work provides a new angle for designing powerful and explainable attacks to effectively quantify the privacy risk in FL.