Federated learning (FL) was originally regarded as a framework for collaborative learning among clients, coordinated by a server, with data privacy protection. In this paper, we propose a new active membership inference (AMI) attack carried out by a dishonest server in FL. In AMI attacks, the server crafts and embeds malicious parameters into global models to effectively infer whether a target data sample is included in a client's private training data. By exploiting the correlation among data features through a non-linear decision boundary, AMI attacks with a certified guarantee of success can achieve severely high success rates even under rigorous local differential privacy (LDP) protection, thereby exposing clients' training data to significant privacy risk. Theoretical and experimental results on several benchmark datasets show that adding enough privacy-preserving noise to prevent our attack would significantly damage FL's model utility.