Federated Learning is expected to provide strong privacy guarantees, as only gradients or model parameters, but never plain-text training data, are exchanged, either between the clients or between the clients and the central server. In this paper, we challenge this claim by introducing a simple but still very effective membership inference attack algorithm, which relies only on a single training step. In contrast to the popular honest-but-curious model, we investigate a framework with a dishonest central server. Our strategy is applicable to models with ReLU activations and uses the properties of this activation function to achieve perfect accuracy. Empirical evaluation on visual classification tasks with the MNIST, CIFAR10, CIFAR100 and CelebA datasets shows that our method provides perfect accuracy in identifying one sample in a training set with thousands of samples. Occasional failures of our method lead us to discover duplicate images in the CIFAR100 and CelebA datasets.