Membership inference attacks (MIAs), which determine whether a specific data point was included in the training set of a target model, have posed severe threats in federated learning (FL). Unfortunately, existing MIA defenses, typically applied independently to each client in FL, are ineffective against powerful trajectory-based MIAs that exploit temporal information throughout the training process to infer membership status. In this paper, we investigate a new FL defense scenario driven by heterogeneous privacy needs and privacy-utility trade-offs, where only a subset of clients are defended, as well as a collaborative defense mode where clients cooperate to mitigate membership privacy leakage. To this end, we introduce CoFedMID, a collaborative defense framework against MIAs in FL, which limits local model memorization of training samples and, through a defender coalition, enhances privacy protection and model utility. Specifically, CoFedMID consists of three modules: a class-guided partition module for selective local training samples, a utility-aware compensation module to recycle contributive samples and prevent their overconfidence, and an aggregation-neutral perturbation module that injects noise for cancellation at the coalition level into client updates. Extensive experiments on three datasets show that our defense framework significantly reduces the performance of seven MIAs while incurring only a small utility loss. These results are consistently verified across various defense settings.

翻译：成员推理攻击（MIAs）通过判断特定数据点是否包含在目标模型的训练集中，对联邦学习（FL）构成了严重威胁。遗憾的是，现有的MIA防御方法通常独立应用于FL中的每个客户端，难以抵御强大的基于训练轨迹的MIAs——这类攻击利用整个训练过程中的时序信息来推断成员状态。本文研究了一种由异构隐私需求与隐私-效用权衡驱动的新型FL防御场景：仅部分客户端受到保护，同时客户端通过协作模式共同缓解成员隐私泄露。为此，我们提出了CoFedMID——一种针对FL中MIAs的协作式防御框架，该框架通过限制本地模型对训练样本的记忆，并借助防御者联盟增强隐私保护与模型效用。具体而言，CoFedMID包含三个模块：用于选择性本地训练样本的类别引导划分模块、通过回收贡献样本并防止其过度自信的效用感知补偿模块，以及在联盟层面为客户端更新注入可抵消噪声的聚合中立扰动模块。在三个数据集上的大量实验表明，我们的防御框架能显著降低七种MIAs的攻击性能，同时仅产生微小的效用损失。这些结果在不同防御设置下均得到了一致验证。