Federated learning has become a widely used paradigm for collaboratively training a common model among different participants with the help of a central server that coordinates the training. Although only the model parameters or other model updates are exchanged during federated training instead of the participants' data, many attacks have shown that it is still possible to infer sensitive information such as membership, properties, or even an outright reconstruction of participant data. Although differential privacy is considered an effective solution to protect against privacy attacks, it is also criticized for its negative effect on utility. Another possible defense is secure aggregation, which allows the server to access only the aggregated update instead of each individual one; it is often more appealing because it does not degrade model quality. However, combining only the aggregated updates, which are generated by a different composition of clients in every round, may still allow the inference of some client-specific information. In this paper, we show that simple linear models can effectively capture client-specific properties from the aggregated model updates alone, due to the linearity of aggregation. We formulate an optimization problem across different rounds in order to infer a tested property of every client from the output of the linear models, for example, whether they have a specific sample in their training data (membership inference) or whether they misbehave and attempt to degrade the performance of the common model by poisoning attacks. Our reconstruction technique is completely passive and undetectable. We demonstrate the efficacy of our approach in several scenarios, which shows that secure aggregation provides very limited privacy guarantees in practice. The source code will be released upon publication.
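The leakage the abstract describes rests on one algebraic fact: a linear model applied to a mean of updates equals the mean of the model applied to each update. The toy below, an added example that is not the paper's code, makes that concrete for a defender evaluating a secure-aggregation deployment. The client updates, the linear property model (`W`, `B`) and the participation schedule are all constructed here, and each client's update is assumed to stay fixed across rounds (a simplifying assumption). The server-side observer sees only `secure_aggregate` outputs; with changing cohorts the resulting linear system over rounds is invertible and every client's individual score is recovered, while with the same cohort every round the system is singular and `infer_client_scores` reports that clients are not identifiable.

```python
"""Why aggregate-only access still leaks per-client scores under a linear
property model when cohorts change between rounds. Added example, not the
paper's code; all data below is constructed."""

# Constructed per-client model updates (4 clients, 3 parameters each).
CLIENT_UPDATES = {
    0: [0.5, -1.0, 2.0],
    1: [1.5, 0.5, -0.5],
    2: [-2.0, 1.0, 0.0],
    3: [0.0, 2.5, 1.0],
}

# Constructed linear property model: score(x) = W.x + B. In the paper this
# model is trained to detect a property of an individual update; here it
# is just an assumed set of weights.
W = [1.0, 2.0, -1.0]
B = 0.3


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def score(update):
    """Linear property model applied to an update (or to an aggregate)."""
    return dot(W, update) + B


def secure_aggregate(cohort):
    """What the server sees for one round: only the cohort's mean update."""
    n = len(cohort)
    dim = len(CLIENT_UPDATES[next(iter(cohort))])
    return [sum(CLIENT_UPDATES[c][k] for c in cohort) / n for k in range(dim)]


def design_matrix(schedule, num_clients):
    """Row r holds 1/|S_r| for every client in round r's cohort, 0 elsewhere."""
    return [[(1.0 / len(cohort) if c in cohort else 0.0) for c in range(num_clients)]
            for cohort in schedule]


def solve(matrix, rhs, eps=1e-9):
    """Gaussian elimination with partial pivoting on a square system.
    Returns None when the system is singular, i.e. the participation
    schedule does not make individual clients identifiable."""
    n = len(matrix)
    a = [row[:] + [rhs[i]] for i, row in enumerate(matrix)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        if abs(a[pivot][col]) < eps:
            return None
        a[col], a[pivot] = a[pivot], a[col]
        for r in range(n):
            if r != col:
                f = a[r][col] / a[col][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [a[i][n] / a[i][i] for i in range(n)]


def infer_client_scores(schedule, num_clients):
    """Recover each client's individual score W.x_i + B from per-round
    aggregate scores only. Because score(mean) - B = sum_i (1/|S|) * W.x_i,
    the unknowns z_i = W.x_i satisfy a linear system whose rows are the
    cohorts; one round per client gives a square system."""
    observed = [score(secure_aggregate(cohort)) for cohort in schedule]
    z = solve(design_matrix(schedule, num_clients), [y - B for y in observed])
    if z is None:
        return None  # singular: same cohort every round, nothing to separate
    return [zi + B for zi in z]


def true_client_scores(num_clients):
    """Ground truth the server is never supposed to see."""
    return [score(CLIENT_UPDATES[c]) for c in range(num_clients)]


if __name__ == "__main__":
    rotating = [{0, 1, 2}, {1, 2, 3}, {0, 2, 3}, {0, 1, 3}]
    print("rotating cohorts:", infer_client_scores(rotating, 4))
    print("ground truth:    ", true_client_scores(4))
    print("fixed cohort:    ", infer_client_scores([{0, 1, 2, 3}] * 4, 4))
```

The practical check this suggests for an operator is whether the participation design matrix over the rounds an observer can collect has full column rank; if it does, any linear score of the aggregates separates into per-client scores exactly, and only something that breaks the linearity or adds noise to the aggregate (the differential-privacy route the abstract contrasts with) changes that.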