Malicious server (MS) attacks have enabled the scaling of data stealing in federated learning to large batch sizes and secure aggregation, settings previously considered private. However, many concerns regarding client-side detectability of MS attacks were raised, questioning their practicality once they are publicly known. In this work, for the first time, we thoroughly study the problem of client-side detectability. We demonstrate that most prior MS attacks, which fundamentally rely on one of two key principles, are detectable by principled client-side checks. Further, we formulate desiderata for practical MS attacks and propose SEER, a novel attack framework that satisfies all desiderata, while stealing user data from gradients of realistic networks, even for large batch sizes (up to 512 in our experiments) and under secure aggregation. The key insight of SEER is the use of a secret decoder, which is jointly trained with the shared model. Our work represents a promising first step towards a more principled treatment of MS attacks, paving the way for realistic data stealing that can compromise user privacy in real-world deployments.