In this paper, we initiate the study of local model reconstruction attacks for federated learning, where a honest-but-curious adversary eavesdrops the messages exchanged between a targeted client and the server, and then reconstructs the local/personalized model of the victim. The local model reconstruction attack allows the adversary to trigger other classical attacks in a more effective way, since the local model only depends on the client's data and can leak more private information than the global model learned by the server. Additionally, we propose a novel model-based attribute inference attack in federated learning leveraging the local model reconstruction attack. We provide an analytical lower-bound for this attribute inference attack. Empirical results using real world datasets confirm that our local reconstruction attack works well for both regression and classification tasks. Moreover, we benchmark our novel attribute inference attack against the state-of-the-art attacks in federated learning. Our attack results in higher reconstruction accuracy especially when the clients' datasets are heterogeneous. Our work provides a new angle for designing powerful and explainable attacks to effectively quantify the privacy risk in FL.

翻译：本文开创性地研究了联邦学习中的本地模型重构攻击，其中诚实但好奇的敌手通过窃听目标客户端与服务器之间的通信消息，重构受害者的本地/个性化模型。由于本地模型仅取决于客户端数据，且比服务器学习的全局模型可能泄露更多隐私信息，该攻击能使敌手以更高效的方式触发其他经典攻击。此外，我们提出一种基于本地模型重构攻击的新型联邦学习属性推断攻击，并给出了该攻击的理论下界分析。基于真实数据集的实验结果表明，我们的本地重构攻击在回归和分类任务中均表现良好。进一步地，我们将新型属性推断攻击与联邦学习领域最先进的攻击方法进行对比验证。实验证明，当客户端数据呈现异构特性时，我们的攻击能实现更高的重构准确率。本研究为设计高效且可解释的攻击方法提供了新视角，以更有效地量化联邦学习中的隐私风险。