Recent studies have revealed that federated learning (FL), once considered secure due to clients not sharing their private data with the server, is vulnerable to attacks such as client-side training data distribution inference, where a malicious client can recreate the victim's data. While various countermeasures exist, they are not practical, often assuming server access to some training data or knowledge of label distribution before the attack. In this work, we bridge the gap by proposing InferGuard, a novel Byzantine-robust aggregation rule aimed at defending against client-side training data distribution inference attacks. In our proposed InferGuard, the server first calculates the coordinate-wise median of all the model updates it receives. A client's model update is considered malicious if it significantly deviates from the computed median update. We conduct a thorough evaluation of our proposed InferGuard on five benchmark datasets and perform a comparison with ten baseline methods. The results of our experiments indicate that our defense mechanism is highly effective in protecting against client-side training data distribution inference attacks, even against strong adaptive attacks. Furthermore, our method substantially outperforms the baseline methods in various practical FL scenarios.
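A minimal illustration of the aggregation rule described above, written as an added example rather than the paper's own code. The deviation criterion (L2 distance from the coordinate-wise median, cut off at a fixed multiple of the median of all clients' distances) and the sample updates are my assumptions, since the abstract does not specify them.

```python
"""Added example: coordinate-wise median with deviation-based filtering.

Assumption (not stated on the page): an update is flagged when its L2
distance from the coordinate-wise median exceeds `threshold_factor` times
the median of all clients' distances. The paper's exact rule may differ.
"""
from statistics import median
from typing import List, Sequence, Tuple

Update = Sequence[float]


def coordinate_wise_median(updates: Sequence[Update]) -> List[float]:
    """Median taken independently in every coordinate of the model update."""
    dim = len(updates[0])
    return [median(u[i] for u in updates) for i in range(dim)]


def l2_distance(a: Update, b: Update) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


def infer_guard_aggregate(updates: Sequence[Update],
                          threshold_factor: float = 3.0) -> Tuple[List[float], List[int]]:
    """Return (aggregated update, indices of updates flagged as malicious).

    Flagged updates are dropped and the rest are averaged; if every update is
    flagged, the server falls back to the median update itself.
    """
    med = coordinate_wise_median(updates)
    dists = [l2_distance(u, med) for u in updates]
    scale = median(dists)
    # Floor the scale so identical updates (all distances 0) flag nothing.
    cutoff = threshold_factor * max(scale, 1e-12)
    flagged = [i for i, d in enumerate(dists) if d > cutoff]
    kept = [u for i, u in enumerate(updates) if i not in flagged]
    if not kept:
        return med, flagged
    return [sum(u[i] for u in kept) / len(kept) for i in range(len(med))], flagged


# Constructed sample: five benign clients with similar updates and one
# client whose update lies far from the others (assumed, not from the paper).
BENIGN = [
    [0.10, -0.20, 0.30],
    [0.12, -0.18, 0.28],
    [0.09, -0.22, 0.31],
    [0.11, -0.19, 0.29],
    [0.10, -0.21, 0.30],
]
OUTLIER = [[5.0, 5.0, -5.0]]

if __name__ == "__main__":
    agg, flagged = infer_guard_aggregate(BENIGN + OUTLIER)
    print("flagged:", flagged, "aggregate:", agg)
```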