Malicious server (MS) attacks have enabled the scaling of data stealing in federated learning to large batch sizes and secure aggregation, settings previously considered private. However, many concerns regarding client-side detectability of MS attacks were raised, questioning their practicality once they are publicly known. In this work, for the first time, we thoroughly study the problem of client-side detectability. We demonstrate that most prior MS attacks, which fundamentally rely on one of two key principles, are detectable by principled client-side checks. Further, we formulate desiderata for practical MS attacks and propose SEER, a novel attack framework that satisfies all desiderata, while stealing user data from gradients of realistic networks, even for large batch sizes (up to 512 in our experiments) and under secure aggregation. The key insight of SEER is the use of a secret decoder, which is jointly trained with the shared model. Our work represents a promising first step towards a more principled treatment of MS attacks, paving the way for realistic data stealing that can compromise user privacy in real-world deployments.