Traditional defenses against Deep Leakage (DL) attacks in Federated Learning (FL) primarily focus on obfuscation, introducing noise, transformations or encryption to degrade an attacker's ability to reconstruct private data. While effective to some extent, these methods often still leak high-level information such as class distributions or feature representations, and are frequently broken by increasingly powerful denoising attacks. We propose a fundamentally different perspective on FL defense: framing it as a spoofing problem. We introduce SpooFL (Figure 1), a spoofing-based defense that deceives attackers into believing they have recovered the true training data, while actually providing convincing but entirely synthetic samples from an unrelated task. Unlike prior synthetic-data defenses that share classes or distributions with the private data and thus still leak semantic information, SpooFL uses a state-of-the-art generative model trained on an external dataset with no class overlap. As a result, attackers are misled into recovering plausible yet completely irrelevant samples, preventing meaningful data leakage while preserving FL training integrity. We implement the first example of such a spoofing defense, evaluate it against state-of-the-art DL defenses, and demonstrate that it successfully misdirects attackers without significantly compromising model performance.
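The following is an added illustration of the threat the abstract describes and of the spoofing idea, not code from the paper or from the SpooFL implementation (the abstract does not detail its mechanism). It assumes a one-layer linear model with squared-error loss, for which the analytic recovery of an input from a shared fully-connected gradient is textbook: the weight gradient is the outer product of the output error and the input, so dividing any row by its bias gradient returns the input. The "spoof" step here simply substitutes the gradient of a constructed decoy sample drawn from a class set disjoint from the private one; that substitution is a simplification chosen to show what the attacker recovers, not how SpooFL reconciles deception with intact training. All weights, samples and class names are constructed.

```python
"""Toy gradient-inversion demo for a single linear layer (pure Python).

Shows (1) that a client's raw gradient leaks its input exactly, and
(2) that an attacker running the same inversion on a gradient built from a
decoy sample of an unrelated task recovers only the decoy.
Assumption: the decoy-substitution below is illustrative, not SpooFL's method.
"""
from typing import Dict, List, Tuple

Vec = List[float]
Mat = List[List[float]]


def forward_and_grad(W: Mat, b: Vec, x: Vec, y: Vec) -> Tuple[Mat, Vec]:
    """Linear model logits = W x + b, loss = 0.5 * ||logits - y||^2.
    Returns (dL/dW, dL/db). Note dL/dW[i][j] = delta[i] * x[j] and dL/db = delta."""
    logits = [sum(w * xj for w, xj in zip(row, x)) + bi for row, bi in zip(W, b)]
    delta = [l - t for l, t in zip(logits, y)]          # dL/dlogits
    dW = [[d * xj for xj in x] for d in delta]           # outer(delta, x)
    db = delta[:]                                        # dL/db
    return dW, db


def invert_linear_gradient(dW: Mat, db: Vec) -> Vec:
    """Attacker side: any output row with a non-zero bias gradient yields x
    exactly, because dW[i][j] / db[i] = x[j]. No optimisation needed."""
    for row, d in zip(dW, db):
        if abs(d) > 1e-12:
            return [v / d for v in row]
    raise ValueError("all output gradients are zero; nothing to invert")


def classes_disjoint(private_classes: List[str], generator_classes: List[str]) -> bool:
    """Defender-side check matching the abstract's requirement that the
    decoy generator's training data share no classes with the private data."""
    return not set(private_classes) & set(generator_classes)


def attacker_recovers(W: Mat, b: Vec, shared_x: Vec, shared_y: Vec) -> Vec:
    """Whatever sample produced the shared gradient is what the attacker gets back."""
    dW, db = forward_and_grad(W, b, shared_x, shared_y)
    return invert_linear_gradient(dW, db)


def demo() -> Dict[str, Vec]:
    """Constructed model and samples. Returns both attacker reconstructions."""
    W = [[1.0, 0.0, 0.0], [0.0, 1.0, 0.0]]
    b = [0.1, 0.2]
    private_x, private_y = [0.2, -1.0, 0.5], [1.0, 0.0]   # constructed private sample
    decoy_x, decoy_y = [0.9, 0.3, -0.4], [0.0, 1.0]       # constructed decoy from an unrelated task
    # Class disjointness is what keeps the decoy from leaking semantics.
    assert classes_disjoint(["cat", "dog"], ["chair", "lamp"])
    return {
        "undefended": attacker_recovers(W, b, private_x, private_y),  # == private_x
        "spoofed": attacker_recovers(W, b, decoy_x, decoy_y),          # == decoy_x
    }


if __name__ == "__main__":
    for name, rec in demo().items():
        print(name, [round(v, 6) for v in rec])
```

The undefended case is the whole reason DL attacks work on simple layers: nothing about the shared update is hidden. The spoofed case shows the attacker's inversion succeeding perfectly and still yielding nothing about the private sample, which is the property the abstract claims; what the toy omits is how a real deployment keeps the server's model learning from the true data while the attacker sees only the decoy.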