We consider a cross-silo federated learning (FL) setting in which a machine learning model with a fully connected first layer is trained between different clients and a central server using FedAvg, and in which the aggregation step can be performed with secure aggregation (SA). We present SRATTA, an attack relying only on aggregated models which, under realistic assumptions, (i) recovers data samples from the different clients, and (ii) groups data samples coming from the same client together. While sample recovery has already been explored in an FL setting, the ability to group samples per client, despite the use of SA, is novel. This poses a significant, previously unforeseen security threat to FL and effectively breaks SA. We show that SRATTA is both theoretically grounded and usable in practice on realistic models and datasets. We also propose countermeasures, and argue that clients should play an active role in guaranteeing their privacy during training.