BI-GAN: Batch Inversion Membership Inference Attack on Federated Learning

Vo, H; Tang, M; Zheng, X; Yu, S

BI-GAN: Batch Inversion Membership Inference Attack on Federated Learning

Vo, H

Tang, M Zheng, X Yu, S

Permalink

Publisher:: ACM
Publication Type:: Conference Proceeding
Citation:: Proceedings of the 17th ACM Workshop on Mobility in the Evolving Internet Architecture, MobiArch 2022, 2022, pp. 31-36
Issue Date:: 2022-10-21

Open Access

Copyright Clearance Process

Recently Added
In Progress
Open Access

This item is open access.

Adobe PDF

Download Submitted versionAdobe PDF (851.27 kB)

View on publisher's site

View statistics

Full metadata record

Field	Value	Language
dc.contributor.author	Vo, H https://orcid.org/0000-0002-2709-2924
dc.contributor.author	Tang, M
dc.contributor.author	Zheng, X
dc.contributor.author	Yu, S https://orcid.org/0000-0003-4485-6743
dc.date.accessioned	2023-01-25T00:13:42Z
dc.date.available	2023-01-25T00:13:42Z
dc.date.issued	2022-10-21
dc.identifier.citation	Proceedings of the 17th ACM Workshop on Mobility in the Evolving Internet Architecture, MobiArch 2022, 2022, pp. 31-36
dc.identifier.isbn	9781450395182
dc.identifier.uri	http://hdl.handle.net/10453/165419
dc.description.abstract	Federated Learning is a growing advanced collaborative machine learning framework that aims to preserve user-privacy data. However, multiple researchers have investigated attack methods from the server side via gradient inversion techniques or Generative Adversarial Networks (GAN) to reconstruct the raw data distributions from users. In this paper, we propose Batch Inversion GAN (BI-GAN), a novel membership inference attack that can recover user-level batch images from local updates, utilizing both gradient inversion techniques and GAN. Our attack is more stealthy since it only requires access to gradients and does not interfere with the global model performance and is more robust in terms of image batch recovery and victim classification. The experiments show that our attack recovers higher quality images of the victim with higher accuracy compared to other attacks.
dc.language	en
dc.publisher	ACM
dc.relation	http://purl.org/au-research/grants/arc/LP190100676
dc.relation.ispartof	Proceedings of the 17th ACM Workshop on Mobility in the Evolving Internet Architecture, MobiArch 2022
dc.relation.ispartof	Proceedings of the 17th ACM Workshop on Mobility in the Evolving Internet Architecture
dc.relation.isbasedon	10.1145/3556548.3559636
dc.rights	info:eu-repo/semantics/openAccess
dc.rights	200?2 © ACM YEAR. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in PUBLICATION: Proceedings of the 17th ACM Workshop on Mobility in the Evolving Internet Architecture, MobiArch 2022 {VOL#, ISS#, DATE 21 Oct 2022 DIO: https://dl.acm.org/doi/10.1145/3556548.3559636
dc.title	BI-GAN: Batch Inversion Membership Inference Attack on Federated Learning
dc.type	Conference Proceeding
pubs.organisational-group	/University of Technology Sydney
pubs.organisational-group	/University of Technology Sydney/Faculty of Engineering and Information Technology
pubs.organisational-group	/University of Technology Sydney/Faculty of Engineering and Information Technology/School of Computer Science
utslib.copyright.status	open_access	*
dc.date.updated	2023-01-25T00:13:40Z
pubs.publication-status	Published

Abstract:

Federated Learning is a growing advanced collaborative machine learning framework that aims to preserve user-privacy data. However, multiple researchers have investigated attack methods from the server side via gradient inversion techniques or Generative Adversarial Networks (GAN) to reconstruct the raw data distributions from users. In this paper, we propose Batch Inversion GAN (BI-GAN), a novel membership inference attack that can recover user-level batch images from local updates, utilizing both gradient inversion techniques and GAN. Our attack is more stealthy since it only requires access to gradients and does not interfere with the global model performance and is more robust in terms of image batch recovery and victim classification. The experiments show that our attack recovers higher quality images of the victim with higher accuracy compared to other attacks.

Please use this identifier to cite or link to this item:

http://hdl.handle.net/10453/165419