Poisoning as a Post-Protection: Mitigating Membership Privacy Leakage From Gradient and Prediction of Federated Models

Published: 01 Jan 2025, Last Modified: 25 Sept 2025. IEEE Trans. Dependable Secur. Comput. 2025. License: CC BY-SA 4.0
Abstract: Federated learning (FL) is a distributed learning paradigm that enables multiple clients to train a unified model without sharing their private data. However, recent works demonstrate that FL models are vulnerable to membership inference attacks (MIAs), which infer whether a given data sample was used to train a given FL model. Existing countermeasures either require far-reaching modifications of the FL training process or enforce extra processing in the prediction phase, making them unlikely to be applied well in practice. In this article, we design a post-protection mechanism, dubbed P$^{2}$-Protection, which degrades the inference performance of MIAs by simultaneously poisoning the prediction and the gradient of the target FL model, reducing the privacy leakage of the training data while preserving the model's prediction accuracy. P$^{2}$-Protection involves only one additional training round to embed the poisoned prediction and gradient into the target FL model, without requiring model retraining or modification of the training process. We evaluate P$^{2}$-Protection and compare it with two state-of-the-art defenses against three MIAs on five realistic datasets. Experimental results show that P$^{2}$-Protection outperforms the existing defenses by offering limited implementation overhead and an improved utility-privacy trade-off.