Fingerprint attack: client de-anonymization in federated learning

Qiongka Xu; Trevor Cohn; Olga Ohrimenko

doi:10.3233/FAIA230590

Fingerprint attack: client de-anonymization in federated learning

Qiongka Xu^*, Trevor Cohn, Olga Ohrimenko

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference proceeding contribution › peer-review

2 Citations (Scopus)

54 Downloads (Pure)

Abstract

Federated Learning allows collaborative training without data sharing in settings where participants do not trust the central server and one another. Privacy can be further improved by ensuring that communication between the participants and the server is anonymized through a shuffle; decoupling the participant identity from their data. This paper seeks to examine whether such a defense is adequate to guarantee anonymity, by proposing a novel fingerprinting attack over gradients sent by the participants to the server. We show that clustering of gradients can easily break the anonymization in an empirical study of learning federated language models on two language corpora. We then show that training with differential privacy can provide a practical defense against our fingerprint attack.

Original language	English
Title of host publication	ECAI 2023
Subtitle of host publication	26th European Conference on Artificial Intelligence September 30–October 4, 2023, Kraków, Poland including 12th Conference on Prestigious Applications of Intelligent Systems (PAIS 2023) proceedings
Editors	Kobi Gal, Ann Nowé, Grzegorz J. Nalepa, Roy Fairstein, Roxana Rădulescu
Place of Publication	Amsterdam, Netherlands
Publisher	IOS Press
Pages	2792-2801
Number of pages	10
ISBN (Electronic)	9781643684376
ISBN (Print)	9781643684369
DOIs	https://doi.org/10.3233/FAIA230590
Publication status	Published - 2023
Externally published	Yes
Event	26th European Conference on Artificial Intelligence, ECAI 2023 - Krakow, Poland Duration: 30 Sept 2023 → 4 Oct 2023

Publication series

Name	Frontiers in Artificial Intelligence and Applications
Publisher	IOS Press
Volume	372

Conference

Conference	26th European Conference on Artificial Intelligence, ECAI 2023
Country/Territory	Poland
City	Krakow
Period	30/09/23 → 4/10/23

Bibliographical note

Copyright the Author(s) 2023. Version archived for private and non-commercial use with the permission of the author/s and according to publisher conditions. For further rights please contact the publisher.

Access to Document

10.3233/FAIA230590Licence: CC BY-NC

Publisher version (open access)Final published version, 481 KBLicence: CC BY-NC

Cite this

Xu, Q., Cohn, T., & Ohrimenko, O. (2023). Fingerprint attack: client de-anonymization in federated learning. In K. Gal, A. Nowé, G. J. Nalepa, R. Fairstein, & R. Rădulescu (Eds.), ECAI 2023: 26th European Conference on Artificial Intelligence September 30–October 4, 2023, Kraków, Poland including 12th Conference on Prestigious Applications of Intelligent Systems (PAIS 2023) proceedings (pp. 2792-2801). (Frontiers in Artificial Intelligence and Applications; Vol. 372). IOS Press. https://doi.org/10.3233/FAIA230590

Xu, Qiongka ; Cohn, Trevor ; Ohrimenko, Olga. / Fingerprint attack : client de-anonymization in federated learning. ECAI 2023: 26th European Conference on Artificial Intelligence September 30–October 4, 2023, Kraków, Poland including 12th Conference on Prestigious Applications of Intelligent Systems (PAIS 2023) proceedings. editor / Kobi Gal ; Ann Nowé ; Grzegorz J. Nalepa ; Roy Fairstein ; Roxana Rădulescu. Amsterdam, Netherlands : IOS Press, 2023. pp. 2792-2801 (Frontiers in Artificial Intelligence and Applications).

@inproceedings{488f1360893f41ceb3c9557e8fbc2b0e,

title = "Fingerprint attack: client de-anonymization in federated learning",

abstract = "Federated Learning allows collaborative training without data sharing in settings where participants do not trust the central server and one another. Privacy can be further improved by ensuring that communication between the participants and the server is anonymized through a shuffle; decoupling the participant identity from their data. This paper seeks to examine whether such a defense is adequate to guarantee anonymity, by proposing a novel fingerprinting attack over gradients sent by the participants to the server. We show that clustering of gradients can easily break the anonymization in an empirical study of learning federated language models on two language corpora. We then show that training with differential privacy can provide a practical defense against our fingerprint attack.",

author = "Qiongka Xu and Trevor Cohn and Olga Ohrimenko",

note = "Copyright the Author(s) 2023. Version archived for private and non-commercial use with the permission of the author/s and according to publisher conditions. For further rights please contact the publisher.; 26th European Conference on Artificial Intelligence, ECAI 2023 ; Conference date: 30-09-2023 Through 04-10-2023",

year = "2023",

doi = "10.3233/FAIA230590",

language = "English",

isbn = " 9781643684369",

series = "Frontiers in Artificial Intelligence and Applications",

publisher = "IOS Press",

pages = "2792--2801",

editor = "Kobi Gal and Ann Now{\'e} and Nalepa, {Grzegorz J.} and Roy Fairstein and Roxana R{\u a}dulescu",

booktitle = "ECAI 2023",

address = "Netherlands",

}

Xu, Q, Cohn, T & Ohrimenko, O 2023, Fingerprint attack: client de-anonymization in federated learning. in K Gal, A Nowé, GJ Nalepa, R Fairstein & R Rădulescu (eds), ECAI 2023: 26th European Conference on Artificial Intelligence September 30–October 4, 2023, Kraków, Poland including 12th Conference on Prestigious Applications of Intelligent Systems (PAIS 2023) proceedings. Frontiers in Artificial Intelligence and Applications, vol. 372, IOS Press, Amsterdam, Netherlands, pp. 2792-2801, 26th European Conference on Artificial Intelligence, ECAI 2023, Krakow, Poland, 30/09/23. https://doi.org/10.3233/FAIA230590

Fingerprint attack: client de-anonymization in federated learning. / Xu, Qiongka; Cohn, Trevor; Ohrimenko, Olga.
ECAI 2023: 26th European Conference on Artificial Intelligence September 30–October 4, 2023, Kraków, Poland including 12th Conference on Prestigious Applications of Intelligent Systems (PAIS 2023) proceedings. ed. / Kobi Gal; Ann Nowé; Grzegorz J. Nalepa; Roy Fairstein; Roxana Rădulescu. Amsterdam, Netherlands: IOS Press, 2023. p. 2792-2801 (Frontiers in Artificial Intelligence and Applications; Vol. 372).

Research output: Chapter in Book/Report/Conference proceeding › Conference proceeding contribution › peer-review

TY - GEN

T1 - Fingerprint attack

T2 - 26th European Conference on Artificial Intelligence, ECAI 2023

AU - Xu, Qiongka

AU - Cohn, Trevor

AU - Ohrimenko, Olga

N1 - Copyright the Author(s) 2023. Version archived for private and non-commercial use with the permission of the author/s and according to publisher conditions. For further rights please contact the publisher.

PY - 2023

Y1 - 2023

N2 - Federated Learning allows collaborative training without data sharing in settings where participants do not trust the central server and one another. Privacy can be further improved by ensuring that communication between the participants and the server is anonymized through a shuffle; decoupling the participant identity from their data. This paper seeks to examine whether such a defense is adequate to guarantee anonymity, by proposing a novel fingerprinting attack over gradients sent by the participants to the server. We show that clustering of gradients can easily break the anonymization in an empirical study of learning federated language models on two language corpora. We then show that training with differential privacy can provide a practical defense against our fingerprint attack.

AB - Federated Learning allows collaborative training without data sharing in settings where participants do not trust the central server and one another. Privacy can be further improved by ensuring that communication between the participants and the server is anonymized through a shuffle; decoupling the participant identity from their data. This paper seeks to examine whether such a defense is adequate to guarantee anonymity, by proposing a novel fingerprinting attack over gradients sent by the participants to the server. We show that clustering of gradients can easily break the anonymization in an empirical study of learning federated language models on two language corpora. We then show that training with differential privacy can provide a practical defense against our fingerprint attack.

UR - http://www.scopus.com/inward/record.url?scp=85175847100&partnerID=8YFLogxK

U2 - 10.3233/FAIA230590

DO - 10.3233/FAIA230590

M3 - Conference proceeding contribution

SN - 9781643684369

T3 - Frontiers in Artificial Intelligence and Applications

SP - 2792

EP - 2801

BT - ECAI 2023

A2 - Gal, Kobi

A2 - Nowé, Ann

A2 - Nalepa, Grzegorz J.

A2 - Fairstein, Roy

A2 - Rădulescu, Roxana

PB - IOS Press

CY - Amsterdam, Netherlands

Y2 - 30 September 2023 through 4 October 2023

ER -

Xu Q, Cohn T, Ohrimenko O. Fingerprint attack: client de-anonymization in federated learning. In Gal K, Nowé A, Nalepa GJ, Fairstein R, Rădulescu R, editors, ECAI 2023: 26th European Conference on Artificial Intelligence September 30–October 4, 2023, Kraków, Poland including 12th Conference on Prestigious Applications of Intelligent Systems (PAIS 2023) proceedings. Amsterdam, Netherlands: IOS Press. 2023. p. 2792-2801. (Frontiers in Artificial Intelligence and Applications). doi: 10.3233/FAIA230590

Fingerprint attack: client de-anonymization in federated learning

Abstract

Publication series

Conference

Bibliographical note

Access to Document

Other files and links

Fingerprint

Cite this