Summary of Secure Aggregation Is Not Private Against Membership Inference Attacks, by Khac-hoang Ngo et al.
Secure Aggregation is Not Private Against Membership Inference Attacks
by Khac-Hoang Ngo, Johan Östman, Giuseppe Durisi, Alexandre Graell i Amat
First submitted to arxiv on: 26 Mar 2024
Categories
- Main: Machine Learning (cs.LG)
- Secondary: Cryptography and Security (cs.CR)
GrooveSquid.com Paper Summaries
GrooveSquid.com’s goal is to make artificial intelligence research accessible by summarizing AI papers in simpler terms. Each summary below covers the same AI paper, written at different levels of difficulty. The medium difficulty and low difficulty versions are original summaries written by GrooveSquid.com, while the high difficulty version is the paper’s original abstract. Feel free to learn from the version that suits you best!
| Summary difficulty | Written by | Summary |
|---|---|---|
| High | Paper authors | High Difficulty Summary Read the original abstract here |
| Medium | GrooveSquid.com (original content) | Medium Difficulty Summary A novel analysis of secure aggregation (SecAgg) in federated learning reveals that it provides weak privacy guarantees against membership inference attacks. By treating SecAgg as a local differential privacy (LDP) mechanism for each update, the authors design an attack to infer which update vector a client submitted from two possible options. The study assesses the success probability of this attack and quantifies the LDP guarantees provided by SecAgg. Numerical results show that SecAgg offers poor privacy even in a single training round, making it essential to combine with other privacy-enhancing mechanisms like noise injection. |
| Low | GrooveSquid.com (original content) | Low Difficulty Summary Federated learning is a way for many devices to work together without sharing their own data. A technique called secure aggregation (SecAgg) helps keep individual updates private. But does it really provide good protection? Researchers looked at SecAgg and found that it’s actually not very effective against certain types of attacks. They showed that even in just one training round, an attacker could figure out which device submitted a particular update. This means we need to use additional techniques, like adding random noise, to keep updates private. |
Keywords
* Artificial intelligence * Federated learning * Inference * Probability
