defense 2026

United We Defend: Collaborative Membership Inference Defenses in Federated Learning

Li Bai 1, Junxu Liu 1,2, Sen Zhang 1, Xinwei Zhang 1, Qingqing Ye 1, Haibo Hu 1,2

0 citations · 80 references · arXiv


Published on arXiv

2601.06866

Membership Inference Attack

OWASP ML Top 10 — ML04

Key Finding

CoFedMID significantly reduces the success of seven membership inference attacks across three datasets while incurring only a small utility loss, outperforming existing independent per-client defenses against trajectory-based MIAs.

CoFedMID

Novel technique introduced


Membership inference attacks (MIAs), which determine whether a specific data point was included in the training set of a target model, have posed severe threats in federated learning (FL). Unfortunately, existing MIA defenses, typically applied independently to each client in FL, are ineffective against powerful trajectory-based MIAs that exploit temporal information throughout the training process to infer membership status. In this paper, we investigate a new FL defense scenario driven by heterogeneous privacy needs and privacy-utility trade-offs, where only a subset of clients are defended, as well as a collaborative defense mode where clients cooperate to mitigate membership privacy leakage. To this end, we introduce CoFedMID, a collaborative defense framework against MIAs in FL, which limits local model memorization of training samples and, through a defender coalition, enhances privacy protection and model utility. Specifically, CoFedMID consists of three modules: a class-guided partition module for selective local training samples, a utility-aware compensation module to recycle contributive samples and prevent their overconfidence, and an aggregation-neutral perturbation module that injects noise for cancellation at the coalition level into client updates. Extensive experiments on three datasets show that our defense framework significantly reduces the performance of seven MIAs while incurring only a small utility loss. These results are consistently verified across various defense settings.


Key Contributions

  • CoFedMID: a three-module collaborative defense framework that unites a subset of FL clients into a defender coalition to jointly mitigate membership inference leakage
  • Aggregation-neutral perturbation module that injects noise into individual client updates designed to cancel at the coalition level, preserving utility while adding local privacy
  • Heterogeneous privacy setting analysis showing that partial, collaborative defense among a subset of clients is both practical and effective against powerful trajectory-based MIAs
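The aggregation-neutral perturbation idea from the list above, as an added sketch that is not the paper's algorithm or code: each defender's update is individually noised, yet the server's weighted average is unchanged. Assumptions: Gaussian noise re-centred by the coalition's weighted mean, sample-count-weighted FedAvg on the server, and hypothetical function names and constructed sample values throughout.

```python
import random

def fedavg(updates, weights):
    """Server-side weighted average of client update vectors."""
    total = sum(weights)
    dim = len(updates[0])
    return [sum(w * u[j] for w, u in zip(weights, updates)) / total
            for j in range(dim)]

def zero_sum_noise(weights, dim, sigma, rng):
    """Per-defender Gaussian noise whose *weighted* sum is zero.

    Assumption: defenders know the weights the server applies to them.
    """
    raw = [[rng.gauss(0.0, sigma) for _ in range(dim)] for _ in weights]
    total = sum(weights)
    # Weighted mean of the raw noise, per coordinate; subtracting it
    # makes sum_i w_i * eps_i vanish inside the coalition.
    mean = [sum(w * r[j] for w, r in zip(weights, raw)) / total
            for j in range(dim)]
    return [[r[j] - mean[j] for j in range(dim)] for r in raw]

def perturb_coalition(updates, weights, coalition, sigma, seed=0):
    """Return a copy of `updates` with noise added only to coalition members."""
    rng = random.Random(seed)
    dim = len(updates[0])
    noise = zero_sum_noise([weights[i] for i in coalition], dim, sigma, rng)
    out = [list(u) for u in updates]
    for i, eps in zip(coalition, noise):
        out[i] = [a + b for a, b in zip(out[i], eps)]
    return out

# Constructed sample round: 5 clients, 4-dimensional updates, unequal data sizes.
UPDATES = [[0.10, -0.20, 0.05, 0.30],
           [0.12, -0.18, 0.02, 0.28],
           [0.08, -0.25, 0.07, 0.33],
           [0.11, -0.21, 0.04, 0.29],
           [0.09, -0.19, 0.06, 0.31]]
WEIGHTS = [500, 200, 300, 800, 200]   # samples per client (constructed)
COALITION = [0, 2, 3]                 # the defended subset of clients

if __name__ == "__main__":
    noisy = perturb_coalition(UPDATES, WEIGHTS, COALITION, sigma=0.5)
    print("client 0 sent:  ", [round(x, 3) for x in noisy[0]])
    print("clean aggregate:", fedavg(UPDATES, WEIGHTS))
    print("noisy aggregate:", fedavg(noisy, WEIGHTS))
```

Subtracting the plain (unweighted) mean cancels only when every coalition member has the same aggregation weight, which is why the re-centring here uses the server's weights.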

🛡️ Threat Analysis

Membership Inference Attack

The paper directly defends against membership inference attacks — the threat of determining whether a specific data point was in a model's training set — which is the canonical ML04 threat. CoFedMID is explicitly evaluated against seven MIA methods including trajectory-based attacks that exploit temporal training signals in federated learning.


Details

Domains
federated-learning, vision
Model Types
federated, cnn
Threat Tags
training_time, inference_time, grey_box
Datasets
CIFAR-10, CIFAR-100, TinyImageNet
Applications
federated learning, image classification