Federated Learning (FL) has been proposed as a privacy-preserving solution
for machine learning. However, recent works have shown that Federated Learning
can leak private client data through membership attacks. In this paper, we show
that the effectiveness of these attacks on the clients negatively correlates
with the size of the client datasets and model complexity. Based on this
finding, we propose model-agnostic Federated Learning as a privacy-enhancing
solution because it enables the use of models of varying complexity in the
clients. To this end, we present $\texttt{MaPP-FL}$, a novel privacy-aware FL
approach that leverages model compression on the clients while keeping a full
model on the server. We compare the performance of $\texttt{MaPP-FL}$ against
state-of-the-art model-agnostic FL methods on the CIFAR-10, CIFAR-100, and
FEMNIST vision datasets. Our experiments show the effectiveness of
$\texttt{MaPP-FL}$ in preserving the clients' and the server's privacy while
achieving competitive classification accuracies.

基于研究成果，我们提出了一种新的隐私感知性联邦学习方法 $	exttt {MaPP-FL}$，通过在客户端上利用模型压缩并在服务器上保持完整模型，实现了同时保护客户端和服务器隐私的功能，并取得了有竞争力的分类准确性。

利用模型压缩解决联合学习中的会员推导攻击

Addressing Membership Inference Attack in Federated Learning with Model  Compression

Machine learning models are increasingly made available to the masses through
public query interfaces. Recent academic work has demonstrated that malicious
users who can query such models are able to infer sensitive information about
records within the training data. Differential privacy can thwart such attacks,
but not all models can be readily trained to achieve this guarantee or to
achieve it with acceptable utility loss. As a result, if a model is trained
without differential privacy guarantee, little is known or can be said about
the privacy risk of releasing it. In this work, we investigate and analyze
membership attacks to understand why and how they succeed. Based on this
understanding, we propose Differential Training Privacy (DTP), an empirical
metric to estimate the privacy risk of publishing a classier when methods such
as differential privacy cannot be applied. DTP is a measure of a classier with
respect to its training dataset, and we show that calculating DTP is efficient
in many practical cases. We empirically validate DTP using state-of-the-art
machine learning models such as neural networks trained on real-world datasets.
Our results show that DTP is highly predictive of the success of membership
attacks and therefore reducing DTP also reduces the privacy risk. We advocate
for DTP to be used as part of the decision-making process when considering
publishing a classifier. To this end, we also suggest adopting the DTP-1
hypothesis: if a classifier has a DTP value above 1, it should not be
published.

研究机器学习模型，提出用 Differential Training Privacy（DTP）来评估发布分类器的隐私风险，并倡导使用 DTP 作为决策过程中的参考，如若分类器 DTP 的值高于 1，则不应发布。