Evaluating Mitigation Strategies for Membership Inference Attacks in Federated Learning
Evaluates differential privacy as a defense against membership inference attacks in federated learning, revealing counterintuitive results where DP increased attack success on overfit models.
About This Project
This project implements a federated learning environment that trains a Wide ResNet 28-4 on CIFAR-100 and systematically evaluates differential privacy (DP) as a defense against membership inference attacks (MIA). It is built in PyTorch on the Flower framework for federated learning simulation; differential privacy can be toggled on or off via Opacus, and black-box shadow-model attacks are run with the Adversarial Robustness Toolbox (ART). Training uses FedAvg aggregation across multiple simulated clients for 300 server rounds, with 4 local epochs per client and 75% of clients sampled in each round.

The research produced counterintuitive findings. Enabling local differential privacy caused evaluation accuracy to fall from 54.8% to 7.52% (an 86.2% relative decrease), yet membership inference attack success rose from 70.64% to 84.33%. The explanation is that the models were already severely overfit: rather than narrowing the gap between the confidence assigned to training members and to non-members, DP widened it, and that gap is precisely the signal a black-box shadow-model attack thresholds on. The models therefore became easier to exploit, not harder.

These results show that differential privacy is not a universal defense against membership inference; its effectiveness depends critically on how well the model fits the data. On overfit models, DP can paradoxically increase privacy vulnerability while destroying utility. The work was carried out for a Master of Science in Computer Science at the University of Central Florida and investigates privacy-utility tradeoffs in collaborative machine learning systems.
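To make the mechanism behind the result concrete, here is an added, self-contained illustration of a black-box shadow-model membership inference attack; it is not the project's own ART/Flower/Opacus pipeline. Because a black-box attacker only sees model outputs, each model is abstracted as the top-1 confidence it emits for a query, drawn from constructed Gaussian distributions for members and non-members (the `ConfidenceModel` class, the three scenario parameter sets and the use of balanced accuracy as the "attack success" metric are all assumptions of this example). The attacker calibrates a confidence threshold on a shadow model whose membership it knows, then applies that threshold to the target. The third scenario mirrors the situation the page reports: overall confidence (and accuracy) has collapsed, but the member/non-member gap has widened, so the attack does better, not worse.

```python
"""Black-box, shadow-model membership inference on prediction confidences.

Added illustration; it is not the project's ART/Flower/Opacus pipeline.
A black-box attacker only sees the target model's outputs, so each model is
abstracted here as the top-1 softmax confidence it emits for a query.
Member/non-member confidences are drawn from constructed Gaussian
distributions (clipped to [0, 1]); their separation stands in for the
degree of overfitting.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class ConfidenceModel:
    """Stand-in for a queried model: returns only top-1 confidences (constructed)."""
    member_mean: float      # typical confidence on its own training points
    nonmember_mean: float   # typical confidence on unseen points
    spread: float           # std-dev of both distributions
    seed: int

    def confidences(self, members: bool, n: int) -> list[float]:
        rng = random.Random(self.seed * 2 + int(members))
        mean = self.member_mean if members else self.nonmember_mean
        return [min(1.0, max(0.0, rng.gauss(mean, self.spread))) for _ in range(n)]


def fit_threshold(shadow_member: list[float], shadow_nonmember: list[float]) -> float:
    """Shadow-model step.

    The attacker trains a shadow model on data it controls, so it knows which
    points are members, and picks the confidence threshold that best separates
    member from non-member outputs. Only this threshold is carried over to the
    target model; no access to the target's training set is needed.
    """
    best_t, best_correct = 0.0, -1
    for t in sorted(set(shadow_member + shadow_nonmember)):
        correct = sum(c >= t for c in shadow_member) + sum(c < t for c in shadow_nonmember)
        if correct > best_correct:
            best_t, best_correct = t, correct
    return best_t


def attack_accuracy(threshold: float, target_member: list[float],
                    target_nonmember: list[float]) -> float:
    """Balanced accuracy of the rule 'member iff confidence >= threshold'.

    0.5 means the attacker does no better than a coin flip; 1.0 is a perfect
    leak. Balanced accuracy avoids rewarding a trivially skewed guess.
    """
    tpr = sum(c >= threshold for c in target_member) / len(target_member)
    tnr = sum(c < threshold for c in target_nonmember) / len(target_nonmember)
    return (tpr + tnr) / 2


def run_attack(target: ConfidenceModel, shadow: ConfidenceModel, n: int = 2000) -> float:
    """End-to-end black-box MIA: calibrate on the shadow, score on the target."""
    t = fit_threshold(shadow.confidences(True, n), shadow.confidences(False, n))
    return attack_accuracy(t, target.confidences(True, n), target.confidences(False, n))


# Constructed scenarios. The shadow model mimics the target's training
# procedure but uses its own seed/data, as a real attacker's shadow would.
WELL_FIT = ConfidenceModel(member_mean=0.80, nonmember_mean=0.75, spread=0.12, seed=1)
OVERFIT = ConfidenceModel(member_mean=0.95, nonmember_mean=0.70, spread=0.12, seed=1)
# A model whose overall confidence (and accuracy) collapsed but whose
# member/non-member gap widened: the situation the page reports after DP.
DEGRADED_WIDE_GAP = ConfidenceModel(member_mean=0.60, nonmember_mean=0.20, spread=0.12, seed=1)


def compare() -> dict[str, float]:
    """Attack accuracy per scenario; each shadow shares its target's parameters."""
    results = {}
    for name, target in [("well_fit", WELL_FIT), ("overfit", OVERFIT),
                         ("degraded_wide_gap", DEGRADED_WIDE_GAP)]:
        shadow = ConfidenceModel(target.member_mean, target.nonmember_mean,
                                 target.spread, seed=7)
        results[name] = run_attack(target, shadow)
    return results


if __name__ == "__main__":
    for name, acc in compare().items():
        print(f"{name:>18}: attack accuracy {acc:.3f}")
```

Running the script prints three attack accuracies that rank well_fit < overfit < degraded_wide_gap, which is the point: what the attacker exploits is the separability of member and non-member confidences, not the absolute confidence level or the model's accuracy, so a defense that lowers accuracy while widening that gap helps the attacker. ART's black-box attack trains a learned attack model on the full output vector rather than a single threshold, but the signal it learns from is the same.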