Trojan attribute inference attack on gradient boosting decision trees

We propose a Trojan horse-type attribute inference attack (AIA) against the gradient boosting decision trees (GBDT) in the federated learning setting. Our Trojan AIA consists of a Trojan tree creation and an attribute inference. Both algorithms leverage the characteristics of the federated learning protocol for the GBDT training. First, the adversary creates a decision tree, a Trojan tree, that isolates a target data record from other data records. The adversary sends the Trojan tree to the server through the federated learning protocol at their round. Trojan tree forces the victim's tree to "memorize" a target attribute value of target data record that the adversary wants to know. The adversary can recover the target attribute value by observing the tree submitted by the victim if the victim uses the target data record for training the tree. For the regression task, we derive sufficient conditions for a successful attack. According to our theorem, if the target data record is distinct in the victim's dataset, the proposed attack is always successful. Experiments on multiple datasets and settings show results that align with the above theoretical analysis. Even if some conditions for theoretical analysis are relaxed, the proposed attack outperforms baseline attacks. To the best of our knowledge, this is the first study of an attribute inference attack against the GBDT in the federated learning setting.