[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-84215-en":3,"doc-seo-84215-105":29,"detail-sidebar-cat-0-en-105":91},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":20,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":21,"language":22,"language_code":23,"site_id":24,"html_lang":23,"table_of_contents":25,"faqs":26,"seo_title":13,"seo_description":14,"update_tm":27,"read_time":28},84215,962075114101,"Seraphina","https://ap-avatar.wpscdn.com/avatar/e000253a75eb197efd?x-image-process=image/resize,m_fixed,w_180,h_180&k=1780044092746381165",8,"Research & Report","FedCVESA: Taking Away Training Data in Federated Learning via Correlation Value Encoding and Segmented Aggregation","Federated learning keeps raw data on local clients, but privacy leakage can still occur through model updates and memorization. This paper studies a white-box Taking Away Training Data (TATD) attack in federated learning, where a malicious server selects target clients and actively writes private training data into the global model during training. FedCVESA adapts Correlation Value Encoding Attack by adding a Pearson-correlation regularizer and introduces segmented aggregation to reduce overwriting of carrier parameters. Experiments on MNIST, Fashion-MNIST, and CIFAR-10 under Dirichlet non-IID partitions demonstrate semantic image theft while preserving acceptable utility.","arXiv :2607 .073 14v 1 [ cs .LG] 8 Jul 2026  \nFedCVESA: Taking Away Training Data in Federated Learning via Correlation Value Encoding and Segmented Aggregation  \nChongkai Li 1 , Bang Zhang 1 , and Wenjian Luo 1 ⋆  \nGuangdong Provincial Key Laboratory of Novel Security Intelligence Technologies, Institute of Cyberspace Security, School of Computer Science and Technology, Harbin Institute of Technology, Shenzhen 518055, China  \nAbstract. Federated learning (FL) avoids explicit data exposure by keeping raw data on local clients, yet privacy risks remain in the training process and the learned model itself. Recently, centralized Taking Away Training Data (TATD) attacks have shown that malicious training could abuse the memorization capacity of deep models to store and later recover training data. However, this memorization-based threat has not been systematically studied under FL environments, where multi-client averaging could overwrite encoded training data. In this paper, we study a white-box TATD attack in which a malicious server selects n target clients from K participating clients and actively writes private training data into the global model during federated training. We propose FedCVESA, a federated variant of Correlation Value Encoding Attack (CVEA), by adding a Pearson-correlation regularizer to the loss function of target clients, so that private training data are gradually encoded into selected model parameters, referred to as carrier parameters. To reduce the overwriting of carrier parameters during server aggregation, we further propose segmented aggregation over dispersed carrier parameters, preserving selected carrier parameters while keeping standard averaging on the remaining parameters. Experiments on MNIST, Fashion-MNIST, and CIFAR-10 under Dirichlet non-IID partitions show that the proposed method can steal semantically meaningful private training images from the trained model while maintaining acceptable main-task utility in a controlled proof-of-concept setting. These results demonstrate that FL can become a parameter-level memorization channel for active TATD attack under the studied white-box malicious-server setting.  \nKeywords: Federated learning · privacy leakage · white-box attack · Taking Away Training Data · Correlation Value Encoding Attack  \n1 Introduction  \nFederated learning (FL) allows multiple clients to jointly train a model without directly sharing raw training data, and has therefore become a standard  \n⋆ Corresponding author.  \n2 C. Li et al.  \nparadigm for privacy-sensitive applications such as healthcare, finance, and mobile intelligence [24, 16, 38, 20] . However, the slogan “data never leaves the device”should not be mistaken for end-to-end privacy protection. Model updates still expose rich information about local training data, and a sufficiently capable adversary can exploit gradients or parameters to infer private data [44, 10, 27, 34, 3] .  \nMost existing white-box data leakage attacks against FL focus on gradient inversion. Representative methods such as DLG, iDLG, and GradInversion recover input training data by matching dummy gradients to observed gradients [44, 43, 41, 15] . These attacks demonstrate that gradients leak substantial information, yet they remain fundamentally passive: the attacker can only reconstruct whatever information is already exposed by the observed updates.  \nCentralized Taking Away Training Data (TATD) attacks study a different privacy risk: malicious training can force a model to remember training data. Early work showed that models can be intentionally trained to remember too much [30] . Subsequent attacks encoded training data through parameter combinations, exploited unused model capacity for training-data leakage in a black-box setting, hiding leakage behind backdoor-style triggers, or stored information in output confidences [21, 22, 39, 40, 26] . These studies reveal that model memorization can be turned into a data-stealing channel in centrali","cbCaivbmKclpNEJA","https://ap.wps.com/l/cbCaivbmKclpNEJA","pdf",1066926,1,17,"English","en",105,"# Introduction\n## Background and Motivation\n## Threat Model and Gap\n## Proposed Method: FedCVESA\n## Contributions and Validation","[{\"question\":\"What privacy risk does the paper focus on in federated learning?\",\"answer\":\"The paper focuses on memorization-based privacy leakage, where malicious training can cause the global model to store and later recover private training data.\"},{\"question\":\"How does FedCVESA encode private training data during federated training?\",\"answer\":\"FedCVESA adds a Pearson-correlation regularizer to the loss of selected target clients so private data are gradually encoded into a subset of model parameters, termed carrier parameters.\"},{\"question\":\"How does segmented aggregation help against overwriting during server aggregation?\",\"answer\":\"Segmented aggregation preserves dispersed carrier parameters across aggregation, while applying standard averaging to the remaining parameters to reduce loss of the encoded information.\"}]",1784194049,43,{"code":4,"msg":30,"data":31},"ok",{"site_id":24,"language":23,"slug":32,"title":13,"keywords":33,"description":14,"schema_data":34,"social_meta":86,"head_meta":88,"extra_data":90,"updated_unix":27},"fedcvesa-taking-away-training-data-in-federated-learning-via-correlation-value-encoding-and-segmented-aggregation","",{"@graph":35,"@context":85},[36,53,68],{"@type":37,"itemListElement":38},"BreadcrumbList",[39,43,47,50],{"item":40,"name":41,"@type":42,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":44,"name":45,"@type":42,"position":46},"https://docshare.wps.com/document/","Document",2,{"item":48,"name":12,"@type":42,"position":49},"https://docshare.wps.com/document/research-report/",3,{"item":51,"name":13,"@type":42,"position":52},"https://docshare.wps.com/document/fedcvesa-taking-away-training-data-in-federated-learning-via-correlation-value-encoding-and-segmented-aggregation/84215/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":23,"description":14,"dateModified":61,"datePublished":62,"encodingFormat":60,"isAccessibleForFree":63,"interactionStatistic":64},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":40,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-17","2026-07-16",true,{"@type":65,"interactionType":66,"userInteractionCount":20},"InteractionCounter",{"@type":67},"ViewAction",{"@type":69,"mainEntity":70},"FAQPage",[71,77,81],{"name":72,"@type":73,"acceptedAnswer":74},"What privacy risk does the paper focus on in federated learning?","Question",{"text":75,"@type":76},"The paper focuses on memorization-based privacy leakage, where malicious training can cause the global model to store and later recover private training data.","Answer",{"name":78,"@type":73,"acceptedAnswer":79},"How does FedCVESA encode private training data during federated training?",{"text":80,"@type":76},"FedCVESA adds a Pearson-correlation regularizer to the loss of selected target clients so private data are gradually encoded into a subset of model parameters, termed carrier parameters.",{"name":82,"@type":73,"acceptedAnswer":83},"How does segmented aggregation help against overwriting during server aggregation?",{"text":84,"@type":76},"Segmented aggregation preserves dispersed carrier parameters across aggregation, while applying standard averaging to the remaining parameters to reduce loss of the encoded information.","https://schema.org",{"og:url":51,"og:type":87,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":89,"canonical":51},"index,follow",{"doc_id":7,"site_id":24},{"code":4,"msg":5,"data":92},[93,97,101,105,110,115,120,123,128,131,135],{"id":20,"doc_module":4,"doc_module_name":45,"category_name":94,"show_sort_weight":95,"slug":96},"Story & Novel",90,"story-novel",{"id":46,"doc_module":4,"doc_module_name":45,"category_name":98,"show_sort_weight":99,"slug":100},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":45,"category_name":102,"show_sort_weight":103,"slug":104},"Exam",70,"exam",{"id":106,"doc_module":4,"doc_module_name":45,"category_name":107,"show_sort_weight":108,"slug":109},5,"Comic",60,"comic",{"id":111,"doc_module":4,"doc_module_name":45,"category_name":112,"show_sort_weight":113,"slug":114},6,"Technology",50,"technology",{"id":116,"doc_module":4,"doc_module_name":45,"category_name":117,"show_sort_weight":118,"slug":119},7,"Healthcare",40,"healthcare",{"id":11,"doc_module":4,"doc_module_name":45,"category_name":12,"show_sort_weight":121,"slug":122},30,"research-report",{"id":124,"doc_module":4,"doc_module_name":45,"category_name":125,"show_sort_weight":126,"slug":127},9,"Religion & Spirituality",20,"religion-spirituality",{"id":126,"doc_module":4,"doc_module_name":45,"category_name":129,"show_sort_weight":126,"slug":130},"World Cup","world-cup",{"id":132,"doc_module":4,"doc_module_name":45,"category_name":133,"show_sort_weight":132,"slug":134},10,"Lifestyle","lifestyle",{"id":136,"doc_module":4,"doc_module_name":45,"category_name":137,"show_sort_weight":106,"slug":138},19,"General","general"]