User Label Leakage from Gradients in Federated Learning
- URL: http://arxiv.org/abs/2105.09369v1
- Date: Wed, 19 May 2021 19:21:05 GMT
- Title: User Label Leakage from Gradients in Federated Learning
- Authors: Aidmar Wainakh, Fabrizio Ventola, Till Müßig, Jens Keim, Carlos Garcia Cordero, Ephraim Zimmer, Tim Grube, Kristian Kersting, and Max Mühlhäuser
- Abstract summary: Federated learning enables multiple users to build a joint model by sharing their model updates (gradients).
We propose Label Leakage from Gradients (LLG), a novel attack to extract the labels of the users' training data from their shared gradients.
- Score: 12.239472997714804
- License: http://creativecommons.org/licenses/by-nc-nd/4.0/
- Abstract: Federated learning enables multiple users to build a joint model by sharing
their model updates (gradients), while their raw data remains local on their
devices. In contrast to the common belief that this provides privacy benefits,
we here add to the very recent results on privacy risks when sharing gradients.
Specifically, we propose Label Leakage from Gradients (LLG), a novel attack to
extract the labels of the users' training data from their shared gradients. The
attack exploits the direction and magnitude of gradients to determine the
presence or absence of any label. LLG is simple yet effective, capable of
leaking potentially sensitive information represented by labels, and scales well
to arbitrary batch sizes and multiple classes. We empirically and
mathematically demonstrate the validity of our attack under different settings.
Moreover, empirical results show that LLG successfully extracts labels with
high accuracy at the early stages of model training. We also discuss different
defense mechanisms against such leakage. Our findings suggest that gradient
compression is a practical technique to prevent our attack.
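
To make the leaked signal concrete, here is a minimal PyTorch sketch of the kind of heuristic LLG builds on: with ReLU features feeding a cross-entropy classification head, the row of the last layer's weight gradient belonging to a class that occurs in the batch tends to sum to a negative value, and its magnitude grows with the number of occurrences. The toy model, random data, and crude calibration below are illustrative assumptions, not the authors' exact procedure (the paper calibrates the per-sample impact more carefully).

```python
# Illustrative sketch (assumed setup): infer which labels occur in a batch,
# and roughly how often, from the shared gradient of the last linear layer.
import torch
import torch.nn as nn
import torch.nn.functional as F

torch.manual_seed(0)
num_classes, feat_dim, batch_size = 10, 32, 8

# Victim model: ReLU feature extractor followed by a linear classification head.
model = nn.Sequential(nn.Linear(feat_dim, 64), nn.ReLU(), nn.Linear(64, num_classes))
x = torch.randn(batch_size, feat_dim)
y = torch.randint(0, num_classes, (batch_size,))       # private labels, unknown to the attacker

loss = F.cross_entropy(model(x), y)
grads = torch.autograd.grad(loss, list(model.parameters()))   # what a client would share
gW_last = grads[-2]                                           # last-layer weight gradient, shape (C, 64)

# Direction: with non-negative (ReLU) features, the row-sum of the last-layer
# weight gradient tends to be negative exactly for classes present in the batch.
row_sums = gW_last.sum(dim=1)
present = (row_sums < 0).nonzero(as_tuple=True)[0]

# Magnitude: assume each occurrence of a label adds a similar negative "impact";
# here the impact is crudely calibrated from the detected classes themselves.
impact = row_sums[present].sum() / batch_size
counts = torch.zeros(num_classes, dtype=torch.long)
for c in present:
    counts[c] = max(1, int(torch.round(row_sums[c] / impact)))

print("true label counts    :", torch.bincount(y, minlength=num_classes).tolist())
print("inferred label counts:", counts.tolist())
```

Consistent with the defense discussed in the abstract, compressing the gradient (e.g. zeroing all but the largest-magnitude entries before sharing) destroys much of the sign and magnitude information this heuristic relies on.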
Related papers
- CENSOR: Defense Against Gradient Inversion via Orthogonal Subspace Bayesian Sampling [63.07948989346385]
Federated learning collaboratively trains a neural network on a global server.
Each local client receives the current global model weights and sends back parameter updates (gradients) based on its local private data.
Existing gradient inversion attacks can exploit this vulnerability to recover private training instances from a client's gradient vectors.
We present a novel defense tailored for large neural network models.
arXiv Detail & Related papers (2025-01-27T01:06:23Z)
- Building Gradient Bridges: Label Leakage from Restricted Gradient Sharing in Federated Learning [21.799571403101904]
Gradient Bridge (GDBR) recovers the label distribution of training data from the limited gradient information shared in federated learning (FL).
Experiments show that GDBR can accurately recover more than 80% of labels in various FL settings.
arXiv Detail & Related papers (2024-12-17T08:03:38Z)
- Training on Fake Labels: Mitigating Label Leakage in Split Learning via Secure Dimension Transformation [10.404379188947383]
Two-party split learning has been shown to be vulnerable to label inference attacks.
We propose a novel two-party split learning method to defend against existing label inference attacks.
arXiv Detail & Related papers (2024-10-11T09:25:21Z)
- LabObf: A Label Protection Scheme for Vertical Federated Learning Through Label Obfuscation [10.224977496821154]
Split Neural Network is popular in industry due to its privacy-preserving characteristics.
However, malicious participants may still infer label information from the uploaded embeddings, leading to privacy leakage.
We propose a new label obfuscation defense strategy, called LabObf, which randomly maps each original integer-valued label to multiple real-valued soft labels.
arXiv Detail & Related papers (2024-05-27T10:54:42Z)
- Understanding Deep Gradient Leakage via Inversion Influence Functions [53.1839233598743]
Deep Gradient Leakage (DGL) is a highly effective attack that recovers private training images from gradient vectors.
We propose a novel Inversion Influence Function (I$^2$F) that establishes a closed-form connection between the recovered images and the private gradients.
We empirically demonstrate that I$^2$F effectively approximates DGL across different model architectures, datasets, attack implementations, and perturbation-based defenses.
arXiv Detail & Related papers (2023-09-22T17:26:24Z)
- Client-side Gradient Inversion Against Federated Learning from Poisoning [59.74484221875662]
Federated Learning (FL) enables distributed participants to train a global model without sharing data directly with a central server.
Recent studies have revealed that FL is vulnerable to gradient inversion attack (GIA), which aims to reconstruct the original training samples.
We propose Client-side poisoning Gradient Inversion (CGI), a novel attack that can be launched from clients.
arXiv Detail & Related papers (2023-09-14T03:48:27Z)
- Label Inference Attack against Split Learning under Regression Setting [24.287752556622312]
We study label leakage in the regression setting, where the private labels are continuous values.
We propose a novel learning-based attack that integrates gradient information and extra learning regularization objectives.
arXiv Detail & Related papers (2023-01-18T03:17:24Z)
- Protecting Split Learning by Potential Energy Loss [70.81375125791979]
We focus on the privacy leakage from the forward embeddings of split learning.
We propose a potential energy loss that makes the forward embeddings more 'complicated'.
arXiv Detail & Related papers (2022-10-18T06:21:11Z)
- CAFE: Catastrophic Data Leakage in Vertical Federated Learning [65.56360219908142]
Recent studies show that private training data can be leaked through the gradients sharing mechanism deployed in distributed machine learning systems.
We propose an advanced data leakage attack with theoretical justification to efficiently recover batch data from the shared aggregated gradients.
arXiv Detail & Related papers (2021-10-26T23:22:58Z)
- Staircase Sign Method for Boosting Adversarial Attacks [123.19227129979943]
Crafting adversarial examples for transfer-based attacks is challenging and remains a research hotspot.
We propose a novel Staircase Sign Method (S$^2$M) to alleviate this issue, thus boosting transfer-based attacks.
Our method can be generally integrated into any transfer-based attacks, and the computational overhead is negligible.
arXiv Detail & Related papers (2021-04-20T02:31:55Z)
- iDLG: Improved Deep Leakage from Gradients [36.14340188365505]
It is widely believed that sharing gradients will not leak private training data in distributed learning systems.
We propose a simple but reliable approach to extract accurate data from the gradients.
Our approach is valid for any differentiable model trained with cross-entropy loss over one-hot labels.
arXiv Detail & Related papers (2020-01-08T16:45:09Z)
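
The iDLG entry above admits an especially clean illustration for batch size one: with cross-entropy over one-hot labels, the gradient with respect to the logits is negative only at the ground-truth class, so the true-class row of the last layer's weight gradient has a negative inner product with every other row. The sketch below (an assumed toy model in PyTorch, not the paper's implementation) applies that rule.

```python
# Illustrative sketch (assumed setup): recover the label of a single training
# sample from the last-layer weight gradient, in the spirit of iDLG.
import torch
import torch.nn as nn
import torch.nn.functional as F

torch.manual_seed(0)
num_classes, feat_dim = 10, 32
model = nn.Sequential(nn.Linear(feat_dim, 64), nn.ReLU(), nn.Linear(64, num_classes))

x = torch.randn(1, feat_dim)
y = torch.randint(0, num_classes, (1,))                 # private label

loss = F.cross_entropy(model(x), y)
grads = torch.autograd.grad(loss, list(model.parameters()))
gW = grads[-2]                                          # last-layer weight gradient, shape (C, 64)

# Row i of gW equals (softmax_i - onehot_i) * h for feature vector h, so the
# ground-truth row has the opposite sign of all others: its pairwise inner
# products with the remaining rows are negative.
inner = gW @ gW.t()                                     # (C, C) Gram matrix of the gradient rows
scores = (inner < 0).sum(dim=1)                         # the true class is "negative" against C-1 rows
inferred = scores.argmax().item()

print("true label:", y.item(), "inferred label:", inferred)
```

For a single sample this rule is exact (barring degenerate all-zero features), which is why the harder and more practical setting is the batched one addressed by LLG and GDBR above.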
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of the information it provides and is not responsible for any consequences arising from its use.