Defending Label Inference and Backdoor Attacks in Vertical Federated
Learning
- URL: http://arxiv.org/abs/2112.05409v1
- Date: Fri, 10 Dec 2021 09:32:09 GMT
- Title: Defending Label Inference and Backdoor Attacks in Vertical Federated
Learning
- Authors: Yang Liu, Zhihao Yi, Yan Kang, Yuanqin He, Wenhan Liu, Tianyuan Zou,
Qiang Yang
- Abstract summary: In collaborative learning, curious parties might be honest but attempt to infer other parties' private data through inference attacks.
In this paper, we show that private labels can be reconstructed from per-sample gradients.
We introduce a novel technique termed confusional autoencoder (CoAE) based on autoencoder and entropy regularization.
- Score: 11.319694528089773
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: In collaborative learning settings like federated learning, curious parties
might be honest but attempt to infer other parties' private data through
inference attacks, while malicious parties might manipulate the learning process
for their own purposes through backdoor attacks. However, most existing works
only consider the federated learning scenario where data are partitioned by
samples (horizontal federated learning, HFL). Feature-partitioned federated
learning (VFL) is another important scenario in many real-world applications.
Attacks and defenses in
such scenarios are especially challenging when the attackers and the defenders
are not able to access the features or model parameters of other participants.
Previous works have only shown that private labels can be reconstructed from
per-sample gradients. In this paper, we first show that private labels can be
reconstructed when only batch-averaged gradients are revealed, which is against
the common presumption. In addition, we show that a passive party in VFL can
even replace its corresponding labels in the active party with a target label
through a gradient-replacement attack. To defend against the first attack, we
introduce a novel technique termed confusional autoencoder (CoAE), based on
autoencoder and entropy regularization. We demonstrate that label inference
attacks can be successfully blocked by this technique with less loss of
main-task accuracy than existing methods. Our CoAE technique is also
effective in defending against the gradient-replacement backdoor attack, making it a
universal and practical defense strategy with no change to the original VFL
protocol. We demonstrate the effectiveness of our approaches under both
two-party and multi-party VFL settings. To the best of our knowledge, this is
the first systematic study to deal with label inference and backdoor attacks in
the feature-partitioned federated learning framework.
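For intuition on the threat model, here is a minimal sketch (not from the paper) of the per-sample leakage that prior works rely on: with softmax cross-entropy, the gradient with respect to the logits is p - y, and its only negative entry sits at the true class, so a party that receives per-sample gradients in this simplified setting can read labels off directly. All names and numbers below are illustrative assumptions; batch averaging removes this direct readout, which is what makes the batch-averaged reconstruction studied in this paper a stronger result.

```python
import numpy as np

def softmax(z):
    e = np.exp(z - z.max(axis=1, keepdims=True))
    return e / e.sum(axis=1, keepdims=True)

# Hypothetical setting: the passive party's output feeds the softmax directly,
# so the gradient it receives equals dL/dlogits = softmax(logits) - one_hot(label).
rng = np.random.default_rng(0)
num_classes = 5
logits = rng.normal(size=(4, num_classes))       # 4 samples
labels = rng.integers(0, num_classes, size=4)    # private labels held by the active party
one_hot = np.eye(num_classes)[labels]

grad_logits = softmax(logits) - one_hot          # per-sample gradients sent back

# The only negative entry of each per-sample gradient is at the true class,
# so the receiver recovers every label exactly.
recovered = grad_logits.argmin(axis=1)
assert (recovered == labels).all()

# Averaging over the batch destroys this direct readout; the paper shows that
# labels can still be reconstructed from such batch-averaged gradients.
batch_grad = grad_logits.mean(axis=0)
```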
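The gradient-replacement backdoor can be pictured as follows. This is a hypothetical sketch of one plausible reading, in which the passive party caches the gradient it received for a sample it believes carries the target label and substitutes an amplified copy of it for every triggered sample before updating its bottom model; the sample ids, the dictionary layout, and the amplification factor gamma are assumptions, not the paper's settings.

```python
import numpy as np

# Hypothetical passive-party step illustrating gradient replacement; sample ids,
# the dict layout, and the amplification factor gamma are assumptions.
rng = np.random.default_rng(1)
embed_dim, gamma = 8, 10.0

# Gradients returned by the active party for the passive party's embeddings,
# keyed by sample id.
received_grads = {i: rng.normal(size=embed_dim) for i in range(6)}
target_grad = received_grads[0].copy()   # cached gradient of a sample assumed to carry the target label
poisoned_ids = {3, 5}                    # samples into which the attacker injected its trigger

def replace_grads(received, poisoned, target, gamma):
    """Swap the received gradient of each poisoned sample for an amplified copy
    of the cached target-label gradient before the local backward pass."""
    return {i: gamma * target if i in poisoned else g for i, g in received.items()}

local_grads = replace_grads(received_grads, poisoned_ids, target_grad, gamma)
# The passive party then backpropagates local_grads through its bottom model,
# steering triggered samples toward the target label without ever seeing a label.
```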
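As a rough illustration of the CoAE defense, the sketch below trains an autoencoder whose encoder turns a one-hot label into a high-entropy "confused" soft label and whose decoder recovers the true label; the layer sizes, the entropy weight lam, and the training loop are illustrative assumptions rather than the paper's configuration.

```python
import torch
import torch.nn as nn
import torch.nn.functional as F

class CoAE(nn.Module):
    """Minimal confusional-autoencoder sketch: encode a one-hot label into a
    soft label, decode it back to the original class."""
    def __init__(self, num_classes, hidden=32):
        super().__init__()
        self.encoder = nn.Sequential(
            nn.Linear(num_classes, hidden), nn.ReLU(),
            nn.Linear(hidden, num_classes), nn.Softmax(dim=-1))
        self.decoder = nn.Sequential(
            nn.Linear(num_classes, hidden), nn.ReLU(),
            nn.Linear(hidden, num_classes))

    def forward(self, y_onehot):
        soft = self.encoder(y_onehot)    # confused soft label shown to other parties
        logits = self.decoder(soft)      # reconstruction of the true label
        return soft, logits

def coae_loss(soft, logits, y, lam=1.0):
    recon = F.cross_entropy(logits, y)                           # decoder must recover y
    entropy = -(soft * soft.clamp_min(1e-8).log()).sum(-1).mean()
    return recon - lam * entropy                                 # reward confusing (high-entropy) soft labels

num_classes = 10
model = CoAE(num_classes)
opt = torch.optim.Adam(model.parameters(), lr=1e-3)
for _ in range(200):
    y = torch.randint(0, num_classes, (64,))
    soft, logits = model(F.one_hot(y, num_classes).float())
    loss = coae_loss(soft, logits, y)
    opt.zero_grad()
    loss.backward()
    opt.step()
```

During VFL training, the active party would then compute the gradients it sends to passive parties against the confused soft labels and keep the decoder local, so the exchanged gradients no longer point at the true labels.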
Related papers
- Training on Fake Labels: Mitigating Label Leakage in Split Learning via Secure Dimension Transformation [10.404379188947383]
Two-party split learning has been shown to be vulnerable to label inference attacks.
We propose a novel two-party split learning method to defend against existing label inference attacks.
arXiv Detail & Related papers (2024-10-11T09:25:21Z)
- KDk: A Defense Mechanism Against Label Inference Attacks in Vertical Federated Learning [2.765106384328772]
In a Vertical Federated Learning (VFL) scenario, the labels of the samples are kept private from all parties except the aggregating server, which is the label owner.
Recent works discovered that by exploiting gradient information returned by the server to bottom models, an adversary can infer the private labels.
We propose a novel framework called KDk, which combines Knowledge Distillation and k-anonymity to provide a defense mechanism.
arXiv Detail & Related papers (2024-04-18T17:51:02Z)
- Label Inference Attacks against Node-level Vertical Federated GNNs [26.80658307067889]
We investigate label inference attacks on Vertical Federated Learning (VFL) using a zero-background knowledge strategy.
Our proposed attack, BlindSage, provides impressive results in the experiments, achieving nearly 100% accuracy in most cases.
arXiv Detail & Related papers (2023-08-04T17:04:58Z)
- Practical and General Backdoor Attacks against Vertical Federated Learning [3.587415228422117]
Federated learning (FL) aims to facilitate data collaboration across multiple organizations without exposing data privacy.
BadVFL is a novel and practical approach to inject backdoor triggers into victim models without label information.
BadVFL achieves over 93% attack success rate with only 1% poisoning rate.
arXiv Detail & Related papers (2023-06-19T07:30:01Z)
- Mutual Information Regularization for Vertical Federated Learning [6.458078197870505]
Vertical Federated Learning (VFL) is widely utilized in real-world applications to enable collaborative learning while protecting data privacy and safety.
Previous works show that parties without labels (passive parties) in VFL can infer the sensitive label information owned by the party with labels (active party) or execute backdoor attacks against VFL.
We propose a new general defense method which limits the mutual information between private raw data, including both features and labels, and intermediate outputs to achieve a better trade-off between model utility and privacy.
arXiv Detail & Related papers (2023-01-01T02:03:34Z)
- FLIP: A Provable Defense Framework for Backdoor Mitigation in Federated Learning [66.56240101249803]
We study how hardening benign clients can affect the global model (and the malicious clients).
We propose a trigger reverse engineering based defense and show that our method can achieve improvement with guaranteed robustness.
Our results on eight competing SOTA defense methods show the empirical superiority of our method on both single-shot and continuous FL backdoor attacks.
arXiv Detail & Related papers (2022-10-23T22:24:03Z)
- Protecting Split Learning by Potential Energy Loss [70.81375125791979]
We focus on the privacy leakage from the forward embeddings of split learning.
We propose the potential energy loss to make the forward embeddings more 'complicated'.
arXiv Detail & Related papers (2022-10-18T06:21:11Z)
- Is Vertical Logistic Regression Privacy-Preserving? A Comprehensive Privacy Analysis and Beyond [57.10914865054868]
We consider vertical logistic regression (VLR) trained with mini-batch gradient descent.
We provide a comprehensive and rigorous privacy analysis of VLR in a class of open-source Federated Learning frameworks.
arXiv Detail & Related papers (2022-07-19T05:47:30Z)
- Hidden Backdoor Attack against Semantic Segmentation Models [60.0327238844584]
The backdoor attack intends to embed hidden backdoors in deep neural networks (DNNs) by poisoning training data.
We propose a novel attack paradigm, the fine-grained attack, where we treat the target label at the object level instead of the image level.
Experiments show that the proposed methods can successfully attack semantic segmentation models by poisoning only a small proportion of training data.
arXiv Detail & Related papers (2021-03-06T05:50:29Z)
- Meta Federated Learning [57.52103907134841]
Federated Learning (FL) is vulnerable to training time adversarial attacks.
We propose Meta Federated Learning (Meta-FL), which is not only compatible with secure aggregation protocols but also facilitates defense against backdoor attacks.
arXiv Detail & Related papers (2021-02-10T16:48:32Z)
- Label-Only Membership Inference Attacks [67.46072950620247]
We introduce label-only membership inference attacks.
Our attacks evaluate the robustness of a model's predicted labels under perturbations.
We find that training with differential privacy and (strong) L2 regularization are the only known effective defense strategies.
arXiv Detail & Related papers (2020-07-28T15:44:31Z)
This list is automatically generated from the titles and abstracts of the papers in this site.