Table of Contents
Fetching ...

Similarity-based Label Inference Attack against Training and Inference of Split Learning

Junlin Liu, Xinchen Lyu, Qimei Cui, Xiaofeng Tao

TL;DR

This paper mathematically analyze the potential label leakages and proposes the cosine and Euclidean similarity measurements for gradients and smashed data, and designs three label inference attacks to efficiently recover the private labels during both the training and inference phases.

Abstract

Split learning is a promising paradigm for privacy-preserving distributed learning. The learning model can be cut into multiple portions to be collaboratively trained at the participants by exchanging only the intermediate results at the cut layer. Understanding the security performance of split learning is critical for many privacy-sensitive applications. This paper shows that the exchanged intermediate results, including the smashed data (i.e., extracted features from the raw data) and gradients during training and inference of split learning, can already reveal the private labels. We mathematically analyze the potential label leakages and propose the cosine and Euclidean similarity measurements for gradients and smashed data, respectively. Then, the two similarity measurements are shown to be unified in Euclidean space. Based on the similarity metric, we design three label inference attacks to efficiently recover the private labels during both the training and inference phases. Experimental results validate that the proposed approaches can achieve close to 100% accuracy of label attacks. The proposed attack can still achieve accurate predictions against various state-of-the-art defense mechanisms, including DP-SGD, label differential privacy, gradient compression, and Marvell.

Similarity-based Label Inference Attack against Training and Inference of Split Learning

TL;DR

This paper mathematically analyze the potential label leakages and proposes the cosine and Euclidean similarity measurements for gradients and smashed data, and designs three label inference attacks to efficiently recover the private labels during both the training and inference phases.

Abstract

Split learning is a promising paradigm for privacy-preserving distributed learning. The learning model can be cut into multiple portions to be collaboratively trained at the participants by exchanging only the intermediate results at the cut layer. Understanding the security performance of split learning is critical for many privacy-sensitive applications. This paper shows that the exchanged intermediate results, including the smashed data (i.e., extracted features from the raw data) and gradients during training and inference of split learning, can already reveal the private labels. We mathematically analyze the potential label leakages and propose the cosine and Euclidean similarity measurements for gradients and smashed data, respectively. Then, the two similarity measurements are shown to be unified in Euclidean space. Based on the similarity metric, we design three label inference attacks to efficiently recover the private labels during both the training and inference phases. Experimental results validate that the proposed approaches can achieve close to 100% accuracy of label attacks. The proposed attack can still achieve accurate predictions against various state-of-the-art defense mechanisms, including DP-SGD, label differential privacy, gradient compression, and Marvell.
Paper Structure (13 sections, 8 equations, 13 figures, 4 tables, 1 algorithm)

This paper contains 13 sections, 8 equations, 13 figures, 4 tables, 1 algorithm.

Figures (13)

  • Figure 1: The illustration of basic split learning setups with and without label protections, where setups (b) and (c) are designed to protect the private labels.
  • Figure 2: Threat model of split learning. During training, gradient $g$ can leak private label information. During inference, smashed data $f(X)$ can also disclose private labels
  • Figure 3: Possible label leakages in split learning with an emphasis on the last hidden layer. $W_L$ is the weights of the last hidden layer and $a_{L-1}$ is the activation output of layer $L-1$. $\nabla W_L^i$ is the gradients of weights $W_L^i$ in terms of the $i$-th logit. $\nabla W_L$, $\nabla a_{L-1}$, and $\nabla logits$ denote the gradients of $W_L$, $a_{L-1}$ and $logits$ respectively.
  • Figure 4: Samples distributions on CIFAR-10. The captions of subfigures demonstrate the dataset and the position of the cut layer.
  • Figure 5: The attack performance under different positions of cut layers. The attack performance from gradients/smashed data increases with the cut layer approaching to the output.
  • ...and 8 more figures

Theorems & Definitions (1)

  • Definition 5.1