Recovering Labels from Local Updates in Federated Learning

Huancheng Chen, Haris Vikalo

TL;DR

This paper tackles the vulnerability of federated learning to gradient-inversion attacks by introducing RLU, a label-recovery method that exploits correlations between local output-layer updates and data labels. By coupling an auxiliary dataset-based estimation of erroneous-confidence moments with Monte Carlo modeling of epoch dynamics, RLU can recover labels across untrained and well-trained models and under various FL schemes with multiple local epochs. The approach yields near-perfect single-epoch performance and strong robustness to data heterogeneity and different optimizers, and it also enhances gradient-inversion attacks by providing reliable labels for image reconstruction. The findings underscore significant privacy risks in FL and motivate the development of defenses against label-recovery from local updates.

Abstract

Gradient inversion (GI) attacks present a threat to the privacy of clients in federated learning (FL) by aiming to enable reconstruction of the clients' data from communicated model updates. A number of such techniques attempt to accelerate data recovery by first reconstructing labels of the samples used in local training. However, existing label extraction methods make strong assumptions that typically do not hold in realistic FL settings. In this paper we present a novel label recovery scheme, Recovering Labels from Local Updates (RLU), which provides near-perfect accuracy when attacking untrained (most vulnerable) models. More significantly, RLU achieves high performance even in realistic real-world settings where the clients in an FL system run multiple local epochs, train on heterogeneous data, and deploy various optimizers to minimize different objective functions. Specifically, RLU estimates labels by solving a least-squares problem that emerges from the analysis of the correlation between labels of the data points used in a training round and the resulting update of the output layer. The experimental results on several datasets, architectures, and data heterogeneity scenarios demonstrate that the proposed method consistently outperforms existing baselines, and helps improve quality of the reconstructed images in GI attacks in terms of both PSNR and LPIPS.

Paper Structure (40 sections, 94 equations, 11 figures, 5 tables)

Figures (11)

  • Figure 1: Instance-level accuracy of different attack methods deteriorates as training progresses. Each point on the black dashed curve indicates the training accuracy of the global model in each global round.
  • Figure 2: The iAcc of RLU utilizing auxiliary dataset $\mathcal{A}$ as the number of samples per class varies.
  • Figure 3: Batch image reconstruction (batch size set to 9) on CIFAR10 compared to IG (Geiping et al.). We select the best reconstructed batch for visualization and display the average metrics of the selected batches.
  • Figure 4: A selection of histograms that characterize the distribution of the output logits in global round $0$ (randomly initialized) on the SVHN dataset. Specifically, each histogram illustrates the number of samples with label $n$ as input that have a certain value of the $j$-th component of the output logits. From left to right, the corresponding values of $n$ and $j$ are as follows: (a) $n=1$, $j=1$; (b) $n=5$, $j=5$; (c) $n=9$, $j=9$; (d) $n=1$, $j=5$; (e) $n=1$, $j=9$; (f) $n=5$, $j=9$.
  • Figure 5: A selection of histograms that characterize the distribution of the output logits in global round $4$, in which the training accuracy of the global model is $68\%$, on the SVHN dataset. The other settings are identical to Fig. 4.
  • ...and 6 more figures