Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Building Gradient Bridges: Label Leakage from Restricted Gradient Sharing in Federated Learning

Rui Zhang, Ka-Ho Chow, Ping Li

TL;DR

Federated Learning exposes a privacy risk through gradient sharing, specifically leaking label distributions of private data. The authors present Gradient Bridge (GDBR), an attack that constructs a bridge from accessible bottom-layer gradients to the output logits, enabling recovery of batch label counts from limited gradient information, aided by batch-averaged gradients and auxiliary data. The method achieves robust label recovery across multiple datasets and architectures (e.g., LeNet on MNIST, AlexNet on SVHN, VGG11 on CIFAR-10, ResNet18 on CIFAR-100) and remains effective under gradient pruning and noise perturbation, highlighting weaknesses in lightweight defenses. The work underscores the need for stronger privacy protections in FL and provides a framework for future defense design and evaluation.

Abstract

The growing concern over data privacy, the benefits of utilizing data from diverse sources for model training, and the proliferation of networked devices with enhanced computational capabilities have all contributed to the rise of federated learning (FL). The clients in FL collaborate to train a global model by uploading gradients computed on their private datasets without collecting raw data. However, a new attack surface has emerged from gradient sharing, where adversaries can restore the label distribution of a victim's private data by analyzing the obtained gradients. To mitigate this privacy leakage, existing lightweight defenses restrict the sharing of gradients, such as encrypting the final-layer gradients or locally updating the parameters within. In this paper, we introduce a novel attack called Gradient Bridge (GDBR) that recovers the label distribution of training data from the limited gradient information shared in FL. GDBR explores the relationship between the layer-wise gradients, tracks the flow of gradients, and analytically derives the batch training labels. Extensive experiments show that GDBR can accurately recover more than 80% of labels in various FL settings. GDBR highlights the inadequacy of restricted gradient sharing-based defenses and calls for the design of effective defense schemes in FL.

Building Gradient Bridges: Label Leakage from Restricted Gradient Sharing in Federated Learning

TL;DR

Federated Learning exposes a privacy risk through gradient sharing, specifically leaking label distributions of private data. The authors present Gradient Bridge (GDBR), an attack that constructs a bridge from accessible bottom-layer gradients to the output logits, enabling recovery of batch label counts from limited gradient information, aided by batch-averaged gradients and auxiliary data. The method achieves robust label recovery across multiple datasets and architectures (e.g., LeNet on MNIST, AlexNet on SVHN, VGG11 on CIFAR-10, ResNet18 on CIFAR-100) and remains effective under gradient pruning and noise perturbation, highlighting weaknesses in lightweight defenses. The work underscores the need for stronger privacy protections in FL and provides a framework for future defense design and evaluation.

Abstract

The growing concern over data privacy, the benefits of utilizing data from diverse sources for model training, and the proliferation of networked devices with enhanced computational capabilities have all contributed to the rise of federated learning (FL). The clients in FL collaborate to train a global model by uploading gradients computed on their private datasets without collecting raw data. However, a new attack surface has emerged from gradient sharing, where adversaries can restore the label distribution of a victim's private data by analyzing the obtained gradients. To mitigate this privacy leakage, existing lightweight defenses restrict the sharing of gradients, such as encrypting the final-layer gradients or locally updating the parameters within. In this paper, we introduce a novel attack called Gradient Bridge (GDBR) that recovers the label distribution of training data from the limited gradient information shared in FL. GDBR explores the relationship between the layer-wise gradients, tracks the flow of gradients, and analytically derives the batch training labels. Extensive experiments show that GDBR can accurately recover more than 80% of labels in various FL settings. GDBR highlights the inadequacy of restricted gradient sharing-based defenses and calls for the design of effective defense schemes in FL.

Paper Structure

This paper contains 25 sections, 6 theorems, 38 equations, 6 figures, 2 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. Gradient Inversion Attacks
  4. Analytical Label Recovery
  5. Lightweight Defense Strategies
  6. Preliminary
  7. Inference of Single One-Hot Label
  8. Gradients in Typical Layers
  9. Threat Model
  10. Methodology
  11. Overview
  12. Correlation Between Layer-wise Gradients
  13. Derivation of Batch-Averaged Gradients
  14. Label Recovery from Inferred Gradients
  15. Experiments
  16. ...and 10 more sections

Key Result

Lemma 1

In an FC layer, let $\nabla\mathbf{x}$, $\nabla\mathbf{W}$, and $\nabla\mathbf{z}$ represent the gradients w.r.t. the input $\mathbf{x}$, the weight $\mathbf{W}$, and the output $\mathbf{z}$, respectively. Then the following relationships hold: where $\odot$ denotes the element-wise product, and $\mathrm{diag}(\cdot)$ denotes the diagonal elements of a matrix.

Figures (6)

  • Figure 1: Illustration of our Gradient Bridge (GDBR) attack. The gray parts in gradients denote the unshared information, while the colored parts depict the shared gradients. GDBR first infers the gradient w.r.t. output logits (in sky blue) from the obtained gradients and then recovers the label distribution of the victim client from the derived equation (in orange).
  • Figure 2: The distributions of input features and output probabilities of the FC layer in ResNet18, which is trained on the CIFAR-100 dataset. The x-axis represents the values of features or probabilities, and the y-axis represents the number of samples.
  • Figure 3: Comparison of GDBR with baselines on InsAcc and ClsAcc across different datasets and batch sizes. The experiments are performed on four model-dataset pairs: LeNet on MNIST, AlexNet on SVHN, VGG11 on CIFAR-10, and ResNet18 on CIFAR-100, with batch sizes ranging from 2 to 512. The batch data is randomly sampled from a subset of training classes.
  • Figure 4: Comparison of utilized gradients from different layers in a 6-layer MLP model, trained on MNIST and CIFAR-10.
  • Figure 5: Comparison of gradient simulation modes for baselines and model initialization modes. The training dataset is SVHN.
  • ...and 1 more figures

Theorems & Definitions (12)

  • Lemma 1
  • proof
  • Lemma 2
  • proof
  • Lemma 3
  • proof
  • Lemma 4
  • proof
  • Theorem 1
  • proof
  • ...and 2 more