Whispers of Data: Unveiling Label Distributions in Federated Learning Through Virtual Client Simulation
Zhixuan Ma, Haichang Gao, Junxiang Huang, Ping Wang
TL;DR
This paper investigates the risk of label distribution leakage in federated learning by proposing a novel, stable attack that uses virtual client simulation to infer a target client's data distribution. It first estimates the victim's dataset size from gradient behavior, then constructs IID and non-IID virtual clients to generate a temporal generalization profile used to train a neural inference model. An LSTM with a temporal attention mechanism maps the temporal generalization patterns to the target distribution, achieving superior accuracy across MNIST, Fashion-MNIST, FER2013, and AG-News and remaining effective under local differential privacy defenses. The results highlight a practical privacy risk in FL and suggest that defense strategies must account for attack models based on gradient dynamics and virtual-sample simulations.
Abstract
Federated Learning enables collaborative training of a global model across multiple geographically dispersed clients without the need for data sharing. However, it is susceptible to inference attacks, particularly label inference attacks. Existing studies on label distribution inference exhibits sensitive to the specific settings of the victim client and typically underperforms under defensive strategies. In this study, we propose a novel label distribution inference attack that is stable and adaptable to various scenarios. Specifically, we estimate the size of the victim client's dataset and construct several virtual clients tailored to the victim client. We then quantify the temporal generalization of each class label for the virtual clients and utilize the variation in temporal generalization to train an inference model that predicts the label distribution proportions of the victim client. We validate our approach on multiple datasets, including MNIST, Fashion-MNIST, FER2013, and AG-News. The results demonstrate the superiority of our method compared to state-of-the-art techniques. Furthermore, our attack remains effective even under differential privacy defense mechanisms, underscoring its potential for real-world applications.
