Table of Contents
Fetching ...

Whispers of Data: Unveiling Label Distributions in Federated Learning Through Virtual Client Simulation

Zhixuan Ma, Haichang Gao, Junxiang Huang, Ping Wang

TL;DR

This paper investigates the risk of label distribution leakage in federated learning by proposing a novel, stable attack that uses virtual client simulation to infer a target client's data distribution. It first estimates the victim's dataset size from gradient behavior, then constructs IID and non-IID virtual clients to generate a temporal generalization profile used to train a neural inference model. An LSTM with a temporal attention mechanism maps the temporal generalization patterns to the target distribution, achieving superior accuracy across MNIST, Fashion-MNIST, FER2013, and AG-News and remaining effective under local differential privacy defenses. The results highlight a practical privacy risk in FL and suggest that defense strategies must account for attack models based on gradient dynamics and virtual-sample simulations.

Abstract

Federated Learning enables collaborative training of a global model across multiple geographically dispersed clients without the need for data sharing. However, it is susceptible to inference attacks, particularly label inference attacks. Existing studies on label distribution inference exhibits sensitive to the specific settings of the victim client and typically underperforms under defensive strategies. In this study, we propose a novel label distribution inference attack that is stable and adaptable to various scenarios. Specifically, we estimate the size of the victim client's dataset and construct several virtual clients tailored to the victim client. We then quantify the temporal generalization of each class label for the virtual clients and utilize the variation in temporal generalization to train an inference model that predicts the label distribution proportions of the victim client. We validate our approach on multiple datasets, including MNIST, Fashion-MNIST, FER2013, and AG-News. The results demonstrate the superiority of our method compared to state-of-the-art techniques. Furthermore, our attack remains effective even under differential privacy defense mechanisms, underscoring its potential for real-world applications.

Whispers of Data: Unveiling Label Distributions in Federated Learning Through Virtual Client Simulation

TL;DR

This paper investigates the risk of label distribution leakage in federated learning by proposing a novel, stable attack that uses virtual client simulation to infer a target client's data distribution. It first estimates the victim's dataset size from gradient behavior, then constructs IID and non-IID virtual clients to generate a temporal generalization profile used to train a neural inference model. An LSTM with a temporal attention mechanism maps the temporal generalization patterns to the target distribution, achieving superior accuracy across MNIST, Fashion-MNIST, FER2013, and AG-News and remaining effective under local differential privacy defenses. The results highlight a practical privacy risk in FL and suggest that defense strategies must account for attack models based on gradient dynamics and virtual-sample simulations.

Abstract

Federated Learning enables collaborative training of a global model across multiple geographically dispersed clients without the need for data sharing. However, it is susceptible to inference attacks, particularly label inference attacks. Existing studies on label distribution inference exhibits sensitive to the specific settings of the victim client and typically underperforms under defensive strategies. In this study, we propose a novel label distribution inference attack that is stable and adaptable to various scenarios. Specifically, we estimate the size of the victim client's dataset and construct several virtual clients tailored to the victim client. We then quantify the temporal generalization of each class label for the virtual clients and utilize the variation in temporal generalization to train an inference model that predicts the label distribution proportions of the victim client. We validate our approach on multiple datasets, including MNIST, Fashion-MNIST, FER2013, and AG-News. The results demonstrate the superiority of our method compared to state-of-the-art techniques. Furthermore, our attack remains effective even under differential privacy defense mechanisms, underscoring its potential for real-world applications.
Paper Structure (13 sections, 9 equations, 27 figures, 4 tables, 2 algorithms)

This paper contains 13 sections, 9 equations, 27 figures, 4 tables, 2 algorithms.

Figures (27)

  • Figure 1: The overview of the framework.
  • Figure 6: Predicted distribution attack against differential privacy under Non-IID.
  • Figure : gradient noise
  • Figure : MNIST
  • Figure : MNIST
  • ...and 22 more figures