Label Leakage from Gradients in Distributed Machine Learning

Wainakh, Aidmar; Müßig, Till; Grube, Tim; Mühlhäuser, Max

doi:10.1109/ccnc49032.2021.9369498

Cited by 15 publications

(6 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The study proposed by [24] improved the weight matching algorithm for deep leakage from gradients to enhance the reconstruction performance. Similarly, the study in [25] also proposed the reconstruction of data while matching the gradient information. In addition, the study also uses auxiliary information in order to improve the reconstruction performance.…”

Section: Related Workmentioning

confidence: 99%

Get Your Foes Fooled: Proximal Gradient Split Learning for Defense Against Model Inversion Attacks on IoMT Data

Khowaja

Lee

Dev

et al. 2023

IEEE Trans. Netw. Sci. Eng.

View full text Add to dashboard Cite

The past decade has seen a rapid adoption of Artificial Intelligence (AI), specifically the deep learning networks, in Internet of Medical Things (IoMT) ecosystem. However, it has been shown recently that the deep learning networks can be exploited by adversarial attacks that not only make IoMT vulnerable to the data theft but also to the manipulation of medical diagnosis. The existing studies consider adding noise to the raw IoMT data or model parameters which not only reduces the overall performance concerning medical inferences but also is ineffective to the likes of deep leakage from gradients method. In this work, we propose proximal gradient split learning (PSGL) method for defense against the model inversion attacks. The proposed method intentionally attacks the IoMT data when undergoing the deep neural network training process at client side. We propose the use of proximal gradient method to recover gradient maps and a decision-level fusion strategy to improve the recognition performance. Extensive analysis show that the PGSL not only provides effective defense mechanism against the model inversion attacks but also helps in improving the recognition performance on publicly available datasets. We report 14.0%, 17.9%, and 36.9% gains in accuracy over reconstructed and adversarial attacked images, respectively.

show abstract

Section: Related Workmentioning

confidence: 99%

Get Your Foes Fooled: Proximal Gradient Split Learning for Defense Against Model Inversion Attacks on IoMT Data

Khowaja

Lee

Dev

et al. 2023

IEEE Trans. Netw. Sci. Eng.

View full text Add to dashboard Cite

show abstract

“…However, their approach is limited to one-sample batch, which is uncommon in real-world applications of FL, where users typically have multiple data samples and train the model on these samples (a bunch of them at least) before sharing the gradients with the server. Wainakh et al [34], in a short paper (4 pages), introduced a basic idea to extend the attack of [38] for bigger batches, however, their work lacks formalization and thorough evaluation to substantially support the validity of the approach. Li et al [21] proposed also an analytical approach based on the observation that the gradient norms of a particular class are generally larger than the others.…”

Section: Label Extractionmentioning

confidence: 99%

User-Level Label Leakage from Gradients in Federated Learning

Wainakh

Ventola

Müßig

et al. 2022

Proceedings on Privacy Enhancing Technologies

Self Cite

View full text Add to dashboard Cite

Federated learning enables multiple users to build a joint model by sharing their model updates (gradients), while their raw data remains local on their devices. In contrast to the common belief that this provides privacy benefits, we here add to the very recent results on privacy risks when sharing gradients. Specifically, we investigate Label Leakage from Gradients (LLG), a novel attack to extract the labels of the users’ training data from their shared gradients. The attack exploits the direction and magnitude of gradients to determine the presence or absence of any label. LLG is simple yet effective, capable of leaking potential sensitive information represented by labels, and scales well to arbitrary batch sizes and multiple classes. We mathematically and empirically demonstrate the validity of the attack under different settings. Moreover, empirical results show that LLG successfully extracts labels with high accuracy at the early stages of model training. We also discuss different defense mechanisms against such leakage. Our findings suggest that gradient compression is a practical technique to mitigate the attack.

show abstract

“…If the identity is known while the models are aggregated, the adversary can infer something about the training data but not track it for a particular participant. In general, tracing requires ancillary information specific to the leak (Wainakh et al , 2021; McMahan et al , 2017; Zhu et al , 2019). For example, after inferring that photos of a certain person had started appearing in the training data, an adversary may have enough complementary and contextual information about the participants to guess which of them included these images in the training data (Yin et al , 2018; Blanchard et al , 2017).…”

Section: Threats and Defensesmentioning

confidence: 99%

Inference attacks based on GAN in federated learning

Dang

2022

IJWIS

View full text Add to dashboard Cite

Purpose In the digital age, organizations want to build a more powerful machine learning model that can serve the increasing needs of people. However, enhancing privacy and data security is one of the challenges for machine learning models, especially in federated learning. Parties want to collaborate with each other to build a better model, but they do not want to reveal their own data. This study aims to introduce threats and defenses to privacy leaks in the collaborative learning model. Design/methodology/approach In the collaborative model, the attacker was the central server or a participant. In this study, the attacker is on the side of the participant, who is “honest but curious.” Attack experiments are on the participant’s side, who performs two tasks: one is to train the collaborative learning model; the second task is to build a generative adversarial networks (GANs) model, which will perform the attack to infer more information received from the central server. There are three typical types of attacks: white box, black box without auxiliary information and black box with auxiliary information. The experimental environment is set up by PyTorch on Google Colab platform running on graphics processing unit with labeled faces in the wild and Canadian Institute For Advanced Research-10 data sets. Findings The paper assumes that the privacy leakage attack resides on the participant’s side, and the information in the parameter server contains too much knowledge to train a collaborative machine learning model. This study compares the success level of inference attack from model parameters based on GAN models. There are three GAN models, which are used in this method: condition GAN, control GAN and Wasserstein generative adversarial networks (WGAN). Of these three models, the WGAN model has proven to obtain the highest stability. Originality/value The concern about privacy and security for machine learning models are more important, especially for collaborative learning. The paper has contributed experimentally to private attack on the participant side in the collaborative learning model.

show abstract

Label Leakage from Gradients in Distributed Machine Learning

Cited by 15 publications

References 30 publications

Get Your Foes Fooled: Proximal Gradient Split Learning for Defense Against Model Inversion Attacks on IoMT Data

Get Your Foes Fooled: Proximal Gradient Split Learning for Defense Against Model Inversion Attacks on IoMT Data

User-Level Label Leakage from Gradients in Federated Learning

Inference attacks based on GAN in federated learning

Contact Info

Product

Resources

About