User-Level Label Leakage from Gradients in Federated Learning

Wainakh, Aidmar; Ventola, Fabrizio; Müßig, Till; Keim, Jens; Cordero, Carlos García; Zimmer, Ephraim; Grube, Tim; Kersting, Kristian; Mühlhäuser, Max

doi:10.2478/popets-2022-0043

Cited by 33 publications

(15 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Several model inversion attacks reconstruct the training data by exploiting the shared gradients [ 22 , 78 , 97 ]. In particular, they exploit the mathematical properties of gradients in specific model architectures to infer information about the input data.…”

Section: Discussionmentioning

confidence: 99%

Federated Learning Attacks Revisited: A Critical Discussion of Gaps, Assumptions, and Evaluation Setups

Wainakh

Zimmer

Subedi

et al. 2022

Sensors

Self Cite

View full text Add to dashboard Cite

Deep learning pervades heavy data-driven disciplines in research and development. The Internet of Things and sensor systems, which enable smart environments and services, are settings where deep learning can provide invaluable utility. However, the data in these systems are very often directly or indirectly related to people, which raises privacy concerns. Federated learning (FL) mitigates some of these concerns and empowers deep learning in sensor-driven environments by enabling multiple entities to collaboratively train a machine learning model without sharing their data. Nevertheless, a number of works in the literature propose attacks that can manipulate the model and disclose information about the training data in FL. As a result, there has been a growing belief that FL is highly vulnerable to severe attacks. Although these attacks do indeed highlight security and privacy risks in FL, some of them may not be as effective in production deployment because they are feasible only given special—sometimes impractical—assumptions. In this paper, we investigate this issue by conducting a quantitative analysis of the attacks against FL and their evaluation settings in 48 papers. This analysis is the first of its kind to reveal several research gaps with regard to the types and architectures of target models. Additionally, the quantitative analysis allows us to highlight unrealistic assumptions in some attacks related to the hyper-parameters of the model and data distribution. Furthermore, we identify fallacies in the evaluation of attacks which raise questions about the generalizability of the conclusions. As a remedy, we propose a set of recommendations to promote adequate evaluations.

show abstract

Section: Discussionmentioning

confidence: 99%

Federated Learning Attacks Revisited: A Critical Discussion of Gaps, Assumptions, and Evaluation Setups

Wainakh

Zimmer

Subedi

et al. 2022

Sensors

Self Cite

View full text Add to dashboard Cite

show abstract

“…Similarly to tabular or image data, FL was applied on many time-series applications such as load forecasting [36], natural language processing [24], [49], traffic flow prediction, [78], and healthcare systems [42]. However, recent research has shown that sharing gradients and local model updates in FL lead to severe privacy leakage because membership inference and data/label reconstruction attacks are effective [53], [126], [139], [85], [95], [136], [44], [61], [125], [32], [34].…”

Section: B Privacy-preserving Federated Training Of Machine Learning ...mentioning

confidence: 99%

“…Although FL provides collaborative learning without data sharing, it still raises privacy issues: The shared intermediate model is vulnerable to privacy attacks that can reconstruct parties' input data or infer the membership of data samples in the training set, hence needs to be protected during the training process [53], [126], [139], [85], [95], [136], [44], [61], [125], [32], [34]. Moreover, it was recently shown that RNNs are particularly vulnerable to inference attacks (e.g., membership inference) compared to traditional neural networks [130].…”

Section: Introductionmentioning

confidence: 99%

Privacy-Preserving Federated Recurrent Neural Networks

Sav¹,

Abdulrahman²,

Pyrgelis³

et al. 2022

Preprint

View full text Add to dashboard Cite

We present RHODE, a novel system that enables privacy-preserving training of and prediction on Recurrent Neural Networks (RNNs) in a federated learning setting by relying on multiparty homomorphic encryption (MHE). RHODE preserves the confidentiality of the training data, the model, and the prediction data; and it mitigates the federated learning attacks that target the gradients under a passive-adversary threat model. We propose a novel packing scheme, multi-dimensional packing, for a better utilization of Single Instruction, Multiple Data (SIMD) operations under encryption. With multi-dimensional packing, RHODE enables the efficient processing, in parallel, of a batch of samples. To avoid the exploding gradients problem, we also provide several clip-by-value approximations for enabling gradient clipping under encryption. We experimentally show that the model performance with RHODE remains similar to non-secure solutions both for homogeneous and heterogeneous data distribution among the data holders. Our experimental evaluation shows that RHODE scales linearly with the number of data holders and the number of timesteps, sub-linearly and sub-quadratically with the number of features and the number of hidden units of RNNs, respectively. To the best of our knowledge, RHODE is the first system that provides the building blocks for the training of RNNs and its variants, under encryption in a federated learning setting.

show abstract

“…The iDLG [23] further demonstrates that the last layer of shared gradients must leak ground truth labels when the activation function is non-negative. Wainakh et al [37] further explored the properties of gradient-based leakage of true labels under large batch. Common techniques for protecting privacy include adding noise, gradient compression, discretization, and differential privacypreserving.…”

Section: Leakage From Gradientsmentioning

confidence: 99%

MpFedcon : Model-Contrastive Personalized Federated Learning with the Class Center

Fang

SHI

2022

Wuhan Univ. J. Nat. Sci.

View full text Add to dashboard Cite

Federated learning is an emerging distributed privacy-preserving framework in which parties are trained collaboratively by sharing model or gradient updates instead of sharing private data. However, the heterogeneity of local data distribution poses a significant challenge. This paper focuses on the label distribution skew, where each party can only access a partial set of the whole class set. It makes global updates drift while aggregating these biased local models. In addition, many studies have shown that deep leakage from gradients endangers the reliability of federated learning. To address these challenges, this paper propose a new personalized federated learning method named MpFedcon. It addresses the data heterogeneity problem and privacy leakage problem from global and local perspectives. Our extensive experimental results demonstrate that MpFedcon yields effective resists on the label leakage problem and better performance on various image classification tasks, robust in partial participation settings, non-iid data, and heterogeneous parties.

show abstract

User-Level Label Leakage from Gradients in Federated Learning

Cited by 33 publications

References 32 publications

Federated Learning Attacks Revisited: A Critical Discussion of Gaps, Assumptions, and Evaluation Setups

Federated Learning Attacks Revisited: A Critical Discussion of Gaps, Assumptions, and Evaluation Setups

Privacy-Preserving Federated Recurrent Neural Networks

MpFedcon : Model-Contrastive Personalized Federated Learning with the Class Center

Contact Info

Product

Resources

About