User-Level Label Leakage from Gradients in Federated Learning

Aidmar Wainakh; Fabrizio Ventola; Till Müßig; Jens Keim; Carlos Garcia Cordero; Ephraim Zimmer; Tim Grube; Kristian Kersting; Max Mühlhäuser

User-Level Label Leakage from Gradients in Federated Learning

Authors: Aidmar Wainakh (Telecooperation Lab, Technical University of Darmstadt), Fabrizio Ventola (Artificial Intelligence and Machine Learning Lab, Technical University of Darmstadt), Till Müßig (Technical University of Darmstadt), Jens Keim (Technical University of Darmstadt), Carlos Garcia Cordero (Telecooperation Lab, Technical University of Darmstadt), Ephraim Zimmer (Telecooperation Lab, Technical University of Darmstadt), Tim Grube (Telecooperation Lab, Technical University of Darmstadt), Kristian Kersting (Artificial Intelligence and Machine Learning Lab, Technical University of Darmstadt), Max Mühlhäuser (Telecooperation Lab, Technical University of Darmstadt)

Volume: 2022
Issue: 2
Pages: 227–244
DOI: https://doi.org/10.2478/popets-2022-0043

Download PDF

Abstract: Federated learning enables multiple users to build a joint model by sharing their model updates (gradients), while their raw data remains local on their devices. In contrast to the common belief that this provides privacy benefits, we here add to the very recent results on privacy risks when sharing gradients. Specifically, we investigate Label Leakage from Gradients (LLG), a novel attack to extract the labels of the users’ training data from their shared gradients. The attack exploits the direction and magnitude of gradients to determine the presence or absence of any label. LLG is simple yet effective, capable of leaking potential sensitive information represented by labels, and scales well to arbitrary batch sizes and multiple classes. We mathematically and empirically demonstrate the validity of the attack under different settings. Moreover, empirical results show that LLG successfully extracts labels with high accuracy at the early stages of model training. We also discuss different defense mechanisms against such leakage. Our findings suggest that gradient compression is a practical technique to mitigate the attack.

Keywords: Label leakage, federated learning, gradient attack, privacy attack.

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 license.