Eavesdrop the Composition Proportion of Training Labels in Federated Learning

TL;DR

This paper reveals new inference attack methods in federated learning that can deduce the presence and proportion of training labels, posing privacy risks despite FL's data privacy design.

Contribution

It introduces three novel attack types that can infer label presence and proportions in federated learning, highlighting vulnerabilities and potential privacy breaches.

Findings

Attacks effectively detect label presence and proportions across datasets.

Hyper-parameter analysis reveals factors influencing attack success.

Discusses potential defenses against label inference attacks.

Abstract

Federated learning (FL) has recently emerged as a new form of collaborative machine learning, where a common model can be learned while keeping all the training data on local devices. Although it is designed for enhancing the data privacy, we demonstrated in this paper a new direction in inference attacks in the context of FL, where valuable information about training data can be obtained by adversaries with very limited power. In particular, we proposed three new types of attacks to exploit this vulnerability. The first type of attack, Class Sniffing, can detect whether a certain label appears in training. The other two types of attacks can determine the quantity of each label, i.e., Quantity Inference attack determines the composition proportion of the training label owned by the selected clients in a single round, while Whole Determination attack determines that of the whole training process. We evaluated our attacks on a variety of tasks and datasets with different settings, and the corresponding results showed that our attacks work well generally. Finally, we analyzed the impact of major hyper-parameters to our attacks and discussed possible defenses.