Label Leakage and Protection in Two-party Split Learning

TL;DR

This paper investigates label leakage risks in two-party split learning, demonstrating attack methods and proposing the $ exttt{Marvell}$ perturbation technique to enhance privacy without significantly sacrificing utility.

Contribution

The work introduces a threat model for label leakage, presents effective attack strategies, and proposes the $ exttt{Marvell}$ method to mitigate privacy risks in split learning.

Findings

Effective label recovery attacks demonstrated

$ exttt{Marvell}$ reduces label leakage significantly

Improved privacy-utility tradeoffs shown empirically

Abstract

Two-party split learning is a popular technique for learning a model across feature-partitioned data. In this work, we explore whether it is possible for one party to steal the private label information from the other party during split training, and whether there are methods that can protect against such attacks. Specifically, we first formulate a realistic threat model and propose a privacy loss metric to quantify label leakage in split learning. We then show that there exist two simple yet effective methods within the threat model that can allow one party to accurately recover private ground-truth labels owned by the other party. To combat these attacks, we propose several random perturbation techniques, including $\texttt{Marvell}$, an approach that strategically finds the structure of the noise perturbation by minimizing the amount of label leakage (measured through our quantification metric) of a worst-case adversary. We empirically demonstrate the effectiveness of our protection techniques against the identified attacks, and show that $\texttt{Marvell}$ in particular has improved privacy-utility tradeoffs relative to baseline approaches.