Defending Label Inference Attacks in Split Learning under Regression Setting
Haoze Qiu, Fei Zheng, Chaochao Chen, Xiaolin Zheng

TL;DR
This paper introduces novel defense methods, RLE and MLE, to protect against label inference attacks in split learning for regression tasks, effectively reducing attack success while maintaining task accuracy.
Contribution
The paper proposes RLE and MLE, two new defense techniques that obfuscate labels in split learning to enhance privacy against gradient inversion attacks.
Findings
RLE significantly reduces attack model accuracy.
MLE preserves original label information while defending.
Both methods maintain task performance effectively.
Abstract
As a privacy-preserving method for implementing Vertical Federated Learning, Split Learning has been extensively researched. However, numerous studies have indicated that the privacy-preserving capability of Split Learning is insufficient. In this paper, we primarily focus on label inference attacks in Split Learning under regression setting, which are mainly implemented through the gradient inversion method. To defend against label inference attacks, we propose Random Label Extension (RLE), where labels are extended to obfuscate the label information contained in the gradients, thereby preventing the attacker from utilizing gradients to train an attack model that can infer the original labels. To further minimize the impact on the original task, we propose Model-based adaptive Label Extension (MLE), where original labels are preserved in the extended labels and dominate the training…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning
