KDk: A Defense Mechanism Against Label Inference Attacks in Vertical Federated Learning

TL;DR

This paper introduces KDk, a novel defense framework combining Knowledge Distillation and k-anonymity, effectively reducing label inference attacks in Vertical Federated Learning while preserving model accuracy.

Contribution

The paper proposes KDk, a new method that defends against label inference attacks in VFL by integrating Knowledge Distillation and k-anonymity, with demonstrated effectiveness.

Findings

Reduces label inference attack success rate by over 60%.

Maintains near-original model accuracy after applying KDk.

Effective defense demonstrated through extensive experiments.

Abstract

Vertical Federated Learning (VFL) is a category of Federated Learning in which models are trained collaboratively among parties with vertically partitioned data. Typically, in a VFL scenario, the labels of the samples are kept private from all the parties except for the aggregating server, that is the label owner. Nevertheless, recent works discovered that by exploiting gradient information returned by the server to bottom models, with the knowledge of only a small set of auxiliary labels on a very limited subset of training data points, an adversary can infer the private labels. These attacks are known as label inference attacks in VFL. In our work, we propose a novel framework called KDk, that combines Knowledge Distillation and k-anonymity to provide a defense mechanism against potential label inference attacks in a VFL scenario. Through an exhaustive experimental campaign we demonstrate that by applying our approach, the performance of the analyzed label inference attacks decreases consistently, even by more than 60%, maintaining the accuracy of the whole VFL almost unaltered.