LabObf: A Label Protection Scheme for Vertical Federated Learning Through Label Obfuscation
Ying He, Mingyang Niu, Jingyu Hua, Yunlong Mao, Xu Huang, Chen Li, Sheng Zhong

TL;DR
LabObf introduces a label obfuscation method for vertical federated learning that enhances privacy by making label inference significantly more difficult for attackers without compromising model accuracy.
Contribution
The paper proposes LabObf, a novel label obfuscation scheme that defends against label inference attacks in vertical federated learning, addressing a key privacy vulnerability.
Findings
LabObf reduces attack success rates significantly.
Model accuracy remains high with LabObf.
Embedding extension attack exposes vulnerabilities in existing defenses.
Abstract
Split Neural Network, as one of the most common architectures used in vertical federated learning, is popular in industry due to its privacy-preserving characteristics. In this architecture, the party holding the labels seeks cooperation from other parties to improve model performance due to insufficient feature data. Each of these participants has a self-defined bottom model to learn hidden representations from its own feature data and uploads the embedding vectors to the top model held by the label holder for final predictions. This design allows participants to conduct joint training without directly exchanging data. However, existing research points out that malicious participants may still infer label information from the uploaded embeddings, leading to privacy leakage. In this paper, we first propose an embedding extension attack manipulating embeddings to undermine existing…
Taxonomy
Topics: Privacy-Preserving Technologies in Data
