Posterior Probability-based Label Recovery Attack in Federated Learning

Rui Zhang, Song Guo, Ping Li

Research output: Contribution to conference › Conference Paper › peer-review

Abstract

Recent works have proposed analytical attacks that can restore batch labels from gradients of a classification model in Federated Learning (FL). However, these studies rely on strict assumptions and do not show the scalability of other classification loss functions. In this paper, we propose a generalized label recovery attack by estimating the posterior probabilities. Beginning with the focal loss function, we derive the relationship among the gradients, labels and posterior probabilities in a concise form. We also empirically observe that positive or negative samples of a class have approximate probability distributions. This insight enables us to estimate the posterior probabilities of the target batch from some auxiliary data. Integrating the above elements, we present our label attack that can directly recover the class-wise batch labels in realistic FL settings. Evaluation results show that on an untrained model, our attack can achieve over 95% Instance-level label Accuracy (InsAcc) and 96% Class-level label Accuracy (ClsAcc) on different groups of datasets, models and activations. For a training model, our approach reaches more than 90% InsAcc on different hyper-parameters.
Original language: English
Publication status: Published - May 2024
Event: Privacy Regulation and Protection in Machine Learning Workshop at The 12th International Conference on Learning Representations (ICLR 2024)
Duration: 1 May 2024 to 1 May 2024
