Label Leakage and Protection in Two-party Split Learning
This addresses privacy risks for parties in split learning, but it is incremental as it builds on existing split learning frameworks.
The paper tackles the problem of label leakage in two-party split learning, showing that simple methods can accurately recover private labels, and proposes random perturbation techniques like Marvell to protect against these attacks with improved privacy-utility tradeoffs.
Two-party split learning is a popular technique for learning a model across feature-partitioned data. In this work, we explore whether it is possible for one party to steal the private label information from the other party during split training, and whether there are methods that can protect against such attacks. Specifically, we first formulate a realistic threat model and propose a privacy loss metric to quantify label leakage in split learning. We then show that there exist two simple yet effective methods within the threat model that can allow one party to accurately recover private ground-truth labels owned by the other party. To combat these attacks, we propose several random perturbation techniques, including $\texttt{Marvell}$, an approach that strategically finds the structure of the noise perturbation by minimizing the amount of label leakage (measured through our quantification metric) of a worst-case adversary. We empirically demonstrate the effectiveness of our protection techniques against the identified attacks, and show that $\texttt{Marvell}$ in particular has improved privacy-utility tradeoffs relative to baseline approaches.