CR | AI | LG | Nov 25, 2021

ExPLoit: Extracting Private Labels in Split Learning

arXiv:2112.01299v2 | 30 citations
AI Analysis

The paper exposes a critical vulnerability in split learning that affects privacy in federated learning systems. The contribution is incremental, as it builds on known attack methods.

The paper tackles the problem of privacy leakage in split learning for vertical federated learning by proposing ExPLoit, an attack that allows an adversarial input-owner to extract private labels from the label-owner with near-perfect accuracy of up to 99.96%.

Split learning is a popular technique used for vertical federated learning (VFL), where the goal is to jointly train a model on the private input and label data held by two parties. This technique uses a split-model, trained end-to-end, by exchanging the intermediate representations (IR) of the inputs and gradients of the IR between the two parties. We propose ExPLoit - a label-leakage attack that allows an adversarial input-owner to extract the private labels of the label-owner during split-learning. ExPLoit frames the attack as a supervised learning problem by using a novel loss function that combines gradient-matching and several regularization terms developed using key properties of the dataset and models. Our evaluations show that ExPLoit can uncover the private labels with near-perfect accuracy of up to 99.96%. Our findings underscore the need for better training techniques for VFL.
