SplitAUM: Auxiliary Model-Based Label Inference Attack Against Split Learning

IF 4.7 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

IEEE Transactions on Network and Service Management Pub Date : 2024-10-07 DOI:10.1109/TNSM.2024.3474717

Kai Zhao;Xiaowei Chuo;Fangchao Yu;Bo Zeng;Zhi Pang;Lina Wang

{"title":"SplitAUM: Auxiliary Model-Based Label Inference Attack Against Split Learning","authors":"Kai Zhao;Xiaowei Chuo;Fangchao Yu;Bo Zeng;Zhi Pang;Lina Wang","doi":"10.1109/TNSM.2024.3474717","DOIUrl":null,"url":null,"abstract":"Split learning has emerged as a practical and efficient privacy-preserving distributed machine learning paradigm. Understanding the privacy risks of split learning is critical for its application in privacy-sensitive scenarios. However, previous attacks against split learning generally depended on unduly strong assumptions or non-standard settings advantageous to the attacker. This paper proposes a novel auxiliary model-based label inference attack framework against learning, named <monospace>SplitAUM</monospace>. <monospace>SplitAUM</monospace> first builds an auxiliary model on the client side using intermediate representations of the cut layer and a small number of dummy labels. Then, the learning regularization objective is carefully designed to train the auxiliary model and transfer the knowledge of the server model to the client. Finally, <monospace>SplitAUM</monospace> uses the auxiliary model output on local data to infer the server’s privacy label. In addition, to further improve the attack effect, we use semi-supervised clustering to initialize the dummy labels of the auxiliary model. Since <monospace>SplitAUM</monospace> relies only on auxiliary models, it is highly scalable. We conduct extensive experiments on three different categories of datasets, comparing four typical attacks. Experimental results demonstrate that <monospace>SplitAUM</monospace> can effectively infer privacy labels and outperform existing attack frameworks in challenging yet practical scenarios. We hope our work paves the way for future analyses of the security of split learning.","PeriodicalId":13423,"journal":{"name":"IEEE Transactions on Network and Service Management","volume":"22 1","pages":"930-940"},"PeriodicalIF":4.7000,"publicationDate":"2024-10-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Network and Service Management","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10706105/","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Split learning has emerged as a practical and efficient privacy-preserving distributed machine learning paradigm. Understanding the privacy risks of split learning is critical for its application in privacy-sensitive scenarios. However, previous attacks against split learning generally depended on unduly strong assumptions or non-standard settings advantageous to the attacker. This paper proposes a novel auxiliary model-based label inference attack framework against learning, named SplitAUM. SplitAUM first builds an auxiliary model on the client side using intermediate representations of the cut layer and a small number of dummy labels. Then, the learning regularization objective is carefully designed to train the auxiliary model and transfer the knowledge of the server model to the client. Finally, SplitAUM uses the auxiliary model output on local data to infer the server’s privacy label. In addition, to further improve the attack effect, we use semi-supervised clustering to initialize the dummy labels of the auxiliary model. Since SplitAUM relies only on auxiliary models, it is highly scalable. We conduct extensive experiments on three different categories of datasets, comparing four typical attacks. Experimental results demonstrate that SplitAUM can effectively infer privacy labels and outperform existing attack frameworks in challenging yet practical scenarios. We hope our work paves the way for future analyses of the security of split learning.

查看原文本刊更多论文

求助全文

约1分钟内获得全文求助全文

来源期刊

IEEE Transactions on Network and Service Management Computer Science-Computer Networks and Communications

CiteScore

9.30

自引率

15.10%

发文量

325

期刊介绍： IEEE Transactions on Network and Service Management will publish (online only) peerreviewed archival quality papers that advance the state-of-the-art and practical applications of network and service management. Theoretical research contributions (presenting new concepts and techniques) and applied contributions (reporting on experiences and experiments with actual systems) will be encouraged. These transactions will focus on the key technical issues related to: Management Models, Architectures and Frameworks; Service Provisioning, Reliability and Quality Assurance; Management Functions; Enabling Technologies; Information and Communication Models; Policies; Applications and Case Studies; Emerging Technologies and Standards.