GRAMSSAT: An efficient label inference attack against two-party split learning based on gradient matching and semi-supervised learning
Lixin Zhang, Xinyan Gao, Bihe Zhao, Zhenyu Guan, Song Bian
Journal of Information Security and Applications, volume 93, Article 104159 (Journal Article). Published 2025-07-17.
DOI: 10.1016/j.jisa.2025.104159
URL: https://www.sciencedirect.com/science/article/pii/S2214212625001966
Impact factor: 3.8 (JCR Q2, Computer Science, Information Systems)
Citations: 0
Abstract
As a novel privacy-preserving paradigm for protecting the privacy of participant data and realizing the utility of data, split learning (SL) has gained wide attention and applications in various fields such as healthcare and media advertising. SL aims to collaboratively train a model using private input and labeled data from multiple parties, while exchanging only intermediate representations and corresponding backward gradients. We propose GRAMSSAT, a label inference attack that trains a surrogate model to replace the label owner’s model. By leveraging a small amount of labeled auxiliary data, we treat the attack as a semi-supervised learning problem and design a novel loss function that incorporates gradient matching, which enables the adversary to infer private labels during the SL process. Our experiments show that GRAMSSAT achieves label inference with improved efficiency and accuracy, enhancing attack performance by 9.14% to 42.77% compared to prior works (e.g., Fu et al., USENIX Security 2022) across different datasets. In particular, when the adversarial client’s knowledge is limited (only 1 or 2 known labels per class), the inference accuracy of our proposed GRAMSSAT on the CIFAR-100 test set improves by 20.43% and 17.19% compared to the prior work. We also implement several defense mechanisms, including gradient compression and differential privacy. Our findings highlight the privacy risks in split learning and the need for more secure training techniques.
About the journal:
Journal of Information Security and Applications (JISA) focuses on original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.