GRAMSSAT: An efficient label inference attack against two-party split learning based on gradient matching and semi-supervised learning

IF 3.7 | Zone 2, Computer Science | JCR Q2, COMPUTER SCIENCE, INFORMATION SYSTEMS
Lixin Zhang, Xinyan Gao, Bihe Zhao, Zhenyu Guan, Song Bian
Journal: Journal of Information Security and Applications, volume 93, Article 104159
DOI: 10.1016/j.jisa.2025.104159
Published: 2025-07-17 (journal article; not open access)
Full text: https://www.sciencedirect.com/science/article/pii/S2214212625001966
Indexing: Semantic Scholar; JCR Q2 (Computer Science, Information Systems); Zone 2 (Computer Science)
Citations: 0

Abstract


As a novel privacy-preserving paradigm for protecting the privacy of participant data and realizing the utility of data, split learning (SL) has gained wide attention and applications in various fields such as healthcare and media advertising. SL aims to collaboratively train a model using private input and labeled data from multiple parties, while exchanging only intermediate representations and corresponding backward gradients. We propose GRAMSSAT, a label inference attack that trains a surrogate model to replace the label owner’s model. By leveraging a small amount of labeled auxiliary data, we treat the attack as a semi-supervised learning problem, designing a novel loss function that combines gradient matching, which enables the adversary to infer private labels during the SL process. Our experiments show that GRAMSSAT achieves label inference with improved efficiency and accuracy, enhancing attack performance by 9.14% to 42.77% compared to prior works e.g., Fu et al., USENIX Security 2022 across different datasets. In particular, in the case where the adversarial client’s knowledge is limited (only known 1 or 2 labels per class), the inference accuracy of our proposed GRAMSSAT on the CIFAR-100 test set improves by 20.43% and 17.19% compared to the prior work. We also implement several defense mechanisms, including gradient compression and differential privacy. Our findings highlight the privacy risks in split learning and the need for more secure training techniques.
Source journal
Journal of Information Security and Applications (Computer Science: Computer Networks and Communications)
CiteScore: 10.90
Self-citation rate: 5.40%
Articles published: 206
Review time: 56 days
Journal description: Journal of Information Security and Applications (JISA) focuses on original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view of modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.