Skip to main content
SpringerLink
Log in

MILSA: Model Interpretation Based Label Sniffing Attack in Federated Learning

  • Conference paper
  • First Online:
Information Systems Security (ICISS 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13784))

Included in the following conference series:

Abstract

Federated learning allows multiple participants to come together and collaboratively train an intelligent model. It allows local model training, while keeping the data in-place to preserve privacy. In contrast, deep learning models learn by observing the training data. Consequently, local models produced by participants are not presumed to be secure and are susceptible to inference attacks. Existing inference attacks require training multiple shadow models, white-box knowledge of training models and auxiliary data preparation, which makes these attacks to be ineffective and infeasible. This paper proposes a model interpretation based label sniffing attack called MILSA, which does not interfere with learning of the main task but learns about the presence of a particular label in the target (participant’s) training model. MILSA uses Shapley based value functions for interpreting the training models to frame inference attacks. MILSA is evaluated on different datasets and the results show its effectiveness. Further, MILSA is evaluated against differentially-private local model updates, and it is observed that MILSA could successfully perform the inference attacks. We propose a secure training strategy to address these issues.

D. Manna, H. Kasyap, and S. Tripathy—All authors have equal contribution.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 54.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 69.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    https://christophm.github.io/interpretable-ml-book/shapley.html.

  2. 2.

    http://yann.lecun.com/exdb/mnist/.

  3. 3.

    https://github.com/slundberg/shap.

  4. 4.

    http://yann.lecun.com/exdb/mnist/.

  5. 5.

    https://github.com/zalandoresearch/fashion-mnist.

  6. 6.

    https://github.com/Project-MONAI/MONAI-extra-test-data/releases/download/0.8.1/MedNIST.tar.gz.

  7. 7.

    https://www.cs.toronto.edu/~kriz/cifar.html.

References

  1. Ganju, K., Wang, Q., Yang, W., Gunter, C.A., Borisov, N.: Property inference attacks on fully connected neural networks using permutation invariant representations. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 619–633 (2018)

    Google Scholar 

  2. Hao, M., Li, H., Luo, X., Xu, G., Yang, H., Liu, S.: Efficient and privacy-enhanced federated learning for industrial artificial intelligence. IEEE Trans. Ind. Inform. 16(10), 6532–6542 (2019)

    Article  Google Scholar 

  3. Hayes, J., Ohrimenko, O.: Contamination attacks and mitigation in multi-party machine learning. In: Advances in Neural Information Processing Systems 31 (2018)

    Google Scholar 

  4. Jere, M.S., Farnan, T., Koushanfar, F.: A taxonomy of attacks on federated learning. IEEE Secur. Priv. 19(2), 20–28 (2020)

    Article  Google Scholar 

  5. Kasyap, H., Tripathy, S.: Privacy-preserving decentralized learning framework for healthcare system. ACM Trans. Multimedia Computi. Commun. Appl. (TOMM) 17(2s), 1–24 (2021)

    Google Scholar 

  6. Kong, X., Gao, H., Shen, G., Duan, G., Das, S.K.: FedVCP: a federated-learning-based cooperative positioning scheme for social internet of vehicles. IEEE Trans. Comput. Soc. Syst. 9, 197–206 (2021)

    Article  Google Scholar 

  7. Kulkarni, P.P., Kasyap, H., Tripathy, S.: DNet: an efficient privacy-preserving distributed learning framework for healthcare systems. In: Goswami, D., Hoang, T.A. (eds.) ICDCIT 2021. LNCS, vol. 12582, pp. 145–159. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-65621-8_9

    Chapter  Google Scholar 

  8. Lundberg, S.M., Lee, S.I.: A unified approach to interpreting model predictions. In: Advances in Neural Information Processing Systems, pp. 4765–4774 (2017)

    Google Scholar 

  9. Luo, X., Wu, Y., Xiao, X., Ooi, B.C.: Feature inference attack on model predictions in vertical federated learning. In: 2021 IEEE 37th International Conference on Data Engineering (ICDE), pp. 181–192. IEEE (2021)

    Google Scholar 

  10. Manna, A., Kasyap, H., Tripathy, S.: Moat: model agnostic defense against targeted poisoning attacks in federated learning. In: Gao, D., Li, Q., Guan, X., Liao, X. (eds.) ICICS 2021. LNCS, vol. 12918, pp. 38–55. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-86890-1_3

    Chapter  Google Scholar 

  11. McMahan, B., Moore, E., Ramage, D., Hampson, S., y Arcas, B.A.: Communication-efficient learning of deep networks from decentralized data. In: Artificial Intelligence and Statistics, pp. 1273–1282. PMLR (2017)

    Google Scholar 

  12. McMahan, H.B., Moore, E., Ramage, D., y Arcas, B.A.: Federated learning of deep networks using model averaging. CoRR abs/1602.05629 (2016). http://arxiv.org/abs/1602.05629

  13. Nasr, M., Shokri, R., Houmansadr, A.: Comprehensive privacy analysis of deep learning: passive and active white-box inference attacks against centralized and federated learning. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 739–753 (2019). https://doi.org/10.1109/SP.2019.00065

  14. Rieke, N., et al.: The future of digital health with federated learning. NPJ Digit. Med. 3(1), 1–7 (2020)

    Article  Google Scholar 

  15. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)

    Article  MathSciNet  MATH  Google Scholar 

  16. Shokri, R., Stronati, M., Song, C., Shmatikov, V.: Membership inference attacks against machine learning models. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 3–18. IEEE (2017)

    Google Scholar 

  17. Singh, N., Kasyap, H., Tripathy, S.: Collaborative learning based effective malware detection system. In: Koprinska, I., et al. (eds.) ECML PKDD 2020. CCIS, vol. 1323, pp. 205–219. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-65965-3_13

    Chapter  Google Scholar 

  18. Wang, L., Xu, S., Wang, X., Zhu, Q.: Eavesdrop the composition proportion of training labels in federated learning. arXiv preprint arXiv:1910.06044 (2019)

  19. Wei, K., et al.: Federated learning with differential privacy: algorithms and performance analysis. IEEE Trans. Inf. Forensics Secur. 15, 3454–3469 (2020)

    Article  Google Scholar 

  20. Xu, G., Li, H., Liu, S., Yang, K., Lin, X.: VerifyNet: Secure and verifiable federated learning. IEEE Trans. Inf. Forensics Secur. 15, 911–926 (2019)

    Article  Google Scholar 

  21. Zhou, C., et al.: PPA: preference profiling attack against federated learning. arXiv preprint arXiv:2202.04856 (2022)

Download references

Acknowledgement

We acknowledge the Ministry of Education, Government of India, for providing fellowship to complete this work.

Author information

Authors and Affiliations

  1. Department of Computer Science and Engineering, Indian Institute of Technology Patna, Patna, India

    Debasmita Manna, Harsh Kasyap & Somanath Tripathy

Authors
  1. Debasmita Manna
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Harsh Kasyap
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Somanath Tripathy
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Harsh Kasyap .

Editor information

Editors and Affiliations

  1. Indian Institute of Technology Tirupati, Tirupati, India

    Venkata Ramana Badarla

  2. CSIRO Data61, Sydney, NSW, Australia

    Surya Nepal

  3. Indian Institute of Technology Bombay, Mumbai, Maharashtra, India

    Rudrapatna K. Shyamasundar

Rights and permissions

Reprints and permissions

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Manna, D., Kasyap, H., Tripathy, S. (2022). MILSA: Model Interpretation Based Label Sniffing Attack in Federated Learning. In: Badarla, V.R., Nepal, S., Shyamasundar, R.K. (eds) Information Systems Security. ICISS 2022. Lecture Notes in Computer Science, vol 13784. Springer, Cham. https://doi.org/10.1007/978-3-031-23690-7_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-23690-7_8

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-23689-1

  • Online ISBN: 978-3-031-23690-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation