NeurIPS 2021
Catastrophic Data Leakage in Vertical Federated Learning
Xiao Jin, Pin-Yu Chen, Chia-Yi Hsu, Chia-Mu Yu, Tianyi Chen
Cited by 28
Abstract
Recent studies show that private training data can be leaked through the gradient-sharing mechanism deployed in distributed machine learning systems, such as federated learning (FL). Increasing batch size to complicate data recovery is often viewed as a promising defense strategy against data leakage. In this paper, we revisit this defense premise and propose an advanced data leakage attack with theoretical justification to efficiently recover batch data from the shared aggregated gradients. We name our proposed method catastrophic data leakage in vertical federated learning (CAFE). Compared to existing data leakage attacks, our extensive experimental results on vertical FL settings demonstrate the effectiveness of CAFE in performing large-batch data leakage attacks with improved data recovery quality. We also propose a practical countermeasure to mitigate CAFE. Our results suggest that private data participating in standard FL, especially the vertical case, have a high risk of being leaked from the training gradients. Our analysis implies unprecedented and practical data leakage risks in those learning settings. The code of our work is available at https://github.com/DeRafael/CAFE.

Table 1: Comparison of CAFE with state-of-the-art data leakage attack methods in FL.
| Method | Optimization terms | Reported maximal batch size | Training while attacking | Theoretical guarantee | Additional information other than gradients |
|---|---|---|---|---|---|
| DLG [33] | ℓ2 distance between real and fake gradients | 8 | No | No | No |
| iDLG [31] | ℓ2 distance | 8 | No | Yes | No |
| Inverting Gradients [11] | Cosine similarity, TV norm | 8; 100 (Mostly unrecognizable) | Yes | Yes | Number of local updates |
| A Framework for Evaluating Gradient Leakage [27] | ℓ2 distance, label-based regularizer | 8 | No | Yes | No |
| SAPAG [26] | Gaussian kernel based function | 8 | No | No | No |
| R-GAP [32] | Recursive gradient loss | 5 | No | Yes | The rank of matrix A defined in [32] |
| Theory oriented [22] | ℓ2 distance, ℓ1 distances of the recovered feature map | 32 | No | Yes | Number of exclusive activated neurons |
| GradInversion [30] | Fidelity regularizers, group consistency regularizers | 48 | No | No | Batch size number of classes & non-repeating labels in a batch |
| CAFE (ours) | | | | | |