Poster in Workshop: Privacy Regulation and Protection in Machine Learning
Posterior Probability-based Label Recovery Attack in Federated Learning
Rui Zhang · Song Guo · Ping Li
Recent works have proposed analytical attacks that can restore batch labels from gradients of a classification model in Federated Learning (FL). However, these studies rely on strict assumptions and do not show scalability to other classification loss functions. In this paper, we propose a generalized label recovery attack by estimating the posterior probabilities. Beginning with the focal loss function, we derive the relationship among the gradients, labels and posterior probabilities in a concise form. We also empirically observe that positive or negative samples of a class have approximate probability distributions. This insight enables us to estimate the posterior probabilities of the target batch from some auxiliary data. Integrating the above elements, we present our label attack that can directly recover the class-wise batch labels in realistic FL settings. Evaluation results show that on an untrained model, our attack can achieve over 95% Instance-level label Accuracy (InsAcc) and 96% Class-level label Accuracy (ClsAcc) on different groups of datasets, models and activations. For a training model, our approach reaches more than 90% InsAcc on different hyper-parameters.