Split learning is deemed as a promising paradigm for privacy-preserving distributed learning, where the learning model can be cut into multiple portions to be trained at the participants collaboratively. The participants only exchange the intermediate learning results at the cut layer, including smashed data via forward-pass (i.e., features extracted from the raw data) and gradients during backward-propagation.Understanding the security performance of split learning is critical for various privacy-sensitive applications.With the emphasis on private labels, this paper proposes a passive clustering label inference attack for practical split learning. The adversary (either clients or servers) can accurately retrieve the private labels by collecting the exchanged gradients and smashed data.We mathematically analyse potential label leakages in split learning and propose the cosine and Euclidean similarity measurements for clustering attack. Experimental results validate that the proposed approach is scalable and robust under different settings (e.g., cut layer positions, epochs, and batch sizes) for practical split learning.The adversary can still achieve accurate predictions, even when differential privacy and gradient compression are adopted for label protections.

本文针对隐私敏感的应用，提出了一种针对实际分割学习的被动聚类标签推断攻击，该攻击可以通过收集交换的梯度和压碎数据来精确检索私有标签，并使用余弦和欧几里得相似度度量来分析潜在的标签泄露。实验结果表明，即使对标签进行差分隐私和梯度压缩的保护，攻击者仍然可以在不同的设置下（例如，切割层位置，时代和批量大小）实现准确的预测。

实用分散式学习对聚类标签推断攻击