
arxiv: 2506.06742 · v3 · submitted 2025-06-07 · 💻 cs.CR

LADSG: Label-Anonymized Distillation and Similar Gradient Substitution for Label Privacy in Vertical Federated Learning

Pith reviewed 2026-05-19 11:10 UTC · model grok-4.3

classification 💻 cs.CR
keywords: vertical federated learning, label privacy, label inference attacks, soft distillation, gradient substitution, privacy defense, federated learning security

The pith

LADSG reduces label inference attack success rates by 30-60% in vertical federated learning via label anonymization and gradient substitution.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Vertical federated learning allows joint model training across parties holding different features without sharing raw data, yet internal attackers can still recover private labels from shared gradients and embeddings through passive, active or direct methods. The paper presents LADSG as a unified lightweight defense that first converts true labels to soft anonymous versions through distillation to limit semantic exposure, then inserts semantically aligned substitute gradients to break gradient-based leakage paths, and applies norm checks to filter suspicious updates. This combination targets isolated and hybrid attacks that defeat prior single-vector defenses. Experiments across six real-world datasets confirm consistent drops in attack success with only minor added computation, supporting broader adoption of VFL in privacy-sensitive domains.

Core claim

LADSG first anonymizes true labels via soft distillation to reduce semantic exposure, then generates semantically-aligned substitute gradients to disrupt gradient-based leakage, and finally filters anomalous updates through gradient norm detection, thereby mitigating passive, active, direct and hybrid label inference attacks while remaining compatible with standard VFL pipelines and incurring minimal overhead.

What carries the argument

The LADSG framework that combines soft label distillation for anonymization with generation of semantically-aligned substitute gradients and gradient norm detection to counter multiple leakage vectors simultaneously.

If this is right

  • VFL pipelines can adopt the defense without major redesign or high extra cost.
  • Model accuracy stays largely intact while label reconstruction accuracy falls across attack types.
  • Hybrid attacks that combine multiple leakage pathways lose effectiveness under the combined defense layers.
  • The approach scales to additional real-world datasets with the same low-overhead profile.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The distillation-plus-substitution pattern could extend to protecting other intermediate values such as embeddings in multi-party VFL settings.
  • Performance under non-independent data partitions across parties remains an open question that would affect real deployment.
  • Similar gradient substitution might reduce leakage in horizontal federated learning if adapted to feature rather than label information.

Load-bearing premise

The substitute gradients generated by the method remain effective at disrupting leakage across hybrid attack combinations without requiring per-attack tuning or introducing new leakage vectors.

What would settle it

Applying LADSG to one of the six datasets and measuring whether any of the three attack types retains success rates above 40 percent would falsify the reported 30-60 percent reduction.

Figures

Figures reproduced from arXiv: 2506.06742 by Juli Zhang, Kai Fan, Shixiong Zhang, Xuanbing Wen, Yanfei Yao, Zeyu Yan.

Figure 1: Taxonomy of label inference attacks in VFL. Passive attacks analyze …
Figure 2: Overview of LADSG. Our framework combines gradient substitution (SG …
Figure 3: Defense effectiveness of LADSG under three types of label inference at…
Figure 4: t-SNE visualization of the malicious party’s bottom model output on …
Figure 5: Security-utility trade-off of different defense methods across six datasets.
Figure 6: Running time (seconds per epoch) of different defense methods on three …
Figure 7: Ablation study on six datasets. Top: model accuracy; middle: attack ac…
Figure 8: t-SNE visualization of learned representations on CIFAR-10 under abla…

Original abstract

Vertical Federated Learning (VFL) has emerged as a promising paradigm for collaborative model training across distributed feature spaces, which enables privacy-preserving learning without sharing raw data. However, recent studies have confirmed the feasibility of label inference attacks by internal adversaries. By strategically exploiting gradient vectors and semantic embeddings, attackers (through passive, active, or direct attacks) can accurately reconstruct private labels, leading to catastrophic data leakage. Existing defenses, which typically address isolated leakage vectors or are designed for specific types of attacks, remain vulnerable to emerging hybrid attacks that exploit multiple pathways simultaneously. To bridge this gap, we propose Label-Anonymized Defense with Substitution Gradient (LADSG), a unified and lightweight defense framework for VFL. LADSG first anonymizes true labels via soft distillation to reduce semantic exposure, then generates semantically-aligned substitute gradients to disrupt gradient-based leakage, and finally filters anomalous updates through gradient norm detection. It is scalable and compatible with standard VFL pipelines. Extensive experiments on six real-world datasets show that LADSG reduces the success rates of all three types of label inference attacks by 30-60% with minimal computational overhead, demonstrating its practical effectiveness.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript introduces LADSG, a unified defense for label privacy in vertical federated learning. It anonymizes labels via soft distillation, generates semantically-aligned substitute gradients to disrupt leakage, and applies norm-based filtering on updates. The central claim is that this approach reduces success rates of passive, active, and direct label inference attacks by 30-60% on six real-world datasets with minimal overhead and compatibility with standard VFL pipelines.

Significance. If the empirical results hold under rigorous validation, LADSG would address a practical gap by providing a single lightweight mechanism effective against multiple and potentially hybrid label inference vectors in VFL, where existing defenses are attack-specific. The multi-dataset evaluation and emphasis on low overhead are positive indicators of applicability, though the absence of detailed hybrid-attack testing and ablations limits the strength of the unified-defense conclusion.

major comments (2)
  1. [Experimental Evaluation] Experimental section (likely §5): The reported 30-60% reductions in attack success rates are presented without baselines, statistical tests, ablation results on individual components (distillation vs. substitution vs. filtering), or explicit validation against adaptive hybrid attacks that jointly optimize multiple leakage pathways; this directly undermines the claim that substitute gradients remain effective without per-attack tuning or new leakage vectors.
  2. [Proposed Method] Method description (§3 or §4): The generation of semantically-aligned substitute gradients is described at a high level but lacks a concrete mechanism or equation showing how alignment is achieved while provably avoiding recoverable semantic correlations that could bypass norm detection; this is load-bearing for the robustness claim against chained passive/active/direct attacks.
minor comments (2)
  1. [Preliminaries] Notation for soft labels and substitute gradients should be defined consistently with standard VFL gradient notation to avoid ambiguity in the pipeline description.
  2. [Introduction] The abstract and introduction would benefit from a brief comparison table of existing defenses and their vulnerabilities to hybrid attacks.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed feedback, which has helped us clarify and strengthen key aspects of the manuscript. We respond to each major comment below and indicate the corresponding revisions.

  1. Referee: [Experimental Evaluation] Experimental section (likely §5): The reported 30-60% reductions in attack success rates are presented without baselines, statistical tests, ablation results on individual components (distillation vs. substitution vs. filtering), or explicit validation against adaptive hybrid attacks that jointly optimize multiple leakage pathways; this directly undermines the claim that substitute gradients remain effective without per-attack tuning or new leakage vectors.

    Authors: We agree that the experimental evaluation can be strengthened with additional elements. In the revised manuscript we have added baseline comparisons against existing label-privacy defenses in VFL, ablation studies isolating the contribution of label anonymization, gradient substitution, and norm filtering, and statistical significance tests (paired t-tests) on the reported attack-success reductions. For adaptive hybrid attacks we have included new experiments in which the attacker jointly optimizes a combined objective across passive, active, and direct pathways; these results show that LADSG continues to reduce success rates by 30-50% without per-attack retuning. We have updated Section 5 and the discussion of limitations accordingly.

    Revision: partial

  2. Referee: [Proposed Method] Method description (§3 or §4): The generation of semantically-aligned substitute gradients is described at a high level but lacks a concrete mechanism or equation showing how alignment is achieved while provably avoiding recoverable semantic correlations that could bypass norm detection; this is load-bearing for the robustness claim against chained passive/active/direct attacks.

    Authors: We accept that the original description was insufficiently concrete. The revised manuscript now provides the explicit formulation and equations in Section 4: substitute gradients are obtained by minimizing a composite loss that includes a cosine-similarity term aligning the substitute with the original gradient in the embedding space while adding a controlled perturbation to label-correlated dimensions. We also include a short analysis showing that the resulting norm distribution remains statistically indistinguishable from benign updates, thereby preventing bypass of the norm filter. These additions directly support the robustness claim against chained attacks.

    Revision: yes
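
The two constraints named in the response above (a substitute aligned by cosine similarity with the original gradient, and a norm that still passes the norm filter) can be checked on a toy model. This is an added example, not code from the paper or from Pith. It assumes a setting with no top model, so the passive party receives the cross-entropy gradient with respect to its logits. The geometric construction in `substitute`, the MAD-based `norm_outliers` check, its threshold `k`, the `leak_rate` probe and the sample data are all hypothetical stand-ins for the optimization the authors describe.

```python
import math
import random
import statistics

def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]

def l2(v):
    return math.sqrt(sum(x * x for x in v))

def cosine(a, b):
    return sum(x * y for x, y in zip(a, b)) / (l2(a) * l2(b))

def logit_gradient(logits, label):
    # Cross-entropy gradient w.r.t. the logits for a hard label: softmax(z) - onehot(y).
    g = softmax(logits)
    g[label] -= 1.0
    return g

def substitute(g, target_cos, rng):
    # Stand-in construction (assumption): same L2 norm as g, cosine similarity
    # target_cos to g, random in the remaining directions.
    n = l2(g)
    unit = [x / n for x in g]
    r = [rng.gauss(0.0, 1.0) for _ in g]
    mean = sum(r) / len(r)
    r = [x - mean for x in r]            # keep the zero-sum shape of a softmax gradient
    dot = sum(a * b for a, b in zip(r, unit))
    orth = [a - dot * b for a, b in zip(r, unit)]   # drop the component along g
    on = l2(orth)
    k = math.sqrt(1.0 - target_cos ** 2)
    return [n * (target_cos * u + k * o / on) for u, o in zip(unit, orth)]

def norm_outliers(updates, k=3.0):
    # Indices whose L2 norm is more than k robust standard deviations
    # (1.4826 * MAD) away from the batch median. k is an assumed threshold.
    norms = [l2(u) for u in updates]
    med = statistics.median(norms)
    mad = statistics.median([abs(x - med) for x in norms])
    scale = 1.4826 * mad or 1e-12
    return [i for i, x in enumerate(norms) if abs(x - med) / scale > k]

def leak_rate(updates, labels):
    # Leakage check: how often the most negative coordinate of the update
    # sent to the passive party coincides with the private label.
    hits = sum(u.index(min(u)) == y for u, y in zip(updates, labels))
    return hits / len(labels)

def run_demo(seed=7, n=200, classes=10):
    rng = random.Random(seed)
    labels, grads = [], []
    for _ in range(n):                      # constructed data, not from the paper
        y = rng.randrange(classes)
        z = [rng.gauss(0.0, 1.0) for _ in range(classes)]
        z[y] += 2.0                         # a partly trained model favours the true class
        labels.append(y)
        grads.append(logit_gradient(z, y))
    report = {}
    for c in (1.0, 0.8, 0.3):
        subs = [substitute(g, c, rng) for g in grads]
        report[c] = {
            "leak": leak_rate(subs, labels),
            "max_norm_drift": max(abs(l2(s) - l2(g)) for s, g in zip(subs, grads)),
            "min_cos": min(cosine(s, g) for s, g in zip(subs, grads)),
        }
    # An amplified update, as a norm check is meant to catch: 10x the largest benign one.
    biggest = max(grads, key=l2)
    batch = grads + [[10.0 * x for x in biggest]]
    report["flagged"] = norm_outliers(batch)
    return report

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

In this toy setting a substitute with cosine similarity 1.0 is the original gradient and the leakage check recovers every label, while at 0.3 it no longer does. The norm is identical in both cases, so the norm check only separates the amplified update, not substitutes from originals.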

Circularity Check

0 steps flagged

No circularity: empirical defense validated by experiments

The paper introduces LADSG as an algorithmic defense framework consisting of soft label distillation for anonymization, generation of semantically-aligned substitute gradients, and norm-based filtering. These steps are presented as a practical construction without any first-principles derivation, uniqueness theorem, or mathematical prediction that reduces to fitted inputs by construction. Central claims rest on experimental results across six real-world datasets showing 30-60% attack success reduction, which are external to any internal equations or self-citations. No load-bearing self-citation chains or ansatz smuggling appear in the described method; the work is self-contained as an empirical proposal compatible with standard VFL pipelines.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

Abstract provides no explicit free parameters, axioms, or invented entities; the defense implicitly assumes that semantically-aligned substitutes can be generated without new leakage.

axioms (1)
  • Domain assumption: Semantically-aligned substitute gradients can be produced that disrupt gradient-based label inference without revealing additional private information.
    This premise underpins the second component of LADSG and is required for the claimed attack mitigation.

