ML Security PapersLEA: Label Enumeration Attack in Vertical Federated Learning
Wenhao Jiang , Shaojing Fu , Yuchuan Luo , Lin Liu
Published on arXiv
2603.03777
Model Inversion Attack
OWASP ML Top 10 — ML03
Key Finding
Without any auxiliary dataset, LEA achieves 50–90% higher label inference accuracy than existing state-of-the-art VFL label inference attacks across multiple VFL settings.
LEA (Label Enumeration Attack) / Binary-LEA
Novel technique introduced
A typical Vertical Federated Learning (VFL) scenario involves several participants collaboratively training a machine learning model, where each party has different features for the same samples, with labels held exclusively by one party. Since labels contain sensitive information, VFL must ensure the privacy of labels. However, existing VFL-targeted label inference attacks are either limited to specific scenarios or require auxiliary data, rendering them impractical in real-world applications. We introduce a novel Label Enumeration Attack (LEA) that, for the first time, achieves applicability across multiple VFL scenarios and eschews the need for auxiliary data. Our intuition is that an adversary, employing clustering to enumerate mappings between samples and labels, ascertains the accurate label mappings by evaluating the similarity between the benign model and the simulated models trained under each mapping. To achieve that, the first challenge is how to measure model similarity, as models trained on the same data can have different weights. Drawing from our findings, we propose an efficient approach for assessing congruence based on the cosine similarity of the first-round loss gradients, which offers superior efficiency and precision compared to the comparison of parameter similarities. However, the computational cost may be prohibitive due to the necessity of training and comparing the vast number of simulated models generated through enumeration. To overcome this challenge, we propose Binary-LEA from the perspective of reducing the number of models and eliminating futile training, which lowers the number of enumerations from n! to n^3. Moreover, LEA is resilient against common defense mechanisms such as gradient noise and gradient compression.
Key Contributions
- Novel Label Enumeration Attack (LEA) that infers private VFL labels without auxiliary data by enumerating label-sample mappings and comparing gradient cosine similarity to a benign model
- Binary-LEA optimization that reduces enumeration complexity from O(n!) to O(n^3) by pruning futile simulated model training
- Demonstrated resilience against common defenses (gradient noise, gradient compression) with 50–90% accuracy improvement over state-of-the-art label inference attacks
🛡️ Threat Analysis
The passive party (adversary) reconstructs private training labels (sensitive data held exclusively by the active party) by exploiting gradient information shared during VFL training — a classic gradient leakage / data reconstruction attack in federated learning. The paper explicitly targets the privacy of label data via model similarity comparisons derived from first-round loss gradients.