Federated Learning (FL) exhibits privacy vulnerabilities under gradient inversion attacks (GIAs), which can extract private information from individual gradients. To enhance privacy, FL incorporates Secure Aggregation (SA) to prevent the server from obtaining individual gradients, thus effectively resisting GIAs. In this paper, we propose a stealthy label inference attack to bypass SA and recover individual clients' private labels. Specifically, we conduct a theoretical analysis of label inference from the aggregated gradients, which are the only gradients the server obtains once SA is implemented. The analysis reveals that the inputs (embeddings) and outputs (logits) of the final fully connected layer (FCL) contribute to gradient disaggregation and label restoration. To preset the embeddings and logits of the FCL, we craft a fishing model by solely modifying the parameters of a single batch normalization (BN) layer in the original model. By distributing client-specific fishing models, the server can derive the individual gradients with respect to the bias of the FCL by solving a linear system with the expected embeddings and the aggregated gradients as coefficients. The labels of each client can then be precisely computed from the preset logits and the gradients of the FCL's bias. Extensive experiments show that our attack achieves large-scale label recovery with 100% accuracy on various datasets and model architectures.