{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,8]],"date-time":"2026-04-08T03:49:12Z","timestamp":1775620152209,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":51,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,11,6]],"date-time":"2024-11-06T00:00:00Z","timestamp":1730851200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/"}],"funder":[{"name":"Maof prize for outstanding young scientists"},{"name":"Blavatnik Interdisciplinary Cyber Research Center (ICRC)"},{"name":"Len Blavatnik and the Blavatnik Family foundation"},{"name":"United States-Israel Binational Science Foundation (BSF)","award":["2023641"],"award-info":[{"award-number":["2023641"]}]},{"name":"Ministry of Innovation, Science & Technology, Israel","award":["0603870071"],"award-info":[{"award-number":["0603870071"]}]},{"name":"KDDI Research, Inc."},{"DOI":"10.13039\/501100006374","name":"Intel Corporation via a Rising Star Award","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100006374","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Tel Aviv University Center for AI and Data Science (TAD)"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,11,6]]},"DOI":"10.1145\/3689932.3694768","type":"proceedings-article","created":{"date-parts":[[2024,11,22]],"date-time":"2024-11-22T06:24:01Z","timestamp":1732256641000},"page":"31-41","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":2,"title":["Harmful Bias: A General Label-Leakage Attack on Federated Learning from Bias Gradients"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0002-6135-7970","authenticated-orcid":false,"given":"Nadav","family":"Gat","sequence":"first","affiliation":[{"name":"Tel Aviv University, Tel Aviv, Israel"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7661-2220","authenticated-orcid":false,"given":"Mahmood","family":"Sharif","sequence":"additional","affiliation":[{"name":"Tel Aviv University, Tel Aviv, Israel"}]}],"member":"320","published-online":{"date-parts":[[2024,11,22]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"crossref","unstructured":"Martin Abadi Andy Chu Ian Goodfellow H Brendan McMahan Ilya Mironov Kunal Talwar and Li Zhang. 2016. Deep learning with differential privacy. In CCS.","DOI":"10.1145\/2976749.2978318"},{"key":"e_1_3_2_1_2_1","unstructured":"Eugene Bagdasaryan Andreas Veit Yiqing Hua Deborah Estrin and Vitaly Shmatikov. 2020. How to backdoor federated learning. In AISTATS."},{"key":"e_1_3_2_1_3_1","unstructured":"Gilad Baruch Moran Baruch and Yoav Goldberg. 2019. A little is enough: Circumventing defenses for distributed learning. In NeurIPS."},{"key":"e_1_3_2_1_4_1","volume-title":"Rachid Guerraoui, and Julien Stainer.","author":"Blanchard Peva","year":"2017","unstructured":"Peva Blanchard, El Mahdi El Mhamdi, Rachid Guerraoui, and Julien Stainer. 2017. Machine learning with adversaries: Byzantine tolerant gradient descent. In NeurIPS."},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"crossref","unstructured":"Keith Bonawitz Vladimir Ivanov Ben Kreuter Antonio Marcedone H Brendan McMahan Sarvar Patel Daniel Ramage Aaron Segal and Karn Seth. 2017. Practical secure aggregation for privacy-preserving machine learning. In CCS.","DOI":"10.1145\/3133956.3133982"},{"key":"e_1_3_2_1_6_1","unstructured":"Nicholas Carlini Chang Liu \u00dalfar Erlingsson Jernej Kos and Dawn Song. 2019. The Secret Sharer: Evaluating and Testing Unintended Memorization in Neural Networks. In USENIX Security."},{"key":"e_1_3_2_1_7_1","unstructured":"Torch Contributors. [n. d.]. MODELS AND PRE-TRAINED WEIGHTS. https:\/\/pytorch.org\/vision\/stable\/models.html. Last accessed on 09-01-2024."},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.5555\/2612156.2612159"},{"key":"e_1_3_2_1_9_1","unstructured":"Alexey Dosovitskiy Lucas Beyer Alexander Kolesnikov Dirk Weissenborn Xiaohua Zhai Thomas Unterthiner Mostafa Dehghani Matthias Minderer Georg Heigold Sylvain Gelly Jakob Uszkoreit and Neil Houlsby. 2021. An Image is Worth 16x16 Words: Transformers for Image Recognition at Scale. In ICLR."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"crossref","unstructured":"Cynthia Dwork. 2008. Differential privacy: A survey of results. In TAMC. 1--19.","DOI":"10.1007\/978-3-540-79228-4_1"},{"key":"e_1_3_2_1_11_1","unstructured":"Nadav Gat and Mahmood Sharif. 2024. Implementation of LLBG. https:\/\/github.com\/nadbag98\/LLBG."},{"key":"e_1_3_2_1_12_1","unstructured":"Jonas Geiping Hartmut Bauermeister Hannah Dr\u00f6ge and Michael Moeller. 2020. Inverting Gradients - How easy is it to break privacy in federated learning?. In NeurIPS."},{"key":"e_1_3_2_1_13_1","unstructured":"Rachid Guerraoui S\u00e9bastien Rouault et al. 2018. The hidden vulnerability of distributed learning in byzantium. In ICML."},{"key":"e_1_3_2_1_14_1","volume-title":"Weinberger","author":"Guo Chuan","year":"2017","unstructured":"Chuan Guo, Geoff Pleiss, Yu Sun, and Kilian Q. Weinberger. 2017. On Calibration of Modern Neural Networks. In ICML."},{"key":"e_1_3_2_1_15_1","unstructured":"Florian Hartmann. 2021. Predicting Text Selections with Federated Learning. https:\/\/ai.googleblog.com\/2021\/11\/predicting-text-selections-with.html. Last accessed on 09-01-2024."},{"key":"e_1_3_2_1_16_1","unstructured":"Florian Hartmann and Peter Kairouz. 2023. Distributed differential privacy for federated learning. https:\/\/ai.googleblog.com\/2023\/03\/distributed-differential-privacy-for.html. Last accessed on 09-01-2024."},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"crossref","unstructured":"K. He X. Zhang S. Ren and J. Sun. 2016. Deep Residual Learning for Image Recognition. In CVPR. 770--778.","DOI":"10.1109\/CVPR.2016.90"},{"key":"e_1_3_2_1_18_1","volume-title":"Bridging Nonlinearities and Stochastic Regularizers with Gaussian Error Linear Units. arXiv preprint arXiv:1606.08415","author":"Hendrycks Dan","year":"2016","unstructured":"Dan Hendrycks and Kevin Gimpel. 2016. Bridging Nonlinearities and Stochastic Regularizers with Gaussian Error Linear Units. arXiv preprint arXiv:1606.08415 (2016)."},{"key":"e_1_3_2_1_19_1","unstructured":"Yangsibo Huang Samyak Gupta Zhao Song Kai Li and Sanjeev Arora. 2021. Evaluating Gradient Inversion Attacks and Defenses in Federated Learning. In NeurIPS."},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1038\/s41467-020-16108-9"},{"key":"e_1_3_2_1_21_1","unstructured":"Alex Krizhevsky Geoffrey Hinton et al. 2009. Learning multiple layers of features from tiny images. University of Toronto (2009)."},{"key":"e_1_3_2_1_22_1","unstructured":"Alex Krizhevsky Ilya Sutskever and Geoffrey E Hinton. 2012. ImageNet Classification with Deep Convolutional Neural Networks. In NeurIPS."},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/5.726791"},{"key":"e_1_3_2_1_24_1","volume-title":"Deep gradient compression: Reducing the communication bandwidth for distributed training. arXiv preprint arXiv:1712.01887","author":"Lin Yujun","year":"2017","unstructured":"Yujun Lin, Song Han, Huizi Mao, Yu Wang, and William J Dally. 2017. Deep gradient compression: Reducing the communication bandwidth for distributed training. arXiv preprint arXiv:1712.01887 (2017)."},{"key":"e_1_3_2_1_25_1","unstructured":"Ningning Ma Xiangyu Zhang Hai-Tao Zheng and Jian Sun. 2018. ShuffleNet V2: Practical Guidelines for Efficient CNN Architecture Design. In ECCV."},{"key":"e_1_3_2_1_26_1","unstructured":"Brendan McMahan Eider Moore Daniel Ramage Seth Hampson and Blaise Aguera y Arcas. 2017. Communication-efficient learning of deep networks from decentralized data. In AISTATS."},{"key":"e_1_3_2_1_27_1","volume-title":"Emiliano De Cristofaro, and Vitaly Shmatikov","author":"Melis Luca","year":"2019","unstructured":"Luca Melis, Congzheng Song, Emiliano De Cristofaro, and Vitaly Shmatikov. 2019. Exploiting unintended feature leakage in collaborative learning. In IEEE S&P."},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2022.3151670"},{"key":"e_1_3_2_1_29_1","unstructured":"Andrew Paverd Andrew Martin and Ian Brown. 2014. Modelling and automatically analysing privacy properties for honest-but-curious adversaries. Tech. Rep (2014)."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.sysarc.2022.102819"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1007\/s11263-015-0816-y"},{"key":"e_1_3_2_1_32_1","volume-title":"Membership inference attacks against machine learning models","author":"Shokri Reza","unstructured":"Reza Shokri, Marco Stronati, Congzheng Song, and Vitaly Shmatikov. 2017. Membership inference attacks against machine learning models. In IEEE S&P."},{"key":"e_1_3_2_1_33_1","unstructured":"Karen Simonyan and Andrew Zisserman. 2015. Very Deep Convolutional Networks for Large-Scale Image Recognition. In ICLR."},{"key":"e_1_3_2_1_34_1","unstructured":"Christian Szegedy Wojciech Zaremba Ilya Sutskever Joan Bruna Dumitru Erhan Ian Goodfellow and Rob Fergus. 2014. Intriguing properties of neural networks. In ICLR."},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"crossref","unstructured":"M. Tan B. Chen R. Pang V. Vasudevan M. Sandler A. Howard and Q. V. Le. 2019. MnasNet: Platform-Aware Neural Architecture Search for Mobile. In CVPR.","DOI":"10.1109\/CVPR.2019.00293"},{"key":"e_1_3_2_1_36_1","unstructured":"Mingxing Tan and Quoc Le. 2019. EfficientNet: Rethinking Model Scaling for Convolutional Neural Networks. In ICML."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"crossref","unstructured":"Aidmar Wainakh Till M\u00fc\u00dfig Tim Grube and Max M\u00fchlh\u00e4user. 2022. Label Leakage from Gradients in Distributed Machine Learning. In PETS.","DOI":"10.2478\/popets-2022-0043"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIP.2003.819861"},{"key":"e_1_3_2_1_39_1","unstructured":"weiaicunzai and Yonghye Kwon. [n. d.]. PyTorch-CIFAR100: A PyTorch implementation for CIFAR-100. https:\/\/github.com\/weiaicunzai\/pytorch-cifar100. Last accessed on 09-01-2024."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1007\/s13042-022-01647-y"},{"key":"e_1_3_2_1_41_1","volume-title":"Gradient Leakage Attacks in Federated Learning: Research Frontiers, Taxonomy and Future Directions","author":"Yang Haomiao","year":"2023","unstructured":"Haomiao Yang, Mengyu Ge, Dongyun Xue, Kunlan Xiang, Hongwei Li, and Rongxing Lu. 2023. Gradient Leakage Attacks in Federated Learning: Research Frontiers, Taxonomy and Future Directions. IEEE Network (2023), 1--8."},{"key":"e_1_3_2_1_42_1","article-title":"Federated Machine Learning","volume":"10","author":"Yang Qiang","year":"2019","unstructured":"Qiang Yang, Yang Liu, Tianjian Chen, and Yongxin Tong. 2019. Federated Machine Learning: Concept and Applications. ACM Trans. Intell. Syst. Technol., Vol. 10, 2 (2019).","journal-title":"Concept and Applications. ACM Trans. Intell. Syst. Technol."},{"key":"e_1_3_2_1_43_1","volume-title":"Gradients: Image Batch Recovery via GradInversion. In CVPR.","author":"Yin H.","year":"2021","unstructured":"H. Yin, A. Mallya, A. Vahdat, J. M. Alvarez, J. Kautz, and P. Molchanov. 2021. See through Gradients: Image Batch Recovery via GradInversion. In CVPR."},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"crossref","unstructured":"Richard Zhang Phillip Isola Alexei A Efros Eli Shechtman and Oliver Wang. 2018. The unreasonable effectiveness of deep features as a perceptual metric. In CVPR.","DOI":"10.1109\/CVPR.2018.00068"},{"key":"e_1_3_2_1_45_1","volume-title":"Safelearning: Secure aggregation in federated learning with backdoor detectability","author":"Zhang Zhuosheng","year":"2023","unstructured":"Zhuosheng Zhang, Jiarui Li, Shucheng Yu, and Christian Makaya. 2023. Safelearning: Secure aggregation in federated learning with backdoor detectability. IEEE Transactions on Information Forensics and Security (2023)."},{"key":"e_1_3_2_1_46_1","volume-title":"Konda Reddy Mopuri, and Hakan Bilen","author":"Zhao Bo","year":"2020","unstructured":"Bo Zhao, Konda Reddy Mopuri, and Hakan Bilen. 2020. iDLG: Improved Deep Leakage from Gradients. arXiv preprint arXiv:2001.02610 (2020)."},{"key":"e_1_3_2_1_47_1","volume-title":"Atul Sharma, Yahya H Ezzeldin, Salman Avestimehr, and Saurabh Bagchi.","author":"Zhao Joshua C","year":"2023","unstructured":"Joshua C Zhao, Ahmed Roushdy Elkordy, Atul Sharma, Yahya H Ezzeldin, Salman Avestimehr, and Saurabh Bagchi. 2023. The Resource Problem of Using Linear Layer Leakage Attack in Federated Learning. In CVPR."},{"key":"e_1_3_2_1_48_1","volume-title":"Yahya H Ezzeldin, Salman Avestimehr, and Saurabh Bagchi.","author":"Zhao Joshua C","year":"2023","unstructured":"Joshua C Zhao, Atul Sharma, Ahmed Roushdy Elkordy, Yahya H Ezzeldin, Salman Avestimehr, and Saurabh Bagchi. 2023. Secure aggregation in federated learning is not private: Leaking user data at large scale through model modification. arXiv preprint arXiv:2303.12233 (2023)."},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"crossref","unstructured":"Lun Zhao Siquan Hu and Zhiguo Shi. 2023. Federated Learning Scheme Based on Gradient Compression and Local Differential Privacy. In ICCECT.","DOI":"10.1109\/ICCECT57938.2023.10140219"},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/3490237"},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"crossref","unstructured":"Ligeng Zhu Zhijian Liu and Song Han. 2019. Deep Leakage from Gradients. In NeurIPS.","DOI":"10.1007\/978-3-030-63076-8_2"}],"event":{"name":"CCS '24: ACM SIGSAC Conference on Computer and Communications Security","location":"Salt Lake City UT USA","acronym":"CCS '24","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2024 Workshop on Artificial Intelligence and Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3689932.3694768","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3689932.3694768","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,23]],"date-time":"2025-08-23T02:08:02Z","timestamp":1755914882000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3689932.3694768"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,11,6]]},"references-count":51,"alternative-id":["10.1145\/3689932.3694768","10.1145\/3689932"],"URL":"https:\/\/doi.org\/10.1145\/3689932.3694768","relation":{},"subject":[],"published":{"date-parts":[[2024,11,6]]},"assertion":[{"value":"2024-11-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}