HFIA: a parasitic feature inference attack and gradient-based defense strategy in SplitNN-based vertical federated learning
Abstract: Vertical Federated Learning (VFL) is widely adopted in industries such as healthcare, enabling collaborators to improve model performance using disparate data sources. Split Neural Networks (SplitNN) are central to two-party VFL setups, providing stronger data privacy during collaboration. However, an untrustworthy server owner, referred to as the host, may exploit its position to infer sensitive client-side features during training. Our research introduces the Hitchhike Feature Inference Attack (HFIA), in which the host leverages a minimal auxiliary dataset (less than 1% of the total data) to infer sensitive features with high accuracy (up to 99%) before VFL training has completed. To mitigate this privacy risk, we propose a client-side defense strategy: clients construct shadow models that simulate the attacker's approach and add gradient-based adversarial noise to their local embeddings, significantly reducing feature leakage. Experiments demonstrate that HFIA achieves high attack success rates, while the defense reduces the attack's macro_auc to approximately 60%, with minimal impact (<5% decrease) on the normal VFL task. The defense reduces attack macro_auc by over 20% and imposes no restrictions on VFL model construction. In practice, participants can adopt this approach to mitigate training-time privacy leakage and protect sensitive client-side data from malicious inference.
External IDs: dblp:journals/ml/DongZRHHZ25
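To make the threat model in the abstract concrete, the following is an added toy illustration (written for this page, not the authors' HFIA code or their defense implementation) of a two-party SplitNN in plain numpy. The client keeps a table whose first column is a sensitive binary attribute, sends only bottom-model embeddings to the host, and the host fits an inference head on the embeddings of a small auxiliary subset (1% of rows) whose sensitive value it already knows. The defense sketched here is one generic reading of "shadow model plus gradient-based adversarial noise": the client trains its own shadow attacker on (embedding, sensitive attribute) and takes a single signed-gradient step that raises that shadow attacker's loss under an L-infinity budget. The data generator, the network sizes, the logistic-regression heads, the FGSM-style step and the accuracy metric (the paper reports macro_auc) are all assumptions of this example, not details taken from the paper.

```python
"""Toy two-party SplitNN: host-side feature inference on client embeddings and a
client-side, shadow-model-guided gradient noise defense. numpy only, constructed data."""
import numpy as np


def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))


def make_client_data(rng, n=4000, d=4):
    """Constructed client table: column 0 carries the sensitive binary attribute s
    (shifted to about +/-2); the other columns are unrelated noise. The main-task
    label y depends only on the non-sensitive columns (an assumption of this demo)."""
    s = rng.integers(0, 2, size=n)
    x = rng.normal(size=(n, d))
    x[:, 0] = (2 * s - 1) * 2.0 + 0.3 * rng.normal(size=n)
    y = (x[:, 1] + x[:, 2] > 0).astype(int)
    return x, s, y


def bottom_model(x, w_c):
    """Client bottom model (linear + tanh). Its output is all the host ever receives."""
    return np.tanh(x @ w_c)


def train_logreg(h, y, steps=300, lr=0.5, l2=1e-3):
    """Full-batch logistic regression, used for the host's top model, the host's
    attacker head and the client's shadow attacker alike (a simplification)."""
    n, k = h.shape
    w, b = np.zeros(k), 0.0
    for _ in range(steps):
        g = sigmoid(h @ w + b) - y
        w -= lr * (h.T @ g / n + l2 * w)
        b -= lr * g.mean()
    return w, b


def logreg_loss(h, y, w, b):
    """Mean log-loss written as softplus(z) - y*z: exact and convex in the embedding h."""
    z = h @ w + b
    return float(np.mean(np.logaddexp(0.0, z) - y * z))


def accuracy(h, y, w, b):
    return float((((h @ w + b) > 0).astype(int) == y).mean())


def attack_accuracy(h, s, aux_idx):
    """Host-side feature inference: fit an inference head on the few auxiliary rows
    whose sensitive value the host already knows, then infer s for every other row."""
    w, b = train_logreg(h[aux_idx], s[aux_idx])
    mask = np.ones(len(s), dtype=bool)
    mask[aux_idx] = False
    return accuracy(h[mask], s[mask], w, b)


def shadow_gradient_noise(h, s, eps=0.3):
    """Client-side defense: the client knows its own s, so it trains a shadow attacker
    on (h, s) and moves each embedding one signed-gradient step in the direction that
    increases the shadow attacker's loss (FGSM-style step, L_inf budget eps)."""
    w, b = train_logreg(h, s)
    # dL_i/dh_i = (p_i - s_i) * w, up to the positive 1/n factor that does not change the sign
    grad = (sigmoid(h @ w + b) - s)[:, None] * w[None, :]
    delta = eps * np.sign(grad)
    return h + delta, (w, b), delta


def run_demo(eps=0.3, aux_frac=0.01, seed=0):
    """Deterministic end-to-end run; returns the numbers a practitioner would compare."""
    rng = np.random.default_rng(seed)
    x, s, y = make_client_data(rng)
    w_c = 0.5 * rng.normal(size=(x.shape[1], 8))      # client bottom-model weights
    h = bottom_model(x, w_c)                          # what the host receives undefended
    aux_idx = rng.choice(len(s), size=int(aux_frac * len(s)), replace=False)

    h_def, shadow, delta = shadow_gradient_noise(h, s, eps)
    out = {
        "attack_acc_clean": attack_accuracy(h, s, aux_idx),
        "attack_acc_defended": attack_accuracy(h_def, s, aux_idx),  # host refits on noisy h
        "shadow_loss_clean": logreg_loss(h, s, *shadow),
        "shadow_loss_defended": logreg_loss(h_def, s, *shadow),
        "delta_linf": float(np.abs(delta).max()),
    }
    # Main-task utility: host top model fitted and scored on the same rows (fit accuracy).
    for name, emb in (("main_acc_clean", h), ("main_acc_defended", h_def)):
        w, b = train_logreg(emb, y)
        out[name] = accuracy(emb, y, w, b)
    return out


if __name__ == "__main__":
    for key, val in run_demo().items():
        print(f"{key:22s} {val:.3f}")
```

Two things the numbers show that the abstract only states. First, a host with 1% labelled auxiliary rows needs nothing more than a linear head on the received embeddings to recover the sensitive column, because the bottom model leaks it almost unchanged. Second, a perturbation tuned against a single fixed shadow model is guaranteed to raise that shadow model's loss (the log-loss is convex in the embedding, so a signed-gradient step cannot decrease it), but `attack_acc_defended` is measured against a host that refits its head on the noisy embeddings; whether that adaptive host is still hurt depends on `eps` and on how well the shadow matches the real attacker, which is the check a practitioner should run before trusting any such defense in production.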