Make Split, not Hijack: Preventing Feature-Space Hijacking Attacks in Split Learning
Tanveer Khan, Mindaugas Budzys, Antonis Michalas
TL;DR
This work addresses privacy risks in Split Learning, notably feature-space hijacking and visual invertibility threats, by integrating Function Secret Sharing to compute server-side layers on secret-shared functions. The proposed private vanilla SL protocol masks the client's activation maps with a random mask and processes them via two non-colluding servers, ensuring forward and backward passes do not reveal raw data. The approach achieves accuracy on MNIST comparable to plaintext methods (≥ roughly 96%) while delivering substantial reductions in communication and training time compared to FSS-only baselines, and it provides formal security arguments against FSHA and VIIA. Overall, the hybrid SL+FSS framework delivers practical privacy-preserving ML with strong protection against key leakage channels and improved efficiency for collaborative training.
Abstract
The popularity of Machine Learning (ML) makes the privacy of sensitive data more imperative than ever. Collaborative learning techniques like Split Learning (SL) aim to protect client data while enhancing ML processes. Though promising, SL has been proved to be vulnerable to a plethora of attacks, thus raising concerns about its effectiveness on data privacy. In this work, we introduce a hybrid approach combining SL and Function Secret Sharing (FSS) to ensure client data privacy. The client adds a random mask to the activation map before sending it to the servers. The servers cannot access the original function but instead work with shares generated using FSS. Consequently, during both forward and backward propagation, the servers cannot reconstruct the client's raw data from the activation map. Furthermore, through visual invertibility, we demonstrate that the server is incapable of reconstructing the raw image data from the activation map when using FSS. It enhances privacy by reducing privacy leakage compared to other SL-based approaches where the server can access client input information. Our approach also ensures security against feature space hijacking attack, protecting sensitive information from potential manipulation. Our protocols yield promising results, reducing communication overhead by over 2x and training time by over 7x compared to the same model with FSS, without any SL. Also, we show that our approach achieves >96% accuracy and remains equivalent to the plaintext models.