A Stealthy Wrongdoer: Feature-Oriented Reconstruction Attack against Split Learning

Xiaoyang Xu, Mengda Yang, Wenzhe Yi, Ziang Li, Juan Wang, Hongxin Hu, Yong Zhuang, Yaxin Liu

TL;DR

This paper introduces a new semi-honest Data Reconstruction Attack on SL, named Feature-Oriented Reconstruction Attack (FORA), which relies on limited prior knowledge, specifically that the server utilizes auxiliary samples from the public without knowing any client's private information.

Abstract

Split Learning (SL) is a distributed learning framework renowned for its privacy-preserving features and minimal computational requirements. Previous research consistently highlights the potential privacy breaches in SL systems by server adversaries reconstructing training data. However, these studies often rely on strong assumptions or compromise system utility to enhance attack performance. This paper introduces a new semi-honest Data Reconstruction Attack on SL, named Feature-Oriented Reconstruction Attack (FORA). In contrast to prior works, FORA relies on limited prior knowledge, specifically that the server utilizes auxiliary samples from the public without knowing any client's private information. This allows FORA to conduct the attack stealthily and achieve robust performance. The key vulnerability exploited by FORA is the revelation of the model representation preference in the smashed data output by the victim client. FORA constructs a substitute client through feature-level transfer learning, aiming to closely mimic the victim client's representation preference. Leveraging this substitute client, the server trains the attack model to effectively reconstruct private data. Extensive experiments showcase FORA's superior performance compared to state-of-the-art methods. Furthermore, the paper systematically evaluates the proposed method's applicability across diverse settings and advanced defense strategies.

Paper Structure (26 sections, 7 equations, 15 figures, 11 tables)


Figures (15)

  • Figure 1: Architecture of two-part split learning.
  • Figure 2: Input image and behavior visualization by Grad-CAM (Selvaraju et al., 2017). All the models are trained on CelebA with the task of smiling classification. The figure displays the original images and the representation preferences of three models trained under the same hyperparameter settings but with different random seeds.
  • Figure 3: Attack pipeline of Feature-Oriented Reconstruction Attack (FORA) against SL. (a) shows the substitute model training phase. The attacker constructs a substitute model $\hat{F_c}$ using $\mathcal{L}_{DISC}$ and $\mathcal{L}_{MK-MMD}$ to mimic the behavior of the client model $F_c$. (b) shows the training of an inverse network $f^{-1}_{c}$ using public data $X_{aux}$. (c) shows the final attack phase, in which the attack model reconstructs training data from a snapshot $Z_{snap}$ of the target smashed data.
  • Figure 4: Attack performance comparison of FSHA (Pasquini et al., 2021) and FORA on CIFAR-10 with layer 2. (a) shows the detection scores of the two attacks as detected by GS. (b) shows the reconstruction results of the two attacks; FSHA-GS denotes the images reconstructed when detected by GS.
  • Figure 5: Effects of varying auxiliary data size on FORA performed on CIFAR-10 and CelebA at layer 2.
  • ...and 10 more figures