Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Constructing Adversarial Examples for Vertical Federated Learning: Optimal Client Corruption through Multi-Armed Bandit

Duanyi Yao, Songze Li, Ye Xue, Jin Liu

TL;DR

This work analyzes adversarial vulnerability in vertical federated learning (VFL) where an adaptive attacker can corrupt up to $C$ clients during inference. It decomposes the attack into an inner adversarial-example generation (AEG) problem solved by natural evolution strategies (NES) and an outer corruption-pattern selection (CPS) problem cast as a combinatorial multi-armed bandit (MAB); a novel Thompson sampling variant, called Thompson sampling with empirical maximum reward (E-TS), confines exploration to competitive arms and provides a practical regret bound. Theoretical results show that non-competitive arms incur constant exploration while competitive arms yield logarithmic-in-$T$ regret, yielding an overall bound that scales with the number of competitive arms. Empirically, E-TS achieves high attack success rates across six VFL tasks, converges faster than baselines, and remains effective under defenses such as manifold projection, underscoring security implications for VFL deployments.

Abstract

Vertical federated learning (VFL), where each participating client holds a subset of data features, has found numerous applications in finance, healthcare, and IoT systems. However, adversarial attacks, particularly through the injection of adversarial examples (AEs), pose serious challenges to the security of VFL models. In this paper, we investigate such vulnerabilities through developing a novel attack to disrupt the VFL inference process, under a practical scenario where the adversary is able to adaptively corrupt a subset of clients. We formulate the problem of finding optimal attack strategies as an online optimization problem, which is decomposed into an inner problem of adversarial example generation (AEG) and an outer problem of corruption pattern selection (CPS). Specifically, we establish the equivalence between the formulated CPS problem and a multi-armed bandit (MAB) problem, and propose the Thompson sampling with Empirical maximum reward (E-TS) algorithm for the adversary to efficiently identify the optimal subset of clients for corruption. The key idea of E-TS is to introduce an estimation of the expected maximum reward for each arm, which helps to specify a small set of competitive arms, on which the exploration for the optimal arm is performed. This significantly reduces the exploration space, which otherwise can quickly become prohibitively large as the number of clients increases. We analytically characterize the regret bound of E-TS, and empirically demonstrate its capability of efficiently revealing the optimal corruption pattern with the highest attack success rate, under various datasets of popular VFL tasks.

Constructing Adversarial Examples for Vertical Federated Learning: Optimal Client Corruption through Multi-Armed Bandit

TL;DR

This work analyzes adversarial vulnerability in vertical federated learning (VFL) where an adaptive attacker can corrupt up to clients during inference. It decomposes the attack into an inner adversarial-example generation (AEG) problem solved by natural evolution strategies (NES) and an outer corruption-pattern selection (CPS) problem cast as a combinatorial multi-armed bandit (MAB); a novel Thompson sampling variant, called Thompson sampling with empirical maximum reward (E-TS), confines exploration to competitive arms and provides a practical regret bound. Theoretical results show that non-competitive arms incur constant exploration while competitive arms yield logarithmic-in- regret, yielding an overall bound that scales with the number of competitive arms. Empirically, E-TS achieves high attack success rates across six VFL tasks, converges faster than baselines, and remains effective under defenses such as manifold projection, underscoring security implications for VFL deployments.

Abstract

Vertical federated learning (VFL), where each participating client holds a subset of data features, has found numerous applications in finance, healthcare, and IoT systems. However, adversarial attacks, particularly through the injection of adversarial examples (AEs), pose serious challenges to the security of VFL models. In this paper, we investigate such vulnerabilities through developing a novel attack to disrupt the VFL inference process, under a practical scenario where the adversary is able to adaptively corrupt a subset of clients. We formulate the problem of finding optimal attack strategies as an online optimization problem, which is decomposed into an inner problem of adversarial example generation (AEG) and an outer problem of corruption pattern selection (CPS). Specifically, we establish the equivalence between the formulated CPS problem and a multi-armed bandit (MAB) problem, and propose the Thompson sampling with Empirical maximum reward (E-TS) algorithm for the adversary to efficiently identify the optimal subset of clients for corruption. The key idea of E-TS is to introduce an estimation of the expected maximum reward for each arm, which helps to specify a small set of competitive arms, on which the exploration for the optimal arm is performed. This significantly reduces the exploration space, which otherwise can quickly become prohibitively large as the number of clients increases. We analytically characterize the regret bound of E-TS, and empirically demonstrate its capability of efficiently revealing the optimal corruption pattern with the highest attack success rate, under various datasets of popular VFL tasks.
Paper Structure (22 sections, 6 theorems, 22 equations, 9 figures, 1 table, 2 algorithms)

This paper contains 22 sections, 6 theorems, 22 equations, 9 figures, 1 table, 2 algorithms.

Table of Contents

  1. Introduction
  2. Preliminaries
  3. Threat Model
  4. Problem Definition
  5. Methodology
  6. AE generation by solving the AEG problem
  7. Thompson sampling with the empirical maximum reward for solving the CPS problem
  8. Regret Analysis
  9. Experimental Evaluations
  10. Setup
  11. Results
  12. Related work
  13. Conclusion
  14. AE generation algorithm
  15. Proofs in Section Regret analysis
  16. ...and 7 more sections

Key Result

Lemma 1

Under the above assumption, for a non-competitive arm $k^{nc}\neq 1$ with $\Tilde{\Delta}_{k^{nc},1}<0$, the expected number of pulling times in $T$ rounds, i,e., $\mathbb{E}[n_{k^{nc}}(T)]$, is bounded by $\mathbb{E}[n_{k^{nc}}(T)] \leq \mathcal{O}(1).$

Figures (9)

  • Figure 1: Attack performance on six datasets of distinct VFL tasks.
  • Figure 2: Attack performance on FashionMNIST under different defense strategies.
  • Figure 3: Targeted attack performance on FashionMNIST using different parameters.
  • Figure 4: Targeted attack performance on FashionMNIST with larger search space
  • Figure 5: ASR using different number of corrupted clients.
  • ...and 4 more figures

Theorems & Definitions (18)

  • Definition 1: Competitive arm
  • Definition 2: Empirical best arm and empirical maximum reward
  • Remark 1
  • Lemma 1: Expected pulling times of a non-competitive arm
  • Lemma 2: Expected pulling times of a competitive but sub-optimal arm
  • Theorem 1: Upper bound on expected regret of E-TS
  • proof : Proof sketch
  • Remark 2
  • Definition 3: Events $E_1(t)$ and $E_2(t)$
  • Lemma 3
  • ...and 8 more