
VFLIP: A Backdoor Defense for Vertical Federated Learning via Identification and Purification

Yungi Cho, Woorim Han, Miseon Yu, Younghan Lee, Ho Bae, Yunheung Paek

TL;DR

This work addresses backdoor vulnerabilities in Vertical Federated Learning (VFL) by introducing VFLIP, an inference-time defense that operates with a Masked Auto-Encoder (MAE). VFLIP identifies backdoor-triggered embeddings via participant-wise anomaly scores and majority voting, then purifies the embeddings by removing malicious ones and reconstructing the rest with MAE before the top model prediction. The approach offers two MAE training strategies, standardization and dropout, and relies on anomaly-score thresholds derived from clean training data. Across five diverse datasets, VFLIP substantially reduces attack success rates with only modest reductions in clean accuracy, and remains robust under multi-attacker and adaptive attack scenarios, highlighting its practical potential for VFL-based deployments.

Abstract

Vertical Federated Learning (VFL) focuses on handling vertically partitioned data over FL participants. Recent studies have discovered a significant vulnerability in VFL to backdoor attacks which specifically target the distinct characteristics of VFL. Therefore, these attacks may neutralize existing defense mechanisms designed primarily for Horizontal Federated Learning (HFL) and deep neural networks. In this paper, we present the first backdoor defense, called VFLIP, specialized for VFL. VFLIP employs the identification and purification techniques that operate at the inference stage, consequently improving the robustness against backdoor attacks to a great extent. VFLIP first identifies backdoor-triggered embeddings by adopting a participant-wise anomaly detection approach. Subsequently, VFLIP conducts purification which removes the embeddings identified as malicious and reconstructs all the embeddings based on the remaining embeddings. We conduct extensive experiments on CIFAR10, CINIC10, Imagenette, NUS-WIDE, and BankMarketing to demonstrate that VFLIP can effectively mitigate backdoor attacks in VFL.

Code: https://github.com/blingcho/VFLIP-esorics24
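The TL;DR and abstract describe the inference-time pipeline in words: per-participant anomaly scores, thresholds derived from clean data, majority voting, removal of flagged embeddings, and reconstruction of all embeddings from the ones that remain. The following is an added illustration of that pipeline, not code from the paper or its repository. It replaces the paper's Masked Auto-Encoder with a nearest-neighbour reconstructor over a memory of clean embeddings (a stand-in chosen so the script runs offline with no ML framework), uses constructed 2-D embeddings for four participants that are affine views of one shared latent, and derives each (target, source) threshold as the worst clean calibration score times a margin; the class and function names are hypothetical.

```python
import random
from typing import Dict, List, Sequence, Tuple

Vec = Tuple[float, ...]
Sample = List[Vec]  # one embedding per participant, indexed by party id


def _dist(a: Vec, b: Vec) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


def make_clean_samples(n: int, n_parties: int = 4, seed: int = 0) -> List[Sample]:
    """Constructed clean data: each party's 2-D embedding is a different affine
    view of one shared latent z, plus small noise (hypothetical distribution)."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        z = (rng.uniform(-1, 1), rng.uniform(-1, 1))
        sample = []
        for p in range(n_parties):
            e = tuple((p + 1) * z[d] + 0.5 * p * z[1 - d] + rng.gauss(0, 0.02)
                      for d in range(2))
            sample.append(e)
        out.append(sample)
    return out


class NNReconstructor:
    """Stand-in for the paper's MAE (assumption): rebuild party `target`'s
    embedding from the unmasked parties `sources` by nearest-neighbour lookup
    in a memory of clean samples. Masked parties never influence the lookup."""

    def __init__(self, memory: List[Sample]):
        self.memory = memory

    def reconstruct(self, sample: Sample, target: int, sources: Sequence[int]) -> Vec:
        best = min(self.memory,
                   key=lambda m: sum(_dist(m[s], sample[s]) for s in sources))
        return best[target]


class VFLIPDefense:
    def __init__(self, memory: List[Sample], calibration: List[Sample], margin: float = 1.2):
        self.rec = NNReconstructor(memory)
        self.n = len(memory[0])
        # Threshold per (target, source) pair from clean calibration data:
        # worst clean reconstruction error times a safety margin (our choice).
        self.thresholds: Dict[Tuple[int, int], float] = {}
        for i in range(self.n):
            for j in range(self.n):
                if i != j:
                    worst = max(self.score(s, i, j) for s in calibration)
                    self.thresholds[(i, j)] = worst * margin

    def score(self, sample: Sample, target: int, source: int) -> float:
        """Participant-wise anomaly score: how badly party `source` alone
        predicts party `target`'s submitted embedding."""
        return _dist(sample[target], self.rec.reconstruct(sample, target, [source]))

    def identify(self, sample: Sample) -> List[int]:
        """Each other party votes on party i; a strict majority flags it."""
        flagged = []
        for i in range(self.n):
            votes = sum(self.score(sample, i, j) > self.thresholds[(i, j)]
                        for j in range(self.n) if j != i)
            if votes > (self.n - 1) / 2:
                flagged.append(i)
        return flagged

    def purify(self, sample: Sample) -> Tuple[Sample, List[int]]:
        """Drop flagged embeddings, then rebuild every embedding from the rest."""
        flagged = self.identify(sample)
        kept = [p for p in range(self.n) if p not in flagged]
        if not kept:  # nothing trustworthy left to rebuild from; pass through
            return list(sample), flagged
        return [self.rec.reconstruct(sample, i, kept) for i in range(self.n)], flagged


def build_defense(seed: int = 0) -> Tuple[VFLIPDefense, List[Sample]]:
    clean = make_clean_samples(500, seed=seed)
    return VFLIPDefense(memory=clean[:400], calibration=clean[400:]), clean


def demo() -> dict:
    defense, clean = build_defense()
    victim = clean[450]                 # a calibration sample, known clean
    poisoned = list(victim)
    poisoned[0] = (8.0, -8.0)           # constructed out-of-distribution embedding
                                        # standing in for a triggered submission
    purified, flagged = defense.purify(poisoned)
    return {"clean_flags": defense.identify(victim),
            "poisoned_flags": flagged,
            "recovery_error": _dist(purified[0], victim[0])}


if __name__ == "__main__":
    print(demo())
```

The two properties worth checking on a defense like this are the ones the TL;DR reports for VFLIP: the known-clean sample produces no flags, while the sample with one anomalous party is flagged for that party only, and the purified embedding for that party lands close to what the party would have submitted cleanly. With four participants a party needs two of the three other votes to be removed, so a single corrupted party cannot get an honest one excluded.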

Paper Structure

This paper contains 27 sections, 5 equations, 13 figures, 5 tables.

Figures (13)

  • Figure 1: An illustration of VFL with the split neural network
  • Figure 2: A brief summary of VFLIP. VFLIP identifies the backdoor-triggered embeddings and purifies all the embeddings through removal and reconstruction.
  • Figure 3: An overview of VFLIP. VFLIP calculates the anomaly scores for each embedding with the MAE. The voting mechanism is conducted based on the anomaly scores to determine whether an embedding is malicious. Embeddings identified as malicious are removed, and then all the embeddings are reconstructed through the MAE.
  • Figure 4: VFLIP MAE Training
  • Figure 5: VFLIP mechanism
  • ...and 8 more figures