SafeSplit: A Novel Defense Against Client-Side Backdoor Attacks in Split Learning (Full Version)

Phillip Rieger, Alessandro Pegoraro, Kavita Kumari, Tigist Abera, Jonathan Knauer, Ahmad-Reza Sadeghi

TL;DR

This paper tackles client-side backdoor attacks in Split Learning (SL) by introducing SafeSplit, a server-side defense that performs circular rollback to benign backbone checkpoints. SafeSplit combines static frequency-domain analysis via a 2-D Discrete Cosine Transform and a dynamic rotational distance metric to detect poisoned updates, selecting a benign checkpoint and skipping malicious contributions without permanently excluding clients. The evaluation shows that SafeSplit dramatically reduces Backdoor Accuracy (BA) to near 0% across semantic and pixel triggers while preserving Main Task Accuracy (MA) across multiple datasets (CIFAR-10, MNIST, FMNIST, GTSRB, CIFAR-100) and architectures (ResNet-18, GoogLeNet, VGG11, Wide-ResNet50, MicronNet), even under adaptive attacks. Compared with defenses adapted from Federated Learning, SafeSplit provides robust backdoor mitigation tailored to SL’s sequential training, with a practical runtime and generalization across data distributions and model sizes. This work establishes SafeSplit as a foundational approach for securing SL deployments against client-side backdoors, enabling safer privacy-preserving collaborative learning in resource-constrained settings.

Abstract

Split Learning (SL) is a distributed deep learning approach enabling multiple clients and a server to collaboratively train and infer on a shared deep neural network (DNN) without requiring clients to share their private local data. The DNN is partitioned in SL, with most layers residing on the server and a few initial layers and inputs on the client side. This configuration allows resource-constrained clients to participate in training and inference. However, the distributed architecture exposes SL to backdoor attacks, where malicious clients can manipulate local datasets to alter the DNN's behavior. Existing defenses from other distributed frameworks like Federated Learning are not applicable, and there is a lack of effective backdoor defenses specifically designed for SL. We present SafeSplit, the first defense against client-side backdoor attacks in Split Learning (SL). SafeSplit enables the server to detect and filter out malicious client behavior by employing circular backward analysis after a client's training is completed, iteratively reverting to a trained checkpoint where the model under examination is found to be benign. It uses a two-fold analysis to identify client-induced changes and detect poisoned models. First, a static analysis in the frequency domain measures the differences in the layer's parameters at the server. Second, a dynamic analysis introduces a novel rotational distance metric that assesses the orientation shifts of the server's layer parameters during training. Our comprehensive evaluation across various data distributions, client counts, and attack scenarios demonstrates the high efficacy of this dual analysis in mitigating backdoor attacks while preserving model utility.

Paper Structure: 33 sections, 16 equations, 11 figures, 6 tables, 1 algorithm

Figures (11)

  • Figure 1: Comparison of splitting the Deep Neural Network (DNN) F into head ($H$), backbone ($B$), and tail ($T$), such that $F\equiv H\circ B \circ T$. The head and tail are located on the client side, and the backbone is on the server side.
  • Figure 2: Overview of a Split Learning (SL) system that utilizes data from mobile devices but executes the computation-heavy backbone ($B$) on a cloud server, while all clients $C_1, \ldots, C_N$ provide their data $D_i$, host the head $H$ and tail $T$, and calculate the loss $\mathcal{L}$.
  • Figure 3: Workflow of SafeSplit to skip poisoned models based on an analysis of the models in the frequency domain and their rotational displacement. The workflow is shown for an example scenario consisting of 4 clients.
  • Figure 4: Overview of SafeSplit, using the latest backbone model $B_t$ and the previous backbones $B_{t-N+1}, \ldots, B_{t-1}$ to determine the Rotation Displacement Metric values $R_{t-N+1}, \ldots, R_t$ and the Euclidean Distance Neighborhood Scores, before returning the index of the most recent backbone $L_i$ that is among the $N/2+1$ lowest values $R_{L_1}, \ldots, R_{L_{N/2+1}}$ and $E_{L_1}, \ldots, E_{L_{N/2+1}}$.
  • Figure 5: BA and MA for different participant numbers.
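As an added illustration (not the paper's code), the selection rule from the Figure 4 caption carried out on constructed toy checkpoints: the most recent backbone that ranks among the $N/2+1$ lowest rotational values and the $N/2+1$ lowest frequency-domain distances is kept, and later ones are skipped. The concrete definitions of R (angle between consecutive backbones' flattened parameters) and E (mean Euclidean distance between a backbone's 2-D DCT coefficients and those of the other candidates) are assumptions, since the page does not give the paper's formulas.

```python
import math

# Added example, not the paper's code. Toy version of the checkpoint selection
# sketched in the abstract and Figure 4. How R (rotational distance) and E
# (Euclidean neighbourhood score in the DCT domain) are defined is assumed here;
# the paper's own formulas are not on this page.

def flatten(m):
    return [x for row in m for x in row]

def rotational_distance(a, b):
    """Assumed R: angle in radians between the flattened parameters of two backbones."""
    va, vb = flatten(a), flatten(b)
    dot = sum(x * y for x, y in zip(va, vb))
    norm = math.sqrt(sum(x * x for x in va)) * math.sqrt(sum(x * x for x in vb))
    return math.acos(max(-1.0, min(1.0, dot / norm)))

def dct2(m):
    """Unnormalised 2-D DCT-II of one weight matrix (the static, frequency-domain view)."""
    rows, cols = len(m), len(m[0])
    return [[sum(m[i][j]
                 * math.cos(math.pi * (2 * i + 1) * u / (2 * rows))
                 * math.cos(math.pi * (2 * j + 1) * v / (2 * cols))
                 for i in range(rows) for j in range(cols))
             for v in range(cols)] for u in range(rows)]

def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(flatten(a), flatten(b))))

def select_benign_backbone(backbones):
    """backbones[0] is the checkpoint preceding the window; backbones[1:] are the
    N candidates B_{t-N+1} .. B_t (index N is the latest). Returns the index of
    the most recent candidate ranked among the N//2+1 lowest R and lowest E."""
    n = len(backbones) - 1
    cands = list(range(1, n + 1))
    R = {i: rotational_distance(backbones[i], backbones[i - 1]) for i in cands}
    spectra = {i: dct2(backbones[i]) for i in cands}
    E = {i: sum(euclid(spectra[i], spectra[j]) for j in cands if j != i) / max(n - 1, 1)
         for i in cands}
    k = n // 2 + 1
    low_r = set(sorted(cands, key=R.get)[:k])
    low_e = set(sorted(cands, key=E.get)[:k])
    # two subsets of size N//2+1 of N candidates always intersect (pigeonhole)
    return max(low_r & low_e)

# Constructed toy backbones: 2x2 weight matrices; index 0 is the predecessor.
BENIGN = [[[1.0, 0.0], [0.0, 1.0]], [[1.0, 0.1], [0.0, 1.0]], [[1.0, 0.1], [0.1, 1.0]],
          [[1.1, 0.1], [0.1, 1.0]], [[1.1, 0.1], [0.1, 1.05]]]
POISONED = BENIGN[:4] + [[[0.0, 2.0], [2.0, 0.0]]]  # last client's update rotates the weights

if __name__ == "__main__":
    print(select_benign_backbone(BENIGN), select_benign_backbone(POISONED))  # 4 3
```

With all four updates benign the latest checkpoint (index 4) is kept; when the last client's update swings the parameter orientation, the server rolls back to checkpoint 3 without excluding that client from future rounds.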