Table of Contents
Fetching ...

A Taxonomy of Attacks and Defenses in Split Learning

Aqsa Shabbir, Halil İbrahim Kanpak, Alptekin Küpçü, Sinem Sav

TL;DR

This paper introduces a taxonomy of attacks and defenses for Split Learning (SL) by organizing threats and mitigations along strategies, constraints, and effectiveness. It surveys data reconstruction, label inference, property inference, and model manipulation attacks across SL variants (VanSL, USL, NLSL, Hybrid-SL, MHSL) and data-partitioning schemes, and reviews defenses including differential privacy, secure computation (HE/FSS), architectural/protocol modifications, and detection techniques. It highlights persistent vulnerabilities at the SL cut layer and analyzes trade-offs among privacy, utility, and computational overhead, offering open research directions such as uncertainty-aware defenses, layered monitoring, and verifiable training. The work aims to guide practitioners and researchers in designing robust SL systems for privacy-preserving distributed learning.

Abstract

Split Learning (SL) has emerged as a promising paradigm for distributed deep learning, allowing resource-constrained clients to offload portions of their model computation to servers while maintaining collaborative learning. However, recent research has demonstrated that SL remains vulnerable to a range of privacy and security threats, including information leakage, model inversion, and adversarial attacks. While various defense mechanisms have been proposed, a systematic understanding of the attack landscape and corresponding countermeasures is still lacking. In this study, we present a comprehensive taxonomy of attacks and defenses in SL, categorizing them along three key dimensions: employed strategies, constraints, and effectiveness. Furthermore, we identify key open challenges and research gaps in SL based on our systematization, highlighting potential future directions.

A Taxonomy of Attacks and Defenses in Split Learning

TL;DR

This paper introduces a taxonomy of attacks and defenses for Split Learning (SL) by organizing threats and mitigations along strategies, constraints, and effectiveness. It surveys data reconstruction, label inference, property inference, and model manipulation attacks across SL variants (VanSL, USL, NLSL, Hybrid-SL, MHSL) and data-partitioning schemes, and reviews defenses including differential privacy, secure computation (HE/FSS), architectural/protocol modifications, and detection techniques. It highlights persistent vulnerabilities at the SL cut layer and analyzes trade-offs among privacy, utility, and computational overhead, offering open research directions such as uncertainty-aware defenses, layered monitoring, and verifiable training. The work aims to guide practitioners and researchers in designing robust SL systems for privacy-preserving distributed learning.

Abstract

Split Learning (SL) has emerged as a promising paradigm for distributed deep learning, allowing resource-constrained clients to offload portions of their model computation to servers while maintaining collaborative learning. However, recent research has demonstrated that SL remains vulnerable to a range of privacy and security threats, including information leakage, model inversion, and adversarial attacks. While various defense mechanisms have been proposed, a systematic understanding of the attack landscape and corresponding countermeasures is still lacking. In this study, we present a comprehensive taxonomy of attacks and defenses in SL, categorizing them along three key dimensions: employed strategies, constraints, and effectiveness. Furthermore, we identify key open challenges and research gaps in SL based on our systematization, highlighting potential future directions.
Paper Structure (68 sections, 31 equations, 8 figures, 2 tables)

This paper contains 68 sections, 31 equations, 8 figures, 2 tables.

Figures (8)

  • Figure 1: SL attack and defense timeline (2021–2025), with attacks on the top half and defenses on the bottom half. Attack and defense types are categorized into four groups, as shown in the legend. Attacks are represented with a colored background, while the corresponding defenses share the same color but are displayed without a background.
  • Figure 2: Overview of three key SL variants: Vanilla Split Learning, U-shaped Split Learning, and Split Federated Learning. The figure highlights their architectural distinctions, client-server roles, and the flow of forward and backward passes in training.
  • Figure 3: A taxonomy of attacks in SL categorizing attack vectors into: (1) Data Reconstruction, (2) Label Inference, (3) Property Inference, and (4) Model Manipulation Attacks.
  • Figure 4: The distribution of adversarial models of surveyed attacks in SL.
  • Figure 5: The distribution of defense mechanisms classified in the surveyed literature.
  • ...and 3 more figures