On the Inference (In-)Security of Vertical Federated Learning: Efficient Auditing against Inference Tampering Attack

TL;DR

A novel Vertical Federated Inference Tampering (VeFIT) attack, allowing the data party to covertly tamper with the local inference and mislead results on the task party's final prediction, and a Vertical Federated Inference Auditing (VeFIA) framework, which helps the task party to audit whether the data party's inferences are executed as expected during large-scale online inference.

Abstract

Vertical Federated Learning (VFL) is an emerging distributed learning paradigm for cross-silo collaboration without accessing participants' data. However, existing VFL work lacks a mechanism to audit the inference correctness of the data party. The malicious data party can modify the local data and model to mislead the joint inference results. To exploit this vulnerability, we design a novel Vertical Federated Inference Tampering (VeFIT) attack, allowing the data party to covertly tamper with the local inference and mislead results on the task party's final prediction. VeFIT can decrease the task party's inference accuracy by an average of 34.49%. Existing defense mechanisms can not effectively detect this attack, and the detection performance is near random guessing. To mitigate the attack, we further design a Vertical Federated Inference Auditing (VeFIA) framework. VeFIA helps the task party to audit whether the data party's inferences are executed as expected during large-scale online inference. VeFIA does not leak the data party's privacy nor introduce additional latency. The core design is that the task party can use the inference results from a framework with Trusted Execution Environments (TEE) and the coordinator to validate the correctness of the data party's computation results. VeFIA guarantees that, as long as the proportion of inferences attacked by VeFIT exceeds 5.4%, the task party can detect the malicious behavior of the data party with a probability of 99.99%, without any additional online overhead. VeFIA's random sampling validation of VeFIA achieves 100% positive predictive value, negative predictive value, and true positive rate in detecting VeFIT. We further validate VeFIA's effectiveness in terms of privacy protection and scalability on real-world datasets. To the best of our knowledge, this is the first paper discussing the inference auditing problem towards VFL.

Figures (9)

• Figure 1: The pipeline of the typical VFL process. Purple solid and red dashed arrows represent forward and backward dataflow, respectively.
• Figure 2: The pipeline of VeFIT. In the offline preparation phase, $\mathcal{P}_d$ trains the adversarial noises $\delta_x$ and $\delta_f$. In the online attack phase, $\mathcal{P}_d$ uses $\delta_x$ and $\delta_f$ to tamper with local inference and attack joint inference of $\mathcal{P}_t$.
• Figure 3: Workflow of VeFIA. ① $\mathcal{P}_d$ adopts privacy-aware training to produce $f_d^{sm}$ and $\sigma$, which are sent to TEE, and $f_d^{dm}$, which is sent to $\mathcal{C}$. ② $\mathcal{P}_d$ performs untrusted inference and transmits the results to $\mathcal{P}_t$. ③ TEE performs model and data validation, and conducts trusted collaborative inference with $\mathcal{C}$, and sends results to $\mathcal{P}_t$. ④ $\mathcal{P}_t$ uses the trusted inference results to audit the authenticity of the untrusted inference.
• Figure 4: The change of detection success rate (DSR) with different $K$ (left) and $N$ (right).
• Figure 5: The scenario comparison between HFL and VFL.

Theorems & Definitions (3)

• lemma 1
• theorem 1
• theorem 2