HealSplit: Towards Self-Healing through Adversarial Distillation in Split Federated Learning

Yuhan Xie, Chen Lyu

TL;DR

HealSplit addresses poisoning vulnerabilities in Split Federated Learning with a unified defense that protects smashed data through topology-aware detection, semantically consistent substitutes generated by GANs, and a consistency-validated student trained via adversarial multi-teacher distillation. The framework uses a topological anomaly score (TAS) computed on a $k$-NN graph, an anomaly-aware gradient interaction mechanism, and a momentum-adaptive distillation strategy to balance semantic and anomaly signals, with theoretical backing showing reduced gradient variance on the server. Empirical results on four benchmark datasets demonstrate superior robustness and generalization against diverse and adaptive attacks, outperforming ten state-of-the-art defenses. HealSplit thus offers a practical, attack-agnostic, end-to-end solution for enhancing the security and reliability of SFL in privacy-preserving distributed learning settings.

Abstract

Split Federated Learning (SFL) is an emerging paradigm for privacy-preserving distributed learning. However, it remains vulnerable to sophisticated data poisoning attacks targeting local features, labels, smashed data, and model weights. Existing defenses, primarily adapted from traditional Federated Learning (FL), are less effective under SFL due to limited access to complete model updates. This paper presents HealSplit, the first unified defense framework tailored for SFL, offering end-to-end detection and recovery against five sophisticated types of poisoning attacks. HealSplit comprises three key components: (1) a topology-aware detection module that constructs graphs over smashed data to identify poisoned samples via topological anomaly scoring (TAS); (2) a generative recovery pipeline that synthesizes semantically consistent substitutes for detected anomalies, validated by a consistency validation student; and (3) an adversarial multi-teacher distillation framework that trains the student using semantic supervision from a Vanilla Teacher and anomaly-aware signals from an Anomaly-Influence Debiasing (AD) Teacher, guided by the alignment between topological and gradient-based interaction matrices. Extensive experiments on four benchmark datasets demonstrate that HealSplit consistently outperforms ten state-of-the-art defenses, achieving superior robustness and defense effectiveness across diverse attack scenarios.
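To make the detection idea in component (1) concrete, the following added example (not the paper's code) scores smashed-data vectors on a $k$-NN graph and flags outliers on the server side. The page does not give the TAS formula, so the score here is a simplified LOF-style stand-in; the function names, the threshold rule and the sample vectors are all assumptions constructed for illustration.

```python
import math
import random

def knn_graph(points, k):
    """For each vector, return its k nearest neighbours as (distance, index)."""
    graph = []
    for i, p in enumerate(points):
        dists = sorted((math.dist(p, q), j) for j, q in enumerate(points) if j != i)
        graph.append(dists[:k])
    return graph

def anomaly_scores(points, k=5):
    """Stand-in score (not the paper's TAS): a node's mean k-NN distance
    divided by the average of its neighbours' mean k-NN distances."""
    graph = knn_graph(points, k)
    mean_d = [sum(d for d, _ in nbrs) / k for nbrs in graph]
    scores = []
    for i, nbrs in enumerate(graph):
        ref = sum(mean_d[j] for _, j in nbrs) / k
        scores.append(mean_d[i] / (ref + 1e-12))
    return scores

def flag_poisoned(points, k=5, z=3.0):
    """Flag indices whose score exceeds median + z * scaled MAD."""
    s = anomaly_scores(points, k)
    med = sorted(s)[len(s) // 2]
    mad = sorted(abs(x - med) for x in s)[len(s) // 2]
    return [i for i, x in enumerate(s) if x > med + z * 1.4826 * mad]

def make_sample(seed=0):
    """Constructed data: 60 clean 8-d smashed vectors in two class clusters,
    plus 3 vectors pushed off the class manifold to mimic poisoning."""
    rng = random.Random(seed)
    clean = [[rng.gauss(c, 0.3) for _ in range(8)]
             for c in (0.0, 3.0) for _ in range(30)]
    poisoned = []
    for i in range(3):
        v = [rng.gauss(3.0, 0.3) for _ in range(8)]
        v[i] += 6.0  # large shift along one feature dimension
        poisoned.append(v)
    return clean + poisoned, [60, 61, 62]

if __name__ == "__main__":
    pts, poisoned_idx = make_sample()
    print("flagged:", flag_poisoned(pts), "expected to include:", poisoned_idx)
```

In the framework described above, flagged samples would then be replaced by generated substitutes rather than simply dropped; that recovery step is not modelled here.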

Paper Structure

This paper contains 34 sections, 1 theorem, 15 equations, 10 figures, 3 tables.

Key Result

Theorem 1

Under the SGV framework (Definition SGV), if the ratio of clean samples in a client's dataset satisfies: $\frac{m_n}{m_n + \widehat{m}_n} = \frac{M}{M + \widehat{M}},$ then the robust objective $\widehat{F}(\theta_s)$ bounds the gradient dissimilarity: $\text{SGV}(\widehat{F}, \theta_s) = \frac{\alp

Figures (10)

  • Figure 1: The framework of HealSplit. HealSplit first detects poisoned samples using a KNN-based TAS, and then employs a GAN to generate substitute smashed data. These substitutes are subsequently validated by a consistency validation student model, which is trained via adversarial multi-teacher distillation to ensure semantically consistent substitution.
  • Figure 2: Identification of poisoned data.
  • Figure 3: Distribution of smashed data.
  • Figure 4: Detection rate across classes.
  • Figure 6: Defense efficacy across varying client numbers. The circles represent the number of update rounds for the defense model.
  • ...and 5 more figures

Theorems & Definitions (2)

  • Definition 1
  • Theorem 1