Table of Contents
Fetching ...

SecureSplit: Mitigating Backdoor Attacks in Split Learning

Zhihao Dou, Dongfei Cui, Weida Wang, Anjun Gao, Yueyang Quan, Mengyao Ma, Viet Vo, Guangdong Bai, Zhuqing Liu, Minghong Fang

TL;DR

SecureSplit tackles backdoor threats in Split Learning by reshaping the embedding space to amplify differences between benign and poisoned embeddings and then applying an adaptive majority-based filter to remove contaminated embeddings. The defense combines a two-step embedding transformation (UMAP dimensionality reduction followed by PKT expansion) with a robust filtering rule based on a median center and an adaptive radius, ensuring most poisoned embeddings are discarded while preserving clean ones. Extensive experiments across CIFAR-10, MNIST, CINIC-10, and ImageNette under five attack scenarios and seven baselines demonstrate that SecureSplit achieves higher accuracy and substantially lower attack success rates, with robustness to varying poison rates, trigger magnitudes, and non-IID settings, and with minimal computational overhead. The approach offers a practical, data-privacy-preserving defense for SL in realistic deployments, including adaptations to U-shaped SL, and establishes a strong baseline for future defenses in vertically partitioned, privacy-conscious collaborative learning.

Abstract

Split Learning (SL) offers a framework for collaborative model training that respects data privacy by allowing participants to share the same dataset while maintaining distinct feature sets. However, SL is susceptible to backdoor attacks, in which malicious clients subtly alter their embeddings to insert hidden triggers that compromise the final trained model. To address this vulnerability, we introduce SecureSplit, a defense mechanism tailored to SL. SecureSplit applies a dimensionality transformation strategy to accentuate subtle differences between benign and poisoned embeddings, facilitating their separation. With this enhanced distinction, we develop an adaptive filtering approach that uses a majority-based voting scheme to remove contaminated embeddings while preserving clean ones. Rigorous experiments across four datasets (CIFAR-10, MNIST, CINIC-10, and ImageNette), five backdoor attack scenarios, and seven alternative defenses confirm the effectiveness of SecureSplit under various challenging conditions.

SecureSplit: Mitigating Backdoor Attacks in Split Learning

TL;DR

SecureSplit tackles backdoor threats in Split Learning by reshaping the embedding space to amplify differences between benign and poisoned embeddings and then applying an adaptive majority-based filter to remove contaminated embeddings. The defense combines a two-step embedding transformation (UMAP dimensionality reduction followed by PKT expansion) with a robust filtering rule based on a median center and an adaptive radius, ensuring most poisoned embeddings are discarded while preserving clean ones. Extensive experiments across CIFAR-10, MNIST, CINIC-10, and ImageNette under five attack scenarios and seven baselines demonstrate that SecureSplit achieves higher accuracy and substantially lower attack success rates, with robustness to varying poison rates, trigger magnitudes, and non-IID settings, and with minimal computational overhead. The approach offers a practical, data-privacy-preserving defense for SL in realistic deployments, including adaptations to U-shaped SL, and establishes a strong baseline for future defenses in vertically partitioned, privacy-conscious collaborative learning.

Abstract

Split Learning (SL) offers a framework for collaborative model training that respects data privacy by allowing participants to share the same dataset while maintaining distinct feature sets. However, SL is susceptible to backdoor attacks, in which malicious clients subtly alter their embeddings to insert hidden triggers that compromise the final trained model. To address this vulnerability, we introduce SecureSplit, a defense mechanism tailored to SL. SecureSplit applies a dimensionality transformation strategy to accentuate subtle differences between benign and poisoned embeddings, facilitating their separation. With this enhanced distinction, we develop an adaptive filtering approach that uses a majority-based voting scheme to remove contaminated embeddings while preserving clean ones. Rigorous experiments across four datasets (CIFAR-10, MNIST, CINIC-10, and ImageNette), five backdoor attack scenarios, and seven alternative defenses confirm the effectiveness of SecureSplit under various challenging conditions.
Paper Structure (21 sections, 6 equations, 13 figures, 7 tables, 2 algorithms)

This paper contains 21 sections, 6 equations, 13 figures, 7 tables, 2 algorithms.

Figures (13)

  • Figure 1: Split learning under backdoor attack.
  • Figure 2: Illustration of our SecureSplit.
  • Figure 3: Separation ratio on different embedding sets.
  • Figure 4: Impact of the poison rate, where CIFAR-10 dataset is considered.
  • Figure 5: Impact of the trigger magnitude, where CIFAR-10 dataset is considered.
  • ...and 8 more figures