ProtoGuard-SL: Prototype Consistency Based Backdoor Defense for Vertical Split Learning

Yuhan Shui, Ruobin Jin, Zhihao Dou, Zhiqiang Gao

Abstract

Vertical split learning (SL) enables collaborative model training across parties holding complementary features without sharing raw data, but recent work has shown that it is highly vulnerable to poisoning-based backdoor attacks operating on intermediate embeddings. By compromising clients, adversaries can inject stealthy triggers that manipulate the server-side model while remaining difficult to detect, and existing defenses provide limited robustness against adaptive attacks. In this paper, we propose ProtoGuard-SL, a server-side defense that improves the robustness of split learning by exploiting class-conditional representation consistency in the embedding space. Our approach is motivated by the observation that benign embeddings within the same class exhibit stable semantic alignment, whereas poisoned embeddings inevitably disrupt this structure. ProtoGuard-SL adopts a two-stage framework that constructs robust class prototypes and transforms embeddings into a prototype-consistency representation, followed by a class-conditional, distribution-free conformal filtering strategy to identify and remove anomalous embeddings. Extensive experiments conducted on three datasets (CIFAR-10, SVHN, and Bank Marketing) under three different attack settings demonstrate that our method achieves state-of-the-art performance.
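To make the two-stage idea in the abstract concrete, the following is an added illustration written for this page, not the authors' code. It assumes a coordinate-wise median as the "robust prototype", 1 minus cosine similarity to the labelled class's prototype as the prototype-consistency score, and a per-class split-conformal quantile (with the usual (n+1) finite-sample correction) as the distribution-free filter; the batch of embeddings, the trigger and the target label are constructed sample data.

```python
import numpy as np

def class_prototypes(emb, labels, n_classes):
    """Coordinate-wise median per class (assumed robust estimator; the paper does not fix the choice)."""
    return np.stack([np.median(emb[labels == c], axis=0) for c in range(n_classes)])

def nonconformity(emb, labels, protos):
    """Prototype-consistency score: 1 - cosine similarity to the prototype of the claimed class."""
    p = protos[labels]
    cos = np.sum(emb * p, axis=1) / (np.linalg.norm(emb, axis=1) * np.linalg.norm(p, axis=1) + 1e-12)
    return 1.0 - cos

def class_conditional_thresholds(scores, labels, n_classes, alpha):
    """Split-conformal quantile per class at level 1 - alpha; no distributional assumption on the scores."""
    thr = np.empty(n_classes)
    for c in range(n_classes):
        s = np.sort(scores[labels == c])
        k = int(np.ceil((len(s) + 1) * (1.0 - alpha)))  # finite-sample correction
        thr[c] = s[min(k, len(s)) - 1]
    return thr

def filter_batch(emb, labels, n_classes, alpha=0.1):
    """Boolean mask over the batch: True = embedding inconsistent with its class, dropped before the server update."""
    protos = class_prototypes(emb, labels, n_classes)          # prototypes built on the possibly poisoned batch
    scores = nonconformity(emb, labels, protos)
    thr = class_conditional_thresholds(scores, labels, n_classes, alpha)
    return scores > thr[labels]

def demo():
    """Constructed batch: two classes in an 8-dim embedding space plus 10 poisoned embeddings that
    carry a fixed trigger direction but are labelled with the attacker's target class 1."""
    rng = np.random.default_rng(0)
    mu = np.zeros((2, 8)); mu[0, 0] = 1.0; mu[1, 1] = 1.0   # class means (assumed)
    benign = np.vstack([mu[c] + 0.1 * rng.standard_normal((100, 8)) for c in range(2)])
    benign_labels = np.repeat([0, 1], 100)
    trigger = np.zeros(8); trigger[2] = 0.5                 # constructed trigger direction
    poisoned = mu[0] + trigger + 0.1 * rng.standard_normal((10, 8))
    emb = np.vstack([benign, poisoned])
    labels = np.concatenate([benign_labels, np.ones(10, dtype=int)])
    flagged = filter_batch(emb, labels, n_classes=2, alpha=0.1)
    return {"poisoned_caught": int(flagged[200:].sum()),    # how many of the 10 poisoned rows were removed
            "benign_fpr": float(flagged[:200].mean())}      # fraction of benign rows removed (bounded by alpha)
```

The benign false-positive rate is bounded by alpha per class by construction, which is the cost a defender trades for catching embeddings that do not align with their claimed class.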

Paper Structure

This paper contains 19 sections, 5 equations, 2 figures, 4 tables, and 1 algorithm.

Figures (2)

  • Figure 1: Visualization of embedding distributions under backdoor attacks before and after prototype-consistency transformation. (a) and (b) show the embedding distributions in the original embedding space under the ViLLAIN and SplitNN attacks, respectively, where poisoned embeddings are highly overlapped with benign ones and thus difficult to distinguish. (c) and (d) illustrate the embedding distributions in the prototype-consistency representation space under the same attacks. After transforming embeddings based on their semantic consistency with class prototypes, poisoned samples become clearly separable from benign samples, highlighting the effectiveness of the proposed representation.
  • Figure 2: Impact of the total client number, where the CIFAR-10 dataset is considered.