The paper introduces DMAVFL, a novel malicious data reconstruction attack on vertical federated learning (VFL) that penetrates existing defenses. Unlike prior approaches that rely on a plain discriminator, DMAVFL trains a discriminator with an auxiliary classifier (DAC), which significantly improves embedding-distribution transfer and attack performance while making the malicious gradients indistinguishable from those produced by honest training.
The key steps of DMAVFL are:
Pretraining: The adversary pretrains an encoder, a decoder, and its bottom model to achieve high reconstruction performance on an auxiliary dataset.
Malicious gradient generation: The adversary freezes the encoder and replaces the conventional top model with the DAC. The DAC transfers the embedding distribution from the encoder into the target model and integrates label information through its classification task, so that the malicious training is indistinguishable from honest training.
Data reconstruction: The adversary uses the trained decoder to reconstruct the private features of the target clients from the embeddings uploaded by the passive clients together with the adversary's own local embedding.
Comprehensive experiments demonstrate that DMAVFL significantly outperforms existing attacks and successfully circumvents state-of-the-art defenses against malicious attacks. Additional ablation studies and evaluations against other defenses further underscore the robustness and effectiveness of DMAVFL.
Key insights extracted from: Duanyi Yao, S... (arxiv.org, 05-01-2024)
https://arxiv.org/pdf/2404.19582.pdf