Just a Simple Transformation is Enough for Data Protection in Vertical Federated Learning

🔼 This figure presents a comparison of the UnSplit attack’s effectiveness on Fashion-MNIST data when employed against two different client model architectures in a Split Learning setup. The top row displays the original Fashion-MNIST images. The middle row shows the reconstructed images when a CNN-based model is used on the client-side. The bottom row presents the reconstructed images when an MLP-based model is employed on the client-side. As can be seen, the CNN-based client model is vulnerable to the attack. The MLP-based client model, however, is resistant, with the attack failing to recover any meaningful representation of the original data.

read the caption

Figure 2: Results of UnSplit attack on F-MNIST. (Top): Original images. (Middle): CNN-based client model. (Bottom): MLP-based client model.

🔼 This figure presents a comparison of the Feature-space Hijacking Attack (FSHA) performance on the MNIST dataset under two different client model architectures: a CNN-based model and an MLP-based model. The top row displays the original MNIST images. The middle row shows the reconstructed images when the client model uses a CNN architecture. The bottom row illustrates the attack outcome when using an MLP-based client model. The figure aims to visually demonstrate the effectiveness of FSHA against these two architectures by comparing the quality of the reconstructed images. As shown in the figure, the attack achieves higher reconstruction quality with the CNN client model and fails when the client-side architecture contains dense layers.

read the caption

Figure 3: Results of FSHA attack on MNIST. (Top): Original images. (Middle): CNN-based client model. (Bottom): MLP-based client model.

🔼 This figure presents a comparison of the Feature-space Hijacking Attack (FSHA) on the Fashion-MNIST (F-MNIST) dataset with different client model architectures. The top row displays the original images. The middle row shows the reconstructed images when the client model is a Convolutional Neural Network (CNN). The bottom row shows the reconstructed images when the client model is a Multilayer Perceptron (MLP). The comparison demonstrates that FSHA is effective in reconstructing the original images when a CNN is used but fails when an MLP is used, highlighting the vulnerability of CNN-based client models and the robustness of MLP-based client models to this specific attack.

read the caption

Figure 4: Results of FSHA attack on F-MNIST. (Top): Original images. (Middle): CNN-based client model. (Bottom): MLP-based client model.

🔼 This figure presents the Encoder-Decoder error and the Reconstruction error for the Feature-space Hijacking Attack (FSHA). The Encoder-Decoder error represents the mean squared error (MSE) between the original images from a public dataset and the images reconstructed using an encoder-decoder model. The Reconstruction error, on the other hand, denotes the MSE between the original private data held by the client and the data reconstructed by the attacker (server) using the client’s model activations. The figure showcases these errors for both CNN-based and MLP-based client models across MNIST and Fashion-MNIST (F-MNIST) datasets. It illustrates that the encoder-decoder pair performs equally well in reconstructing public data, irrespective of the client’s model architecture. However, the attack’s success in reconstructing private data significantly depends on the client-side architecture, with MLP-based models demonstrating greater resistance to reconstruction.

read the caption

Figure 5: Encoder-decoder error and Reconstruction error for FSHA attack

🔼 Figure 6 presents a comparison of the UnSplit attack’s effectiveness on CIFAR-10 images when employing two different client model architectures within the Split Learning framework. The top row displays the original CIFAR-10 images. The middle row showcases the reconstructed images when a CNN-based model is used on the client-side. The bottom row presents the reconstructed images when an MLP-Mixer model is used on the client-side. The figure visually demonstrates that using the MLP-Mixer model, which incorporates dense layers, makes the UnSplit attack ineffective at reconstructing the original images, supporting Hypothesis 1 of the paper.

read the caption

Figure 6: Results of UnSplit attack on CIFAR-10. (Top): Original images. (Middle): CNN-based client model. (Bottom): MLP-Mixer client model.

🔼 This figure demonstrates how the Adam optimizer’s performance can be affected by initialization when applied to the non-convex function f(y) = y² + 6sin²(y), where y = WᵀX. The plot shows the function’s value over optimization steps for two different initializations of W and X. The ‘before rotation’ line represents the optimization path with the original initialization, converging towards the global minimum at y = 0. The ‘after rotation’ line shows the optimization path after applying an orthogonal transformation to both W and X. In this scenario, the optimizer gets stuck in a local minimum, failing to reach the global optimum. This illustrates that for non-convex functions, the behavior of Adam, and potentially other adaptive optimizers, can be sensitive to the initial values of the weights and data.

read the caption

Figure 7: While optimizing the non-convex function f⁢(x)𝑓𝑥f(x)italic_f ( italic_x ), Adam can get stuck in the local minima in depence on the initialization.

🔼 This figure presents Mean Squared Error (MSE) results across different classes for the UnSplit attack on three datasets: CIFAR-10, F-MNIST, and MNIST. The top row shows results on CIFAR-10 using both an MLP-Mixer and a CNN-based client model. The middle row displays results on F-MNIST with MLP and CNN-based client models. The bottom row presents results on MNIST also with MLP and CNN-based client models. Each plot within the rows shows the MSE for both the reconstructed image (Reconstruction MSE) and the intermediate activations at the cut layer (Cut Layer MSE). This allows for a comparison of the error in both the input space and the latent space at the cut layer for each class in the respective dataset.

read the caption

Figure 8: MSE across different classes for the UnSplit attack. (Top row): CIFAR-10 – MLP-Mixer and CNN-based models. (Middle row): F-MNIST – MLP and CNN-based models. (Bottom row): MNIST – MLP and CNN-based models.

🔼 This figure presents a comparison of the UnSplit attack’s reconstruction capabilities on the MNIST dataset, showcasing the impact of client-side model architecture. The top row displays the original MNIST images. The middle row illustrates the reconstructed images when the client utilizes a CNN-based model, while the bottom row shows the results when the client employs a smaller MLP-based model (SmallMLP) designed to have a similar number of parameters as the CNN. Notably, even with this smaller MLP model, the UnSplit attack struggles to reconstruct meaningful images, aligning with the paper’s core argument about the resistance of MLP-based architectures to such attacks.

read the caption

Figure 9: Results of UnSplit attack on MNIST. (Top): Original images. (Middle): CNN-based client model. (Bottom): SmallMLP client model.

🔼 Figure 10 shows the reconstruction results of the UnSplit attack on the Fashion-MNIST (F-MNIST) dataset. The top row displays the original images. The middle row presents the reconstructions when a CNN-based model is used on the client-side, which in this case results in almost perfect reconstruction of the input data. The bottom row shows the reconstructions when a much smaller MLP-based model (SmallMLP) is used on the client-side. As expected by the theory presented in the paper, the attacker cannot succeed against SmallMLP, highlighting that the usage of simple transformations (like usage of MLP instead of CNN) can be enough for data protection in Vertical Federated Learning.

read the caption

Figure 10: Results of UnSplit attack on F-MNIST. (Top): Original images. (Middle): CNN-based client model. (Bottom): SmallMLP client model.

🔼 This figure presents the results of the Feature Space Hijacking Attack (FSHA) on the MNIST dataset. The top row displays the original MNIST images. The middle row shows the reconstructed images when a CNN-based model is used on the client-side. The bottom row presents the reconstructed images when a smaller MLP-based model (SmallMLP) is used on the client-side. As can be seen, the FSHA attack successfully reconstructs the original images when the client uses a CNN-based model. However, it completely fails when the client model is a SmallMLP model.

read the caption

Figure 11: Results of FSHA attack on MNIST. (Top): Original images. (Middle): CNN-based client model. (Bottom): SmallMLP client model.

🔼 This figure presents a comparison of the Feature-space Hijacking Attack (FSHA) results on the Fashion-MNIST (F-MNIST) dataset with two different client models. The top row displays the original images from the dataset. The middle row shows the reconstruction results when a CNN-based model is used on the client-side. The bottom row shows the results when a smaller MLP-based model (SmallMLP) is used on the client side. SmallMLP is not as accurate as the four-layer MLP in other experiments but is designed to match CNN’s number of parameters. As demonstrated, the CNN client model allows near-perfect reconstruction of the private data by the malicious server, while the MLP-based model effectively thwarts the attack.

read the caption

Figure 12: Results of FSHA attack on F-MNIST. (Top): Original images. (Middle): CNN-based client model. (Bottom): SmallMLP client model.

🔼 This table, located in Section 4, compares the number of parameters across different models used in the experiments: a four-layer MLP, an MLP-Mixer, a CNN, and a two-layer MLP (SmallMLP). The SmallMLP is designed to have a comparable number of parameters to the CNN while having reduced accuracy.

read the caption

Table 2: Number of parameters for different models across.

Split Layer #	Without noise	With Noise
Ref.
1
2
3
4
5
6
Ref.
1
2
3
4
5
6
Ref.
1
2
3
4
5
6

🔼 This table shows the results of reconstructing input images using the UnSplit attack with Differential Privacy (DP) defense, applied for various cut layers on MNIST, Fashion-MNIST, and CIFAR-10 datasets. The table compares the effectiveness of reconstruction with and without adding the DP noise. Each row represents a different split depth (cut layer), with ‘Ref.’ showing the original images. The DP noise variance (σ) is set differently for each dataset to balance privacy and utility. It’s worth noting that while the theoretical σ for CIFAR-10 is 7.1, it was lowered to 0.25 due to complications in training.

read the caption

Table 3: Estimated inputs with and without adding noise for various Cut Layers for the MNIST, F-MNIST, and CIFAR-10 datasets. The 'Ref.' row display the actual inputs, and the next rows display the attack results for different split depths. We took the following noise variance for different datasets: σ=1.6𝜎1.6\sigma=1.6italic_σ = 1.6 for MNIST, σ=2.6𝜎2.6\sigma=2.6italic_σ = 2.6 for F-MNIST, σ=0.25𝜎0.25\sigma=0.25italic_σ = 0.25 for CIFAR-10. Note that theoretical value of σ𝜎\sigmaitalic_σ for CIFAR-10 is 7.17.17.17.1, but we decided to lower it due to neural network learning issues.