VFLIP: A Backdoor Defense for Vertical Federated Learning via Identification and Purification

Yungi Cho; Woorim Han; Miseon Yu; Younghan Lee; Ho Bae; Yunheung Paek

doi:10.1007/978-3-031-70903-6_15

VFLIP: A Backdoor Defense for Vertical Federated Learning via Identification and Purification

Yungi Cho, Woorim Han, Miseon Yu, Younghan Lee, Ho Bae, Yunheung Paek

Department of Cyber Security

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Vertical Federated Learning (VFL) focuses on handling vertically partitioned data over FL participants. Recent studies have discovered a significant vulnerability in VFL to backdoor attacks which specifically target the distinct characteristics of VFL. Therefore, these attacks may neutralize existing defense mechanisms designed primarily for Horizontal Federated Learning (HFL) and deep neural networks. In this paper, we present the first backdoor defense, called VFLIP, specialized for VFL. VFLIP employs the identification and purification techniques that operate at the inference stage, consequently improving the robustness against backdoor attacks to a great extent. VFLIP first identifies backdoor-triggered embeddings by adopting a participant-wise anomaly detection approach. Subsequently, VFLIP conducts purification which removes the embeddings identified as malicious and reconstructs all the embeddings based on the remaining embeddings. We conduct extensive experiments on CIFAR10, CINIC10, Imagenette, NUS-WIDE, and Bank-Marketing to demonstrate that VFLIP can effectively mitigate backdoor attacks in VFL. https://github.com/blingcho/VFLIP-esorics24

Original language	English
Title of host publication	Computer Security – ESORICS 2024 - 29th European Symposium on Research in Computer Security, Proceedings
Editors	Joaquin Garcia-Alfaro, Rafał Kozik, Michał Choraś, Sokratis Katsikas
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	291-312
Number of pages	22
ISBN (Print)	9783031709029
DOIs	https://doi.org/10.1007/978-3-031-70903-6_15
State	Published - 2024
Event	29th European Symposium on Research in Computer Security, ESORICS 2024 - Bydgoszcz, Poland Duration: 16 Sep 2024 → 20 Sep 2024

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	14985 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	29th European Symposium on Research in Computer Security, ESORICS 2024
Country/Territory	Poland
City	Bydgoszcz
Period	16/09/24 → 20/09/24

Bibliographical note

Publisher Copyright:
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2024.

Keywords

AI Security
Backdoor Attack
Vertical Federated Learning

Access to Document

10.1007/978-3-031-70903-6_15

Cite this

Cho, Y., Han, W., Yu, M., Lee, Y., Bae, H., & Paek, Y. (2024). VFLIP: A Backdoor Defense for Vertical Federated Learning via Identification and Purification. In J. Garcia-Alfaro, R. Kozik, M. Choraś, & S. Katsikas (Eds.), Computer Security – ESORICS 2024 - 29th European Symposium on Research in Computer Security, Proceedings (pp. 291-312). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 14985 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-70903-6_15

Cho, Yungi ; Han, Woorim ; Yu, Miseon et al. / VFLIP : A Backdoor Defense for Vertical Federated Learning via Identification and Purification. Computer Security – ESORICS 2024 - 29th European Symposium on Research in Computer Security, Proceedings. editor / Joaquin Garcia-Alfaro ; Rafał Kozik ; Michał Choraś ; Sokratis Katsikas. Springer Science and Business Media Deutschland GmbH, 2024. pp. 291-312 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{d689e21460174102aaf890500540ab4c,

title = "VFLIP: A Backdoor Defense for Vertical Federated Learning via Identification and Purification",

abstract = "Vertical Federated Learning (VFL) focuses on handling vertically partitioned data over FL participants. Recent studies have discovered a significant vulnerability in VFL to backdoor attacks which specifically target the distinct characteristics of VFL. Therefore, these attacks may neutralize existing defense mechanisms designed primarily for Horizontal Federated Learning (HFL) and deep neural networks. In this paper, we present the first backdoor defense, called VFLIP, specialized for VFL. VFLIP employs the identification and purification techniques that operate at the inference stage, consequently improving the robustness against backdoor attacks to a great extent. VFLIP first identifies backdoor-triggered embeddings by adopting a participant-wise anomaly detection approach. Subsequently, VFLIP conducts purification which removes the embeddings identified as malicious and reconstructs all the embeddings based on the remaining embeddings. We conduct extensive experiments on CIFAR10, CINIC10, Imagenette, NUS-WIDE, and Bank-Marketing to demonstrate that VFLIP can effectively mitigate backdoor attacks in VFL. https://github.com/blingcho/VFLIP-esorics24",

keywords = "AI Security, Backdoor Attack, Vertical Federated Learning",

author = "Yungi Cho and Woorim Han and Miseon Yu and Younghan Lee and Ho Bae and Yunheung Paek",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Switzerland AG 2024.; 29th European Symposium on Research in Computer Security, ESORICS 2024 ; Conference date: 16-09-2024 Through 20-09-2024",

year = "2024",

doi = "10.1007/978-3-031-70903-6_15",

language = "English",

isbn = "9783031709029",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "291--312",

editor = "Joaquin Garcia-Alfaro and Rafa{\l} Kozik and Micha{\l} Chora{\'s} and Sokratis Katsikas",

booktitle = "Computer Security – ESORICS 2024 - 29th European Symposium on Research in Computer Security, Proceedings",

}

Cho, Y, Han, W, Yu, M, Lee, Y, Bae, H & Paek, Y 2024, VFLIP: A Backdoor Defense for Vertical Federated Learning via Identification and Purification. in J Garcia-Alfaro, R Kozik, M Choraś & S Katsikas (eds), Computer Security – ESORICS 2024 - 29th European Symposium on Research in Computer Security, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 14985 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 291-312, 29th European Symposium on Research in Computer Security, ESORICS 2024, Bydgoszcz, Poland, 16/09/24. https://doi.org/10.1007/978-3-031-70903-6_15

VFLIP: A Backdoor Defense for Vertical Federated Learning via Identification and Purification. / Cho, Yungi; Han, Woorim; Yu, Miseon et al.
Computer Security – ESORICS 2024 - 29th European Symposium on Research in Computer Security, Proceedings. ed. / Joaquin Garcia-Alfaro; Rafał Kozik; Michał Choraś; Sokratis Katsikas. Springer Science and Business Media Deutschland GmbH, 2024. p. 291-312 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 14985 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - VFLIP

T2 - 29th European Symposium on Research in Computer Security, ESORICS 2024

AU - Cho, Yungi

AU - Han, Woorim

AU - Yu, Miseon

AU - Lee, Younghan

AU - Bae, Ho

AU - Paek, Yunheung

N1 - Publisher Copyright: © The Author(s), under exclusive license to Springer Nature Switzerland AG 2024.

PY - 2024

Y1 - 2024

N2 - Vertical Federated Learning (VFL) focuses on handling vertically partitioned data over FL participants. Recent studies have discovered a significant vulnerability in VFL to backdoor attacks which specifically target the distinct characteristics of VFL. Therefore, these attacks may neutralize existing defense mechanisms designed primarily for Horizontal Federated Learning (HFL) and deep neural networks. In this paper, we present the first backdoor defense, called VFLIP, specialized for VFL. VFLIP employs the identification and purification techniques that operate at the inference stage, consequently improving the robustness against backdoor attacks to a great extent. VFLIP first identifies backdoor-triggered embeddings by adopting a participant-wise anomaly detection approach. Subsequently, VFLIP conducts purification which removes the embeddings identified as malicious and reconstructs all the embeddings based on the remaining embeddings. We conduct extensive experiments on CIFAR10, CINIC10, Imagenette, NUS-WIDE, and Bank-Marketing to demonstrate that VFLIP can effectively mitigate backdoor attacks in VFL. https://github.com/blingcho/VFLIP-esorics24

AB - Vertical Federated Learning (VFL) focuses on handling vertically partitioned data over FL participants. Recent studies have discovered a significant vulnerability in VFL to backdoor attacks which specifically target the distinct characteristics of VFL. Therefore, these attacks may neutralize existing defense mechanisms designed primarily for Horizontal Federated Learning (HFL) and deep neural networks. In this paper, we present the first backdoor defense, called VFLIP, specialized for VFL. VFLIP employs the identification and purification techniques that operate at the inference stage, consequently improving the robustness against backdoor attacks to a great extent. VFLIP first identifies backdoor-triggered embeddings by adopting a participant-wise anomaly detection approach. Subsequently, VFLIP conducts purification which removes the embeddings identified as malicious and reconstructs all the embeddings based on the remaining embeddings. We conduct extensive experiments on CIFAR10, CINIC10, Imagenette, NUS-WIDE, and Bank-Marketing to demonstrate that VFLIP can effectively mitigate backdoor attacks in VFL. https://github.com/blingcho/VFLIP-esorics24

KW - AI Security

KW - Backdoor Attack

KW - Vertical Federated Learning

UR - http://www.scopus.com/inward/record.url?scp=85204362315&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-70903-6_15

DO - 10.1007/978-3-031-70903-6_15

M3 - Conference contribution

AN - SCOPUS:85204362315

SN - 9783031709029

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 291

EP - 312

BT - Computer Security – ESORICS 2024 - 29th European Symposium on Research in Computer Security, Proceedings

A2 - Garcia-Alfaro, Joaquin

A2 - Kozik, Rafał

A2 - Choraś, Michał

A2 - Katsikas, Sokratis

PB - Springer Science and Business Media Deutschland GmbH

Y2 - 16 September 2024 through 20 September 2024

ER -

Cho Y, Han W, Yu M, Lee Y, Bae H, Paek Y. VFLIP: A Backdoor Defense for Vertical Federated Learning via Identification and Purification. In Garcia-Alfaro J, Kozik R, Choraś M, Katsikas S, editors, Computer Security – ESORICS 2024 - 29th European Symposium on Research in Computer Security, Proceedings. Springer Science and Business Media Deutschland GmbH. 2024. p. 291-312. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-70903-6_15