Feature Reconstruction Attacks and Countermeasures of DNN Training in Vertical Federated Learning
Paper: Ye P., Jiang Z., Wang W., Li B., Li B. (IEEE TDSC, 2024)
Focus: Feature security in VFL when training DNNs
1. What is Vertical Federated Learning (VFL)?
Party A (Active)                    Party B (Passive)
+-------------------+               +-------------------+
| Features xA       |               | Features xB       |
| Labels y          |               | No labels         |
| Top model θ       |               | Bottom model WB   |
+---------+---------+               +---------+---------+
          |                                   |
          |           zB = WB · xB            |
          |<----------------------------------+
          v
    z = WA·xA + zB
    Final prediction
Key Characteristics:
- Column-wise split: Each party holds different features (columns) of the same samples
- Active party: Has labels, coordinates training, holds the top model
- Passive party: Has features only, sends intermediate results to active party
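A minimal NumPy sketch of this split forward pass, under the simplifying assumption that both bottom models and the top model are single linear layers (all names and dimensions below are illustrative, not from the paper):

```python
import numpy as np

rng = np.random.default_rng(0)
n, dA, dB, dH = 6, 3, 4, 5            # samples, A features, B features, hidden width

xA = rng.normal(size=(n, dA))          # active party's feature columns
xB = rng.normal(size=(n, dB))          # passive party's feature columns (to protect)
WA = rng.normal(size=(dA, dH))         # active party's bottom weights
WB = rng.normal(size=(dB, dH))         # passive party's bottom weights (hidden from A)
theta = rng.normal(size=(dH, 1))       # active party's top model

# Passive party computes its intermediate result and sends it to the active party.
zB = xB @ WB                           # row-major version of zB = WB · xB

# Active party aggregates both contributions and applies the top model.
z = xA @ WA + zB                       # z = WA·xA + zB
prediction = z @ theta                 # final output; labels y never leave party A
```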
2. Threat Model
| Aspect | Description |
|---|---|
| Adversary | Active party (honest-but-curious) |
| Goal | Reconstruct the passive party's input features xB |
| View | Own data (xA, y), local weights (WA, θ), intermediate results (zB = WB·xB) |
| Constraint | No knowledge of the passive party's weights WB |
3. Core Theoretical Result: Impossibility Theorem
Theorem 1: With zero knowledge, feature reconstruction is impossible.
Why? For any intermediate result zB, there exist infinitely many pairs (WB, xB) that produce the same output:
- If U is any unitary matrix: WB·U^T and U·xB produce the same zB
- The active party cannot distinguish between these possibilities
Critical Implication: Attack only becomes possible when the attacker knows constraints on the features (e.g., binary/discrete values).
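A quick numerical check of the ambiguity behind Theorem 1 (illustrative NumPy only): rotating the weights by U^T and the features by U leaves zB unchanged, so zB alone cannot identify xB.

```python
import numpy as np

rng = np.random.default_rng(1)
dB, dH = 4, 5

xB = rng.normal(size=dB)              # passive party's true features (one sample)
WB = rng.normal(size=(dH, dB))        # passive party's true bottom weights
zB = WB @ xB                          # what the active party observes

# Any orthogonal (real unitary) U yields a different (WB, xB) pair with the same zB.
U, _ = np.linalg.qr(rng.normal(size=(dB, dB)))
WB_alt, xB_alt = WB @ U.T, U @ xB

assert np.allclose(WB_alt @ xB_alt, zB)   # same intermediate result...
assert not np.allclose(xB_alt, xB)        # ...explained by different features
```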
4. Binary Feature Attack
4.1 Why Binary Features are Vulnerable
If the attacker knows some features are binary ({0,1}):
- The search space becomes finite (2^n instead of infinite)
- Binary vectors in the column space of ZB correspond to actual features
4.2 Attack Algorithm 1: Solving Linear Equations
Core idea: find binary vectors in the column space of ZB
1. Extract a dB × dB full-rank submatrix Z' from ZB
2. For each x' in {0,1}^dB \ {0}:
       w = Z'^(-1) · x'
       x = ZB · w
       if x is binary: found a feature!
Complexity: O(2^dB), exponential in the passive feature dimension dB
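A runnable NumPy sketch of this enumeration (my reconstruction of the pseudocode above, not the authors' code; it assumes a noise-free ZB with dB columns, or one already reduced to a rank-dB basis):

```python
import numpy as np
from itertools import product

def reconstruct_binary_features(ZB, tol=1e-8):
    """Return binary length-n vectors lying in the column space of ZB (n x dB)."""
    n, dB = ZB.shape

    # Step 1: greedily collect dB rows that form a full-rank dB x dB submatrix Z'.
    rows = []
    for i in range(n):
        if np.linalg.matrix_rank(ZB[rows + [i]]) == len(rows) + 1:
            rows.append(i)
        if len(rows) == dB:
            break
    Zp = ZB[rows]                                  # Z', invertible by construction

    # Step 2: enumerate all non-zero binary assignments x' on those dB rows.
    found = []
    for bits in product([0.0, 1.0], repeat=dB):
        xp = np.array(bits)
        if not xp.any():
            continue
        w = np.linalg.solve(Zp, xp)                # w = Z'^(-1) · x'
        x = ZB @ w                                 # lift back to all n samples
        if np.all((np.abs(x) < tol) | (np.abs(x - 1.0) < tol)):
            found.append((x > 0.5).astype(int))    # a candidate feature column
    return found
```

Cost is one linear solve per candidate, i.e. O(2^dB), matching the bound above; every binary column of the true xB lies in col-span(ZB) and therefore appears among the returned candidates.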
4.3 Attack Algorithm 2: Robust Version (Linear Regression)
Handles noise/perturbations using Leverage Score Sampling:
- Samples r rows by leverage score to reduce the enumeration from 2^n to 2^r
- Solves least squares instead of exact linear equations
- r = O(dB log dB / ε²) theoretically, but r = dB + 1 works in practice
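A hedged sketch of this robust variant as I read the description above (not the paper's exact Algorithm 2): sample r rows by leverage score, enumerate binary assignments only on those rows, and solve a least-squares problem instead of inverting an exact submatrix.

```python
import numpy as np
from itertools import product

def leverage_scores(ZB):
    """Row leverage scores of ZB, computed from a thin SVD."""
    U, _, _ = np.linalg.svd(ZB, full_matrices=False)
    return (U ** 2).sum(axis=1)

def robust_reconstruct(ZB, r=None, tol=0.25, seed=0):
    """Noise-tolerant search for binary columns near the column space of ZB."""
    rng = np.random.default_rng(seed)
    n, dB = ZB.shape
    r = (dB + 1) if r is None else r               # dB + 1 suffices in practice

    # Sample r distinct rows with probability proportional to leverage score.
    p = leverage_scores(ZB)
    S = rng.choice(n, size=r, replace=False, p=p / p.sum())

    found = []
    for bits in product([0.0, 1.0], repeat=r):     # 2^r candidates instead of 2^n
        b = np.array(bits)
        if not b.any():
            continue
        w, *_ = np.linalg.lstsq(ZB[S], b, rcond=None)  # least squares, not exact solve
        x = ZB @ w
        if np.all(np.abs(x - np.round(x)) < tol):      # entries close to integers?
            x_bin = np.round(x)
            if np.isin(x_bin, (0.0, 1.0)).all():       # ...and those integers are 0/1
                found.append(x_bin.astype(int))
    return found
```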
4.4 NP-Hardness
Theorem 2: Finding binary vectors in a matrix column span is NP-hard (by reduction from the Exact Cover problem)
Despite this, the attack is practical because:
- dB is typically small (≤ 20 features)
- 2^dB is tractable for most real datasets (e.g., dB = 20 means only 2^20 ≈ 10^6 candidates)
5. Why Simple Defenses Fail
Gaussian Noise Defense
| σ (noise level) | Attack Accuracy | Model Accuracy |
|---|---|---|
| 0 | 100% | High |
| 0.1 | ~70-90% | Moderate drop |
| 0.5+ | ~60% | Significant drop |
Problem: Even with noise, attack accuracy remains high while model performance degrades.
BlindFL (Privacy-Preserving Framework)
The paper shows their attack still works against BlindFL because the aggregated sum of intermediate results is still exposed.
6. Masquerade Defense
6.1 Core Idea
Inject fake binary features that mislead the attacker:
                 +---------------+
xB ------------> |  Transform Q  | ---+
                 +---------------+    |     +------------------+
                                      +---> | zB = [P | u] ... | ---> To Party A
Random a (fabricated) --------------------> +------------------+
6.2 How It Works
- Introduce matrices P and Q
- For each sample, generate random binary value(s) {a1, …, am}
- Attacker finds fabricated features instead of real ones
- Set m = ⌈log₂(n)⌉ to prevent adaptive attacks
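A tiny sketch of only the fabricated-value bookkeeping described above (the P/Q mixing that embeds these decoys into zB is part of the paper's construction and is not reproduced here):

```python
import numpy as np

def fabricate_binary_values(n, seed=0):
    """Draw m = ceil(log2(n)) random binary decoy values for each of n samples."""
    rng = np.random.default_rng(seed)
    m = int(np.ceil(np.log2(n)))
    return rng.integers(0, 2, size=(n, m))    # these decoys are what the attacker finds

decoys = fabricate_binary_values(n=41_188)     # Bank-dataset size -> m = 16 decoy columns
```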
6.3 Effectiveness
| Metric | Without Defense | With Masquerade |
|---|---|---|
| Attack Accuracy | 100% | ~50% (random) |
| Model Accuracy | Baseline | ~Same (negligible drop) |
| Training Time | Baseline | +2-14% overhead |
7. Experiments
Datasets Used
| Dataset | Samples | Passive Features | Binary Features |
|---|---|---|---|
| Bank | 41,188 | 8 | 1 (contact) |
| Credit | 30,000 | 10 | 1 (gender) |
| Nursery | 12,960 | 6 | 1 (financial) |
| Covertype | 581,012 | 10 | 4 (one-hot) |
| COVID | 5,434 | 12 | 12 (symptoms) |
| Monkey-pox | 25,000 | 8 | 8 (symptoms) |
Results Summary
- Algorithm 1: 100% reconstruction without noise
- Algorithm 2: 60-95% reconstruction with Gaussian noise
- Masquerade: Reduces attack to ~50% (random guessing)
8. Practical Takeaways
For Attackers (Understanding Threats)
- Binary/discrete features in VFL are highly vulnerable
- Even with noise, reconstruction is feasible
- Attack works in multi-party settings too
- One-hot encoded features can be fully recovered
For Defenders (Protecting Data)
- Simple noise is insufficient
- Masquerade defense is effective with minimal overhead
- Use at least m = ⌈log₂(n)⌉ fabricated features
- Cutting at deeper layers (not input layer) prevents these attacks
Limitations
- The attack only works when the cut layer is the input layer
- If cut at layer 2+, non-linear activations break the linear algebra basis
- Feature dimension dB must be tractable (practical limit ~20-30)
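In equation form, my paraphrase of why a deeper cut helps (W1, W2 are my notation for the passive party's first two layers, with ReLU as an example activation): at the input layer the observation is linear in xB, but after a hidden layer it is not, so "find a binary vector in col-span(ZB)" no longer describes the problem.

Cut at input layer:      zB = WB · xB              (linear in xB, column-span attack applies)
Cut after a hidden layer: zB = W2 · ReLU(W1 · xB)  (non-linear in xB, the linear-algebra basis breaks)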
9. Key Equations to Remember
| Concept | Equation |
|---|---|
| Intermediate result | zB = WB · xB |
| Aggregation | z = WA·xA + WB·xB |
| Attack objective | Find binary x in col-span(ZB) |
| Defense condition | m ≥ ⌈log₂(n)⌉ fabricated features |
10. Questions for Further Investigation
- How do other attack types (gradient inversion, model inversion) compare?
- Are there defenses that don't require modifying the training process?
- What about attacks on continuous features with known distributions?
- How does differential privacy compare to masquerade defense?