Focusing on Pinocchio's Nose: A Gradients Scrutinizer to Thwart Split-Learning Hijacking Attacks Using Intrinsic Attributes
Jiayun Fu, Xiaojing Ma, Bin Zhu, Pingyi Hu, Ruixin Zhao, Yaru Jia, Peng Xu, Hai Jin, Dongmei Zhang
Abstract
Split learning is privacy-preserving distributed learning that has gained momentum recently.It also faces new security challenges.FSHA [37] is a serious threat to split learning.In FSHA, a malicious server hijacks training to trick clients to train the encoder of an autoencoder instead of a classification model.Intermediate results sent to the server by a client are actually latent codes of private training samples, which can be reconstructed with high fidelity from the received codes with the decoder of the autoencoder.SplitGuard [10] is the only existing effective defense against hijacking attacks.It is an active method that injects falsely labeled data to incur abnormal behaviors to detect hijacking attacks.Such injection also incurs an adverse impact on honest training of intended models.