Split learning, as one of the most common architectures in vertical federated learning, has gained widespread use in industry due to its privacy-preserving characteristics. In this architecture, the party holding the labels seeks cooperation from other parties to improve model performance due to insufficient feature data. Each of these participants has a self-defined bottom model to learn hidden representations from its own feature data and uploads the embedding vectors to the top model held by the label holder for final predictions. This design allows participants to conduct joint training without directly exchanging data. However, existing research points out that malicious participants may still infer label information from the uploaded embeddings, leading to privacy leakage. In this paper, we first propose an embedding extension attack that manually modifies embeddings to undermine existing defense strategies, which rely on constraining the correlation between the embeddings uploaded by participants and the labels. Subsequently, we propose a new label obfuscation defense strategy, called `LabObf', which randomly maps each original one-hot vector label to multiple numerical soft labels with values intertwined, significantly increasing the difficulty for attackers to infer the labels. We conduct experiments on four different types of datasets, and the results show that LabObf can reduce the attacker's success rate to near random guessing while maintaining an acceptable model accuracy.

翻译：分割学习作为纵向联邦学习中最常见的架构之一，因其隐私保护特性在工业界获得了广泛应用。在此架构中，由于特征数据不足，持有标签的一方寻求与其他方合作以提升模型性能。每位参与者都拥有一个自定义的底层模型，用于从自身特征数据中学习隐藏表示，并将嵌入向量上传至由标签持有方持有的顶层模型以进行最终预测。这种设计使得参与者能够在不直接交换数据的情况下进行联合训练。然而，现有研究指出，恶意参与者仍可能从上传播入中推断出标签信息，导致隐私泄露。本文首先提出一种嵌入扩展攻击，该攻击通过人工修改嵌入来破坏现有的防御策略，这些策略依赖于约束参与者上传的嵌入与标签之间的相关性。随后，我们提出一种新的标签混淆防御策略，称为`LabObf`，该策略将每个原始的独热向量标签随机映射为多个数值相互交织的软标签，从而显著增加了攻击者推断标签的难度。我们在四种不同类型的数据集上进行了实验，结果表明，LabObf能够将攻击者的成功率降低至接近随机猜测的水平，同时保持可接受的模型精度。