Federated learning (FL) enables multiple parties to collaboratively train a machine learning model without sharing their data; rather, they train their own model locally and send updates to a central server for aggregation. Depending on how the data is distributed among the participants, FL can be classified into Horizontal (HFL) and Vertical (VFL). In VFL, the participants share the same set of training instances but only host a different and non-overlapping subset of the whole feature space. Whereas in HFL, each participant shares the same set of features while the training set is split into locally owned training data subsets. VFL is increasingly used in applications like financial fraud detection; nonetheless, very little work has analyzed its security. In this paper, we focus on robustness in VFL, in particular, on backdoor attacks, whereby an adversary attempts to manipulate the aggregate model during the training process to trigger misclassifications. Performing backdoor attacks in VFL is more challenging than in HFL, as the adversary i) does not have access to the labels during training and ii) cannot change the labels as she only has access to the feature embeddings. We present a first-of-its-kind clean-label backdoor attack in VFL, which consists of two phases: a label inference and a backdoor phase. We demonstrate the effectiveness of the attack on three different datasets, investigate the factors involved in its success, and discuss countermeasures to mitigate its impact.

翻译：联邦学习（FL）允许多方在不共享数据的情况下协作训练机器学习模型；各方在本地训练自己的模型，并将更新发送至中央服务器进行聚合。根据参与方之间的数据分布方式，联邦学习可分为横向联邦学习（HFL）和纵向联邦学习（VFL）。在纵向联邦学习中，参与方共享相同的训练实例集，但各自持有整个特征空间中互不重叠的不同子集；而横向联邦学习中，每个参与方共享相同的特征集，但训练集被划分为各方本地拥有的训练数据子集。纵向联邦学习在金融欺诈检测等应用中日益广泛，然而针对其安全性的分析工作却非常有限。本文聚焦于纵向联邦学习的鲁棒性，特别是后门攻击——即攻击者试图在训练过程中操控聚合模型以触发错误分类。在纵向联邦学习中实施后门攻击比横向联邦学习更具挑战性，因为攻击者（i）在训练期间无法访问标签，（ii）由于只能获取特征嵌入而无法修改标签。我们提出了纵向联邦学习中首个清洁标签后门攻击，该攻击包含两个阶段：标签推断阶段和后门阶段。我们在三个不同数据集上验证了该攻击的有效性，探究了影响其成功的关键因素，并讨论了减轻其影响的防御措施。