A novel form of inference attack in vertical federated learning (VFL) is proposed, in the setting where two parties collaborate to train a machine learning (ML) model; logistic regression is taken as the VFL model. One party, the active party, holds the ground-truth labels of the training samples, while the other, the passive party, contributes only a separate set of features for the same samples. It is shown that the active party can carry out inference attacks on both training-phase and prediction-phase samples using an ML model trained independently on the training samples available to it. Because this attack does not require the active party to know the confidence score of the specific sample under attack, it is referred to as an agnostic inference attack. It is further shown that the confidence scores the active party observes during the prediction phase, before the attack takes place, can be used to improve its independently trained model and thereby the quality of the agnostic inference attack. As a countermeasure, privacy-preserving schemes (PPSs) are proposed. The schemes preserve the utility of the VFL model while systematically distorting the VFL parameters corresponding to the passive party's features. The level of distortion applied to the passive party's parameters is adjustable, which gives rise to a trade-off between the privacy of the passive party and the interpretability of the VFL outcomes for the active party. The distortion level can be chosen according to the privacy concerns of the passive party and the interpretability concerns of the active party, with the aim of leaving both parties (at least partially) satisfied. Finally, experimental results demonstrate the effectiveness of the proposed attack and of the PPSs.