A novel form of inference attack in vertical federated learning (VFL) is proposed, where two parties collaborate in training a machine learning (ML) model. Logistic regression is considered for the VFL model. One party, referred to as the active party, possesses the ground-truth labels of the samples in the training phase, while the other, referred to as the passive party, only shares a separate set of features corresponding to these samples. It is shown that the active party can carry out inference attacks on both training-phase and prediction-phase samples by acquiring an ML model trained independently on the training samples available to it. This type of inference attack does not require the active party to know the confidence score of the specific sample under attack; hence it is referred to as an agnostic inference attack. It is further shown that the confidence scores observed during the prediction phase, before the time of the attack, can be used to improve the active party's autonomous model and thus the quality of the agnostic inference attack. As a countermeasure, privacy-preserving schemes (PPSs) are proposed. While the proposed schemes preserve the utility of the VFL model, they systematically distort the VFL parameters corresponding to the passive party's features. The level of distortion imposed on the passive party's parameters is adjustable, giving rise to a trade-off between the privacy of the passive party and the interpretability of the VFL outcomes by the active party. The distortion level could be chosen according to the privacy and interpretability concerns of the passive and active parties, respectively, with the hope of keeping both parties (partially) satisfied. Finally, experimental results demonstrate the effectiveness of the proposed attack and of the PPSs.
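The following toy simulation is an added illustration of the abstract's setting and is not the paper's own code or construction. It assumes a two-party logistic-regression VFL in which the active party holds two features and the labels and the passive party holds one feature; it assumes the attack target is the passive party's feature (the abstract does not name the target); it assumes the observed prediction-phase confidence scores are used as soft logit targets when refining the active party's autonomous model; and it stands in for the PPS with a simple scheme in which the passive party keeps computing its partial score with its true weight but discloses a scaled copy of that weight to the active party. The data generator, dimensions, training loop and all function names (`agnostic_infer`, `disclose`, `run`) are assumptions of this example.

```python
"""Toy two-party VFL logistic regression, an agnostic inference attack by the
active party, and a parameter-distortion countermeasure.

Everything here is an illustrative assumption for the demo (data generator,
dimensions, training loop, the shape of the countermeasure); it is not the
paper's construction.  Assumed attack target: the passive party's feature.
"""
import math
import random

random.seed(7)


def sigmoid(z):
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    e = math.exp(z)
    return e / (1.0 + e)


def logit(p):
    p = min(max(p, 1e-12), 1.0 - 1e-12)
    return math.log(p / (1.0 - p))


def dot(w, x):
    return sum(wi * xi for wi, xi in zip(w, x))


def make_data(n):
    """Constructed data: active party holds x_a (2 features), passive party x_p (1 feature).
    x_p is correlated with x_a, so the active party can predict part of it; the N(0, 0.8)
    term is the part only the passive party knows.  Labels follow a true logistic model."""
    rows = []
    for _ in range(n):
        xa = [random.gauss(0, 1), random.gauss(0, 1)]
        xp = 0.8 * xa[0] - 0.5 * xa[1] + random.gauss(0, 0.8)
        z = 1.5 * xa[0] - 1.0 * xa[1] + 2.0 * xp + 0.3
        y = 1 if random.random() < sigmoid(z) else 0
        rows.append((xa, xp, y))
    return rows


def train(X, targets, soft=False, epochs=500, lr=0.5):
    """Full-batch gradient descent.  soft=False: logistic loss on 0/1 labels.
    soft=True: squared error between the linear score and an observed logit."""
    d, n = len(X[0]), len(X)
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * d, 0.0
        for x, t in zip(X, targets):
            z = dot(w, x) + b
            err = (z - t) if soft else (sigmoid(z) - t)
            for i in range(d):
                gw[i] += err * x[i]
            gb += err
        w = [wi - lr * g / n for wi, g in zip(w, gw)]
        b -= lr * gb / n
    return w, b


def vfl_train(rows):
    """Joint logistic regression over both parties' features (the VFL model)."""
    w, b = train([xa + [xp] for xa, xp, _ in rows], [y for _, _, y in rows])
    return w[:2], w[2], b  # w_a (active side), w_p (passive side), bias


def vfl_score(xa, xp, w_a, w_p, b):
    """Confidence score the active party sees; the passive party always uses its true w_p."""
    return sigmoid(dot(w_a, xa) + w_p * xp + b)


def agnostic_infer(xa, w_a, b, w_p_disclosed, auto):
    """Agnostic attack: the score of this sample is never observed.  The active party
    predicts the VFL logit with its autonomous model, subtracts the part it can compute
    itself, and divides by the passive-side weight it was told."""
    v, c = auto
    passive_logit = (dot(v, xa) + c) - (dot(w_a, xa) + b)
    return passive_logit / w_p_disclosed


def disclose(w_p, distortion):
    """PPS stand-in (assumption): the passive party reveals w_p / (1 + distortion) to the
    active party while still computing its own partial score with the true w_p, so VFL
    outputs (utility) are unchanged and only the active party's view of w_p is distorted."""
    return w_p / (1.0 + distortion)


def run(distortions=(0.0, 0.5, 2.0), n_train=300, n_seen=200, n_target=200):
    train_rows, seen, target = make_data(n_train), make_data(n_seen), make_data(n_target)
    w_a, w_p, b = vfl_train(train_rows)
    acc = sum((vfl_score(xa, xp, w_a, w_p, b) >= 0.5) == bool(y)
              for xa, xp, y in target) / n_target

    # Autonomous model 1: the active party's own training features and labels only.
    auto_hard = train([xa for xa, _, _ in train_rows], [y for _, _, y in train_rows])
    # Autonomous model 2: refined with confidence scores observed on earlier
    # prediction-phase samples (assumed here to serve as soft logit targets).
    auto_soft = train([xa for xa, _, _ in seen],
                      [logit(vfl_score(xa, xp, w_a, w_p, b)) for xa, xp, _ in seen], soft=True)

    def mae(auto, disclosed):
        return sum(abs(agnostic_infer(xa, w_a, b, disclosed, auto) - xp)
                   for xa, xp, _ in target) / n_target

    out = {"vfl_accuracy": acc, "mae_hard": mae(auto_hard, w_p), "mae_soft": mae(auto_soft, w_p)}
    # Trade-off: attacker's reconstruction error vs. how far the disclosed weight is from
    # the true one (the active party's interpretability loss), for each distortion level.
    out["mae_vs_distortion"] = {d: mae(auto_soft, disclose(w_p, d)) for d in distortions}
    out["weight_view_error"] = {d: abs(disclose(w_p, d) - w_p) for d in distortions}
    return out


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

`run()` reports the VFL accuracy (unchanged by the distortion, since the passive party never stops using its true weight), the attack's mean absolute error with the label-only autonomous model versus the score-refined one, and the error/interpretability pair for each distortion level; the monotone growth of both numbers with the distortion level is the adjustable trade-off the abstract describes.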