Federated learning (FL), which aims to facilitate data collaboration across multiple organizations without exposing private data, faces potential security risks. One serious threat is backdoor attacks, where an attacker injects a specific trigger into the training dataset to manipulate the model's predictions. Most existing FL backdoor attacks target horizontal federated learning (HFL), where the data owned by different parties share the same features. By contrast, backdoor attacks on vertical federated learning (VFL), where each party holds only a disjoint subset of the features and the labels are held by a single party, are rarely studied. The main challenge of such an attack is to enable an attacker without access to the data labels to mount an effective attack. To this end, we propose BadVFL, a novel and practical approach for injecting backdoor triggers into victim models without label information. BadVFL consists of two key steps. First, to address the attacker's lack of label knowledge, we introduce an SDD module that can trace data categories based on gradients. Second, we propose an SDP module that improves the attack's effectiveness by strengthening the decision dependency between the trigger and the attack target. Extensive experiments show that BadVFL supports diverse datasets and models, and achieves an attack success rate of over 93% with only a 1% poisoning rate.