Federated learning (FL) enables multiple parties to collaboratively train a machine learning model without sharing their data; rather, they train their own model locally and send updates to a central server for aggregation. Depending on how the data is distributed among the participants, FL can be classified into Horizontal (HFL) and Vertical (VFL). In VFL, the participants share the same set of training instances but only host a different and non-overlapping subset of the whole feature space. Whereas in HFL, each participant shares the same set of features while the training set is split into locally owned training data subsets. VFL is increasingly used in applications like financial fraud detection; nonetheless, very little work has analyzed its security. In this paper, we focus on robustness in VFL, in particular, on backdoor attacks, whereby an adversary attempts to manipulate the aggregate model during the training process to trigger misclassifications. Performing backdoor attacks in VFL is more challenging than in HFL, as the adversary i) does not have access to the labels during training and ii) cannot change the labels as she only has access to the feature embeddings. We present a first-of-its-kind clean-label backdoor attack in VFL, which consists of two phases: a label inference and a backdoor phase. We demonstrate the effectiveness of the attack on three different datasets, investigate the factors involved in its success, and discuss countermeasures to mitigate its impact.

翻译：联邦学习（FL）允许多个参与方在不共享数据的情况下协作训练机器学习模型；具体而言，各方本地训练自身模型，并将更新发送至中央服务器进行聚合。根据数据在参与方间的分布方式，FL可分为横向联邦学习（HFL）与纵向联邦学习（VFL）。在VFL中，参与方共享相同的训练实例集，但各自持有整体特征空间中不同且无重叠的子集；而在HFL中，各参与方共享相同的特征集，但训练集被分割为本地拥有的训练数据子集。尽管VFL在金融欺诈检测等应用中日益普及，但针对其安全性的分析工作仍极为匮乏。本文聚焦VFL的鲁棒性，特别是后门攻击——即攻击者试图在训练过程中操纵聚合模型以触发误分类。相较于HFL，在VFL中实施后门攻击更具挑战性，原因是攻击者：（一）在训练期间无法获取标签信息，（二）仅能访问特征嵌入而无法修改标签。我们首次提出一种针对VFL的干净标签后门攻击，该攻击包含两个阶段：标签推断阶段与后门植入阶段。我们在三个不同数据集上验证了该攻击的有效性，系统分析了影响攻击成功的关键因素，并讨论了缓解其影响的防御措施。