A novel form of inference attack in vertical federated learning (VFL) is proposed, where two parties collaborate in training a machine learning (ML) model. Logistic regression is considered for the VFL model. One party, referred to as the active party, possesses the ground truth labels of the samples in the training phase, while the other, referred to as the passive party, only shares a separate set of features corresponding to these samples. It is shown that the active party can carry out inference attacks on both training and prediction phase samples by acquiring an ML model independently trained on the training samples available to them. This type of inference attack does not require the active party to be aware of the score of a specific sample, hence it is referred to as an agnostic inference attack. It is shown that utilizing the observed confidence scores during the prediction phase, before the time of the attack, can improve the performance of the active party's autonomous ML model, and thus improve the quality of the agnostic inference attack. As a countermeasure, privacy-preserving schemes (PPSs) are proposed. While the proposed schemes preserve the utility of the VFL model, they systematically distort the VFL parameters corresponding to the passive party's features. The level of the distortion imposed on the passive party's parameters is adjustable, giving rise to a trade-off between privacy of the passive party and interpretabiliy of the VFL outcomes by the active party. The distortion level of the passive party's parameters could be chosen carefully according to the privacy and interpretabiliy concerns of the passive and active parties, respectively, with the hope of keeping both parties (partially) satisfied. Finally, experimental results demonstrate the effectiveness of the proposed attack and the PPSs.

翻译：提出了一种在垂直联邦学习（VFL）中新型的推断攻击形式，其中两方协作训练机器学习（ML）模型。针对VFL模型采用逻辑回归方法。一方称为主动方，在训练阶段拥有样本的真实标签；另一方称为被动方，仅共享与这些样本对应的另一组特征。研究表明，主动方可通过获取基于其可用训练样本独立训练的ML模型，对训练阶段和预测阶段的样本实施推断攻击。这种推断攻击无需主动方知晓特定样本的置信度分数，故称为不可知推断攻击。研究表明，在攻击发生前利用预测阶段观察到的置信度分数，可提升主动方自主ML模型的性能，进而增强不可知推断攻击的效果。作为应对措施，提出了隐私保护方案（PPSs）。所提方案在维持VFL模型效用的前提下，系统性地扭曲与被动方特征对应的VFL参数。对被动方参数的扭曲程度可调，从而在被动方隐私与主动方对VFL结果的可解释性之间形成权衡。可根据被动方与主动方对隐私及可解释性的关切程度，审慎选择被动方参数的扭曲水平，以期（部分）满足双方需求。最后，实验验证了所提攻击及PPSs的有效性。