Split Learning (SL) has emerged as a practical and efficient alternative to traditional federated learning. While previous attempts to attack SL have often relied on overly strong assumptions or targeted easily exploitable models, we seek to develop more practical attacks. We introduce SDAR, a novel attack framework against SL with an honest-but-curious server. SDAR leverages auxiliary data and adversarial regularization to learn a decodable simulator of the client's private model, which can effectively infer the client's private features under the vanilla SL, and both features and labels under the U-shaped SL. We perform extensive experiments in both configurations to validate the effectiveness of our proposed attacks. Notably, in challenging but practical scenarios where existing passive attacks struggle to reconstruct the client's private data effectively, SDAR consistently achieves attack performance comparable to active attacks. On CIFAR-10, at the deep split level of 7, SDAR achieves private feature reconstruction with less than 0.025 mean squared error in both the vanilla and the U-shaped SL, and attains a label inference accuracy of over 98% in the U-shaped setting, while existing attacks fail to produce non-trivial results.