A novel form of inference attack in vertical federated learning (VFL) is proposed, where two parties collaborate in training a machine learning (ML) model. Logistic regression is considered for the VFL model. One party, referred to as the active party, possesses the ground-truth labels of the samples in the training phase, while the other, referred to as the passive party, only shares a separate set of features corresponding to these samples. It is shown that the active party can carry out inference attacks on both training-phase and prediction-phase samples by acquiring an ML model trained independently on the training samples available to it. This type of inference attack does not require the active party to know the score of a specific sample, hence it is referred to as an agnostic inference attack. It is also shown that utilizing the confidence scores observed during the prediction phase, before the time of the attack, can improve the performance of the active party's autonomous model, and thus improve the quality of the agnostic inference attack. As a countermeasure, privacy-preserving schemes (PPSs) are proposed. While the proposed schemes preserve the utility of the VFL model, they systematically distort the VFL parameters corresponding to the passive party's features. The level of distortion imposed on the passive party's parameters is adjustable, giving rise to a trade-off between the privacy of the passive party and the interpretability of the VFL outcomes by the active party. The distortion level of the passive party's parameters can be chosen carefully according to the privacy and interpretability concerns of the passive and active parties, respectively, with the aim of keeping both parties (at least partially) satisfied. Finally, experimental results demonstrate the effectiveness of the proposed attack and the PPSs.
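The risk the abstract describes rests on one quantity: how closely a model the active party trains on its own features and labels alone reproduces the confidence scores of the joint VFL logistic-regression model. The following added example (written for this page; it is not code from the paper and does not reproduce the paper's attack or its PPSs) simulates the two-party setting on constructed synthetic data and reports that score gap as an exposure measure a passive party or auditor could compute before agreeing to share features. It assumes the simplification that the VFL logistic-regression outcome equals a logistic regression trained on the concatenated feature blocks; the weight vectors, sample counts and the `exposure_report` function are all choices made for this example.

```python
import math
import random


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def make_data(rng, n, w_active, w_passive):
    """Constructed synthetic VFL data (not from the paper): each sample has an
    active-party feature block, a passive-party feature block, and a label
    drawn from a logistic model over both blocks. Returns (X_active, X_passive, y)."""
    xa, xp, y = [], [], []
    for _ in range(n):
        a = [rng.gauss(0, 1) for _ in w_active]
        p = [rng.gauss(0, 1) for _ in w_passive]
        logit = sum(wi * xi for wi, xi in zip(w_active, a)) + \
                sum(wi * xi for wi, xi in zip(w_passive, p))
        xa.append(a)
        xp.append(p)
        y.append(1 if rng.random() < sigmoid(logit) else 0)
    return xa, xp, y


def train_logreg(X, y, steps=300, lr=0.1):
    """Plain full-batch gradient descent on mean log-loss; returns (weights, bias)."""
    n, d = len(X), len(X[0])
    w, b = [0.0] * d, 0.0
    for _ in range(steps):
        gw, gb = [0.0] * d, 0.0
        for x, yi in zip(X, y):
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - yi
            for j in range(d):
                gw[j] += err * x[j]
            gb += err
        w = [wj - lr * gj / n for wj, gj in zip(w, gw)]
        b -= lr * gb / n
    return w, b


def predict(model, X):
    """Confidence score P(y=1 | x) for each row of X."""
    w, b = model
    return [sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) for x in X]


def accuracy(scores, labels):
    return sum((s > 0.5) == (yi == 1) for s, yi in zip(scores, labels)) / len(labels)


def exposure_report(w_active, w_passive, seed=0, n_train=400, n_test=400):
    """Exposure measure (this example's own definition): compare the joint VFL
    model's prediction-phase scores with those of a model the active party can
    train on its own feature block and labels, with no passive-party input."""
    rng = random.Random(seed)
    xa, xp, y = make_data(rng, n_train, w_active, w_passive)        # training phase
    xa_t, xp_t, y_t = make_data(rng, n_test, w_active, w_passive)   # prediction phase
    joint = [a + p for a, p in zip(xa, xp)]
    joint_t = [a + p for a, p in zip(xa_t, xp_t)]
    vfl = train_logreg(joint, y)      # simplification: joint LR stands in for the VFL model
    solo = train_logreg(xa, y)        # what the active party can build on its own
    s_vfl, s_solo = predict(vfl, joint_t), predict(solo, xa_t)
    return {
        "vfl_acc": accuracy(s_vfl, y_t),
        "active_only_acc": accuracy(s_solo, y_t),
        "mean_abs_score_gap": sum(abs(u - v) for u, v in zip(s_vfl, s_solo)) / n_test,
        "label_agreement": sum((u > 0.5) == (v > 0.5) for u, v in zip(s_vfl, s_solo)) / n_test,
    }


if __name__ == "__main__":
    # Constructed scenarios: signal concentrated in the active party's block vs. the passive party's block.
    for name, wa, wp in [("active-heavy", [2.0, -1.5], [0.3, 0.2]),
                         ("passive-heavy", [0.3, 0.2], [2.0, -1.5])]:
        print(name, exposure_report(wa, wp))
```

A small `mean_abs_score_gap` means the active party's standalone model already tracks the VFL scores closely, which is the condition under which an agnostic attack of the kind the abstract describes needs little beyond the active party's own data; a large gap, as in the passive-heavy scenario, means the passive party's features carry information the active party cannot reproduce alone, which is also exactly what makes that party's parameters worth protecting with the kind of adjustable distortion the abstract proposes.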