As a distributed collaborative machine learning paradigm, vertical federated learning (VFL) allows multiple passive parties with distinct features and one active party with labels to collaboratively train a model. Although it is known for its privacy-preserving capabilities, VFL still faces significant privacy and security threats from backdoor attacks. Existing backdoor attacks typically involve an attacker implanting a trigger into the model during the training phase and executing the attack by adding the trigger to samples during the inference phase. However, in this paper, we find that triggers are not essential for backdoor attacks in VFL. In light of this, we disclose a new backdoor attack pathway in VFL by introducing a feature-based triggerless backdoor attack. This attack operates under a more stringent security assumption, where the attacker is honest-but-curious rather than malicious during the training phase. It comprises three modules: label inference for the targeted backdoor attack, poison generation with amplification and perturbation mechanisms, and backdoor execution to implement the attack. Extensive experiments on five benchmark datasets demonstrate that our attack outperforms three baseline backdoor attacks by 2 to 50 times while minimally impacting the main task. Even in VFL scenarios with 32 passive parties and only one set of auxiliary data, our attack maintains high performance. Moreover, when confronted with distinct defense strategies, our attack remains largely unaffected and exhibits strong robustness. We hope that the disclosure of this triggerless backdoor attack pathway will encourage the community to revisit security threats in VFL scenarios and inspire researchers to develop more robust and practical defense strategies.