Privacy for Free: Spy Attack in Vertical Federated Learning by Both Active and Passive Parties

Abstract

Vertical federated learning (VFL) is an emerging paradigm well-suitable for commercial collaborations among companies. These companies share a common user base but possess distinct features. VFL enables the training of a shared global model with features from different parties while maintaining the confidentiality of raw data. Despite its potential, the VFL mechanism still lacks certified integrity, posing a notable threat of potential commercial deception or privacy infringement. In this study, we introduce a novel form of attack in which the attacker can participate in VFL by free-riding on the collaborative process while surreptitiously extracting users’ private data. This attack, reminiscent of corporate espionage tactics, is called the “spy attack”. Specifically, spy attacks allow a dishonest party without sufficient data to hitch a ride by inferring the missing user features through the shared information from other participants. We design two types of spy attacks tailored for scenarios where the attacker either takes an active or passive role. Evaluations with four real-world datasets demonstrate the effectiveness of our attacks, not only fulfilling the stipulated collaboration through hitchhiking, but also successfully stealing users’ privacy. Even when the missing rate reaches 90%, the spy attack continues to yield a test accuracy that surpasses the model trained with non-missing data and achieves reconstruction results approaching the theoretically highest quality. Furthermore, we meticulously discuss and evaluate up to seven possible defense strategies. The findings underscore the necessity for designing more effective and efficient defense strategies to counteract spy attacks.