Model Extraction Attacks on Split Federated Learning
Jingtao Li, Adnan Siraj Rakin, Xing Chen, Li Yang, Zhezhi He, Deliang Fan, Chaitali Chakrabarti

TL;DR
This paper reveals vulnerabilities in Split Federated Learning (SFL) that allow malicious clients to perform model extraction attacks by exploiting gradient information, demonstrating high success rates in extracting models.
Contribution
The paper introduces five novel model extraction attack variants targeting SFL and evaluates their effectiveness, exposing security weaknesses in SFL despite its design protections.
Findings
ME attacks achieve over 90% accuracy with minimal degradation
SFL remains vulnerable to gradient-based extraction attacks
Proposed attacks are effective under practical scenarios
Abstract
Federated Learning (FL) is a popular collaborative learning scheme involving multiple clients and a server. FL focuses on protecting clients' data but turns out to be highly vulnerable to Intellectual Property (IP) threats. Since FL periodically collects and distributes the model parameters, a free-rider can download the latest model and thus steal model IP. Split Federated Learning (SFL), a recent variant of FL that supports training with resource-constrained clients, splits the model into two, giving one part of the model to clients (client-side model), and the remaining part to the server (server-side model). Thus SFL prevents model leakage by design. Moreover, by blocking prediction queries, it can be made resistant to advanced IP threats such as traditional Model Extraction (ME) attacks. While SFL is better than FL in terms of providing IP protection, it is still vulnerable. In…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning
