Dullahan: Stealthy Backdoor Attack against Without-Label-Sharing Split Learning

TL;DR

This paper introduces SBAT, a stealthy backdoor attack targeting split learning without label sharing, revealing security vulnerabilities by injecting triggers post-training without altering model parameters.

Contribution

The paper presents a novel backdoor attack method (SBAT) for split learning that is highly stealthy and effective, especially in scenarios with unknown client architectures.

Findings

SBAT successfully injects backdoors without modifying training data or gradients.

The attack remains undetectable during training, increasing security risks.

SBAT demonstrates effectiveness across different split learning scenarios.

Abstract

As a novel privacy-preserving paradigm aimed at reducing client computational costs and achieving data utility, split learning has garnered extensive attention and proliferated widespread applications across various fields, including smart health and smart transportation, among others. While recent studies have primarily concentrated on addressing privacy leakage concerns in split learning, such as inference attacks and data reconstruction, the exploration of security issues (e.g., backdoor attacks) within the framework of split learning has been comparatively limited. Nonetheless, the security vulnerability within the context of split learning is highly posing a threat and can give rise to grave security implications, such as the illegal impersonation in the face recognition model. Therefore, in this paper, we propose a stealthy backdoor attack strategy (namely SBAT) tailored to the without-label-sharing split learning architecture, which unveils the inherent security vulnerability of split learning. We posit the existence of a potential attacker on the server side aiming to introduce a backdoor into the training model, while exploring two scenarios: one with known client network architecture and the other with unknown architecture. Diverging from traditional backdoor attack methods that manipulate the training data and labels, we constructively conduct the backdoor attack by injecting the trigger embedding into the server network. Specifically, our SBAT achieves a higher level of attack stealthiness by refraining from modifying any intermediate parameters (e.g., gradients) during training and instead executing all malicious operations post-training.