On the Inference (In-)Security of Vertical Federated Learning: Efficient Auditing against Inference Tampering Attack
Chung-ju Huang, Ziqi Zhang, Yinggui Wang, Binghui Wang, Tao Wei, Leye Wang

TL;DR
This paper identifies vulnerabilities in vertical federated learning where malicious data parties can tamper with inference results, and proposes an auditing framework to detect such tampering with high accuracy without compromising privacy.
Contribution
It introduces VeFIT, a novel inference tampering attack, and VeFIA, an auditing framework that effectively detects malicious behavior in VFL without additional latency or privacy loss.
Findings
VeFIT reduces inference accuracy by 34.49% on average.
VeFIA detects over 99.99% of malicious inferences with high confidence.
The framework is scalable and preserves privacy in real-world datasets.
Abstract
Vertical Federated Learning (VFL) is an emerging distributed learning paradigm for cross-silo collaboration without accessing participants' data. However, existing VFL work lacks a mechanism to audit the inference correctness of the data party. A malicious data party can modify its local data and model to mislead the joint inference results. To exploit this vulnerability, we design a novel Vertical Federated Inference Tampering (VeFIT) attack, allowing the data party to covertly tamper with the local inference and mislead the task party's final prediction. VeFIT can decrease the task party's inference accuracy by an average of 34.49%. Existing defense mechanisms cannot effectively detect this attack; their detection performance is near random guessing. To mitigate the attack, we further design a Vertical Federated Inference Auditing (VeFIA) framework. VeFIA helps the…
