HealSplit: Towards Self-Healing through Adversarial Distillation in Split Federated Learning
Yuhan Xie, Chen Lyu

TL;DR
HealSplit introduces a comprehensive defense framework for Split Federated Learning, combining detection, recovery, and adversarial distillation to effectively counter sophisticated poisoning attacks.
Contribution
This work is the first to propose a unified, end-to-end defense specifically designed for SFL, integrating topology-aware detection and adversarial distillation techniques.
Findings
Outperforms ten state-of-the-art defenses in robustness.
Effectively detects and recovers from five types of poisoning attacks.
Demonstrates superior performance on four benchmark datasets.
Abstract
Split Federated Learning (SFL) is an emerging paradigm for privacy-preserving distributed learning. However, it remains vulnerable to sophisticated data poisoning attacks targeting local features, labels, smashed data, and model weights. Existing defenses, primarily adapted from traditional Federated Learning (FL), are less effective under SFL due to limited access to complete model updates. This paper presents HealSplit, the first unified defense framework tailored for SFL, offering end-to-end detection and recovery against five sophisticated types of poisoning attacks. HealSplit comprises three key components: (1) a topology-aware detection module that constructs graphs over smashed data to identify poisoned samples via topological anomaly scoring (TAS); (2) a generative recovery pipeline that synthesizes semantically consistent substitutes for detected anomalies, validated by a…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Privacy-Preserving Technologies in Data · Advanced Graph Neural Networks
