SecureSplit: Mitigating Backdoor Attacks in Split Learning
Zhihao Dou, Dongfei Cui, Weida Wang, Anjun Gao, Yueyang Quan, Mengyao Ma, Viet Vo, Guangdong Bai, Zhuqing Liu, Minghong Fang

TL;DR
SecureSplit is a defense for split learning that detects and removes backdoored client embeddings before they reach the server-side model, improving the trained model's robustness to backdoor attacks without giving up the privacy properties of split learning.
Contribution
We propose SecureSplit, a dimensionality transformation and adaptive filtering method that effectively mitigates backdoor attacks in split learning environments.
Findings
SecureSplit outperforms existing defenses on the four evaluated datasets (CIFAR-10, MNIST, CINIC-10 and ImageNette).
It effectively detects and removes poisoned embeddings.
The method maintains high model accuracy with minimal false positives.
Abstract
Split Learning (SL) is a collaborative training framework that respects data privacy: participants train on the same set of samples while each holds a distinct subset of the features, and only intermediate embeddings, not raw data, are exchanged. However, SL is susceptible to backdoor attacks, in which malicious clients subtly alter the embeddings they send in order to insert hidden triggers that compromise the final trained model. To address this vulnerability, we introduce SecureSplit, a defense mechanism tailored to SL. SecureSplit applies a dimensionality transformation strategy that accentuates the subtle differences between benign and poisoned embeddings, making them easier to separate. Building on this enhanced distinction, we develop an adaptive filtering approach that uses a majority-based voting scheme to remove contaminated embeddings while preserving clean ones. Rigorous experiments across four datasets (CIFAR-10, MNIST, CINIC-10, and ImageNette), five backdoor…
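The abstract describes a two-step server-side filter: a transformation that widens the gap between benign and poisoned embeddings, then a majority vote that decides which embeddings to drop. The block below is an added illustration of that general idea, not SecureSplit's code or its actual transformation and vote, which the page does not specify. It assumes one concrete instantiation: the transformation is a projection onto the dominant principal direction of the batch (a trigger shared by a block of samples creates an excess-variance direction), and the vote is taken across several rounds that each refit the projection and a robust scale on a random subset of the batch. The batch itself is constructed inline (benign rows drawn from a standard normal, poisoned rows given an additive trigger on a few coordinates); the function names and parameters are the example's own.

```python
"""Illustrative embedding filter for a split-learning server (added example,
not the paper's method). Pure Python, no third-party packages."""
import random
import statistics


def _top_direction(rows, iters=60):
    """Unit vector along the largest-variance direction of `rows`, found by
    power iteration on the sample covariance. This is the illustrative
    'dimensionality transformation': a consistent trigger shift shared by a
    block of samples inflates variance along one direction."""
    n, d = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(d)]
    centered = [[r[j] - means[j] for j in range(d)] for r in rows]
    cov = [[0.0] * d for _ in range(d)]
    for r in centered:
        for i in range(d):
            for j in range(d):
                cov[i][j] += r[i] * r[j]
    cov = [[c / (n - 1) for c in row] for row in cov]
    v = [1.0 / d ** 0.5] * d
    for _ in range(iters):
        w = [sum(cov[i][j] * v[j] for j in range(d)) for i in range(d)]
        norm = sum(x * x for x in w) ** 0.5
        v = [x / norm for x in w]
    return v


def _robust_abs_z(values, fit_subset):
    """|z| of every value, with median and MAD estimated on fit_subset only,
    so a minority of far-out rows barely moves the centre and scale."""
    med = statistics.median(fit_subset)
    mad = statistics.median(abs(x - med) for x in fit_subset)
    scale = 1.4826 * mad if mad > 0 else 1e-12
    return [abs(x - med) / scale for x in values]


def vote_filter(embeddings, rounds=9, subsample=0.6, tau=4.0, seed=0):
    """Return (kept_idx, dropped_idx, votes). Each round fits the direction and
    the robust scale on a random subset, scores every row, and flags rows with
    |z| > tau. A row is dropped only if flagged in a strict majority of rounds
    (the illustrative 'majority-based vote'); a single unlucky fit cannot
    remove a benign row on its own."""
    rng = random.Random(seed)
    n = len(embeddings)
    votes = [0] * n
    m = max(2, int(subsample * n))
    for _ in range(rounds):
        fit_idx = rng.sample(range(n), m)
        direction = _top_direction([embeddings[i] for i in fit_idx])
        proj = [sum(a * b for a, b in zip(row, direction)) for row in embeddings]
        for i, z in enumerate(_robust_abs_z(proj, [proj[i] for i in fit_idx])):
            if z > tau:
                votes[i] += 1
    dropped = [i for i in range(n) if votes[i] * 2 > rounds]
    kept = [i for i in range(n) if votes[i] * 2 <= rounds]
    return kept, dropped, votes


def make_batch(n_benign=200, n_poison=20, dim=16, trigger_dims=(2, 5, 9, 13),
               trigger_shift=5.0, seed=1):
    """Constructed batch: benign rows ~ N(0, I); poisoned rows carry a constant
    additive trigger on a few coordinates, as a malicious client might plant.
    The ground-truth labels are returned for evaluation only."""
    rng = random.Random(seed)
    rows, labels = [], []
    for k in range(n_benign + n_poison):
        row = [rng.gauss(0.0, 1.0) for _ in range(dim)]
        poisoned = k >= n_benign
        if poisoned:
            for j in trigger_dims:
                row[j] += trigger_shift
        rows.append(row)
        labels.append(poisoned)
    order = list(range(len(rows)))
    rng.shuffle(order)  # position must carry no signal
    return [rows[i] for i in order], [labels[i] for i in order]


def evaluate(seed=1):
    """Run the filter on a constructed batch and count hits and misses."""
    rows, is_poison = make_batch(seed=seed)
    kept, dropped, _ = vote_filter(rows)
    tp = sum(1 for i in dropped if is_poison[i])
    return {"kept": len(kept), "dropped": len(dropped), "true_positives": tp,
            "false_positives": len(dropped) - tp,
            "missed": sum(1 for i in kept if is_poison[i])}


if __name__ == "__main__":
    print(evaluate())
```

The threshold `tau` and the subsample fraction are the knobs a practitioner would tune: a lower `tau` catches weaker triggers at the cost of benign rows, and the vote across refits is what keeps that cost from compounding. A trigger that is spread thinly across many coordinates, or planted in only a handful of samples, produces much less excess variance and will not stand out under this particular transformation, which is why the choice of transformation, not the vote, carries most of the detection power.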
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Privacy-Preserving Technologies in Data · Domain Adaptation and Few-Shot Learning
