Is the Trigger Essential? A Feature-Based Triggerless Backdoor Attack in Vertical Federated Learning

TL;DR

This paper introduces a novel feature-based triggerless backdoor attack in vertical federated learning, revealing a new security vulnerability that outperforms existing methods and remains robust against defenses.

Contribution

The paper proposes a new triggerless backdoor attack in VFL that operates under honest-but-curious assumptions, expanding understanding of security threats in federated learning.

Findings

Outperforms baseline attacks by 2 to 50 times

Maintains high attack success with minimal impact on main task

Remains effective against various defense strategies

Abstract

As a distributed collaborative machine learning paradigm, vertical federated learning (VFL) allows multiple passive parties with distinct features and one active party with labels to collaboratively train a model. Although it is known for the privacy-preserving capabilities, VFL still faces significant privacy and security threats from backdoor attacks. Existing backdoor attacks typically involve an attacker implanting a trigger into the model during the training phase and executing the attack by adding the trigger to the samples during the inference phase. However, in this paper, we find that triggers are not essential for backdoor attacks in VFL. In light of this, we disclose a new backdoor attack pathway in VFL by introducing a feature-based triggerless backdoor attack. This attack operates under a more stringent security assumption, where the attacker is honest-but-curious rather than malicious during the training phase. It comprises three modules: label inference for the targeted backdoor attack, poison generation with amplification and perturbation mechanisms, and backdoor execution to implement the attack. Extensive experiments on five benchmark datasets demonstrate that our attack outperforms three baseline backdoor attacks by 2 to 50 times while minimally impacting the main task. Even in VFL scenarios with 32 passive parties and only one set of auxiliary data, our attack maintains high performance. Moreover, when confronted with distinct defense strategies, our attack remains largely unaffected and exhibits strong robustness. We hope that the disclosure of this triggerless backdoor attack pathway will encourage the community to revisit security threats in VFL scenarios and inspire researchers to develop more robust and practical defense strategies.