Feature Inference Attack on Model Predictions in Vertical Federated Learning
This work addresses privacy risks for organizations using vertical federated learning, but it is incremental as it builds on existing attack research in federated learning.
The paper tackles privacy leakage in vertical federated learning by proposing feature inference attack methods that exploit model predictions, demonstrating their effectiveness on various models including logistic regression, decision trees, neural networks, and random forests.
Federated learning (FL) is an emerging paradigm for facilitating multiple organizations' data collaboration without revealing their private data to each other. Recently, vertical FL, where the participating organizations hold the same set of samples but with disjoint features and only one organization owns the labels, has received increased attention. This paper presents several feature inference attack methods to investigate the potential privacy leakages in the model prediction stage of vertical FL. The attack methods consider the most stringent setting that the adversary controls only the trained vertical FL model and the model predictions, relying on no background information. We first propose two specific attacks on the logistic regression (LR) and decision tree (DT) models, according to individual prediction output. We further design a general attack method based on multiple prediction outputs accumulated by the adversary to handle complex models, such as neural networks (NN) and random forest (RF) models. Experimental evaluations demonstrate the effectiveness of the proposed attacks and highlight the need for designing private mechanisms to protect the prediction outputs in vertical FL.