CRAI, Jan 11, 2022

Feature Space Hijacking Attacks against Differentially Private Split Learning

arXiv:2201.04018v2, 28 citations
AI Analysis

This work highlights a critical security flaw in privacy-preserving machine learning for distributed data, though it is incremental as it applies an existing attack to a new setting.

The paper tackles the vulnerability of differentially private split learning to feature space hijacking attacks, showing that private data can be reconstructed with low error rates even at arbitrary differential privacy epsilon levels.

Split learning and differential privacy are technologies with growing potential to help with privacy-compliant advanced analytics on distributed datasets. Attacks against split learning are an important evaluation tool and have been receiving increased research attention recently. This work's contribution is applying a recent feature space hijacking attack (FSHA) to the learning process of a split neural network enhanced with differential privacy (DP), using a client-side off-the-shelf DP optimizer. The FSHA attack reconstructs the client's private data with low error rates at arbitrarily set DP epsilon levels. We also experiment with dimensionality reduction as a potential attack risk mitigation and show that it might help to some extent. We discuss the reasons why differential privacy is not an effective protection in this setting and mention other potential risk mitigation methods.
