LG | May 9, 2022

ResSFL: A Resistance Transfer Framework for Defending Model Inversion Attack in Split Federated Learning

arXiv:2205.04007v1 | 88 citations | h-index: 47 | Has Code
Originality: Incremental advance
AI Analysis

The paper addresses privacy vulnerabilities in distributed machine learning for applications like healthcare or finance, though it is incremental as it builds on existing SFL defenses.

This work tackles Model Inversion attacks during training in Split Federated Learning by proposing ResSFL, which uses a resistant feature extractor to initialize client models, achieving a high reconstruction Mean-Square-Error of 0.050 compared to 0.005 for the baseline on CIFAR-100 with 67.5% accuracy and low overhead.

This work aims to tackle the Model Inversion (MI) attack on Split Federated Learning (SFL). SFL is a recent distributed training scheme where multiple clients send intermediate activations (i.e., feature maps), instead of raw data, to a central server. While such a scheme helps reduce the computational load at the client end, it opens itself to reconstruction of raw data from the intermediate activations by the server. Existing works on protecting SFL only consider inference and do not handle attacks during training. So we propose ResSFL, a Split Federated Learning framework that is designed to be MI-resistant during training. It is based on deriving a resistant feature extractor via attacker-aware training, and using this extractor to initialize the client-side model prior to standard SFL training. Such a method helps reduce both the computational complexity caused by using a strong inversion model in client-side adversarial training and the vulnerability to attacks launched in early training epochs. On the CIFAR-100 dataset, our proposed framework successfully mitigates the MI attack on a VGG-11 model with a high reconstruction Mean-Square-Error of 0.050 compared to 0.005 obtained by the baseline system. The framework achieves 67.5% accuracy (only a 1% accuracy drop) with very low computation overhead. Code is released at: https://github.com/zlijingtao/ResSFL.
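The abstract scores MI resistance by the reconstruction MSE that a server-side inverter reaches on client activations. The code below is an added example, not taken from the paper or its repository: it computes that metric for a least-squares linear inverter on constructed Gaussian data. The names `inversion_mse`, `make_clients` and `evaluate` and both linear client layers are hypothetical, and the narrow layer is only a stand-in for a resistant extractor, not ResSFL's attacker-aware training.

```python
import numpy as np


def inversion_mse(client_fn, x_aux, x_victim):
    """Reconstruction MSE a server-side inverter achieves against client_fn.

    The inverter is a linear decoder (with bias) fitted by least squares on
    auxiliary (activation, input) pairs, then applied to the activations of
    inputs it has never seen.
    """
    def with_bias(a):
        return np.hstack([a, np.ones((a.shape[0], 1))])

    decoder, *_ = np.linalg.lstsq(with_bias(client_fn(x_aux)), x_aux, rcond=None)
    recon = with_bias(client_fn(x_victim)) @ decoder
    return float(np.mean((recon - x_victim) ** 2))


def make_clients(dim=16, kept=2, seed=0):
    """Two hypothetical client-side layers (assumption, not the paper's models)."""
    rng = np.random.default_rng(seed)
    w_full = rng.normal(size=(dim, dim))     # activation as wide as the input
    w_narrow = rng.normal(size=(dim, kept))  # activation keeps `kept` directions
    return (lambda x: x @ w_full), (lambda x: x @ w_narrow)


def evaluate(seed=0, dim=16, kept=2):
    """Return (baseline MSE, narrow-layer MSE) on constructed data."""
    rng = np.random.default_rng(seed + 1)
    x_aux = rng.normal(size=(2000, dim))     # constructed: data the server holds
    x_victim = rng.normal(size=(500, dim))   # constructed: private client data
    baseline, narrow = make_clients(dim, kept, seed)
    return (inversion_mse(baseline, x_aux, x_victim),
            inversion_mse(narrow, x_aux, x_victim))


if __name__ == "__main__":
    base, narrow = evaluate()
    # An invertible layer leaks everything; a layer that discards directions
    # leaves the inverter with roughly (dim - kept) / dim of the input variance.
    print(f"baseline MSE {base:.2e}   narrow-layer MSE {narrow:.3f}")
```

The same harness can score any client-side model by passing its forward function as `client_fn`; a stronger (non-linear) inverter gives a tighter lower bound on leakage than the linear one used here.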
