SplitOut: Out-of-the-Box Training-Hijacking Detection in Split Learning via Outlier Detection (2302.08618v3)
Abstract: Split learning enables efficient and privacy-aware training of a deep neural network by splitting the network so that the clients (data holders) compute the first layers and share only the intermediate output with the central, compute-heavy server. This paradigm introduces a new attack medium in which the server has full control over what the client models learn, which has already been exploited to infer the private data of clients and to implant backdoors in the client models. Although previous work has shown that clients can successfully detect such training-hijacking attacks, the proposed methods rely on heuristics, require tuning of many hyperparameters, and do not fully utilize the clients' capabilities. In this work, we show that, given modest assumptions regarding the clients' compute capabilities, an out-of-the-box outlier detection method can be used to detect existing training-hijacking attacks with almost-zero false positive rates. We conclude through experiments on different tasks that the simplicity of our approach, which we name SplitOut, makes it a more viable and reliable alternative compared to the earlier detection methods.
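The abstract states the idea only at a high level: a client that can afford a little extra computation runs an off-the-shelf outlier detector over what the server sends back and flags training hijacking as outliers. The script below is an added illustration of that idea, not code from the SplitOut paper or its authors. It assumes (the abstract does not say) that the client builds a reference set of cut-layer gradients from a small model it trains itself, and that the detector is the local outlier factor (LOF) in novelty mode; the gradient vectors are constructed synthetically so the script runs offline, and the `LOFDetector`, `synth_gradients` and `run_demo` names are mine.

```python
"""Added illustration, not the SplitOut paper's code: a split-learning client
scores the gradients it receives from the server with an off-the-shelf outlier
detector (local outlier factor, LOF) fitted on gradients it produced itself.

Assumed, not stated in the abstract: the client's reference gradients come
from a small local model it can afford to train, and the detector is LOF in
novelty mode. All gradient vectors here are constructed synthetically.
"""
import math
import random
from typing import List, Sequence, Tuple

Vec = Tuple[float, ...]


def _dist(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class LOFDetector:
    """Minimal local outlier factor in novelty mode: fit on reference vectors,
    then score unseen vectors against that reference set (score ~1 means
    'as dense as its neighbours', much larger means 'isolated')."""

    def __init__(self, k: int = 10, threshold: float = 1.5) -> None:
        self.k = k
        self.threshold = threshold
        self.ref: List[Vec] = []
        self._kdist: List[float] = []  # k-distance of each reference point
        self._lrd: List[float] = []    # local reachability density of each

    def _neighbours(self, p: Sequence[float], exclude: int = -1) -> Tuple[float, List[int]]:
        # k nearest reference points (skipping p's own index when p is a reference point)
        dists = sorted((_dist(p, q), j) for j, q in enumerate(self.ref) if j != exclude)
        nn = dists[: self.k]
        return nn[-1][0], [j for _, j in nn]

    def _lrd_of(self, p: Sequence[float], nbrs: List[int]) -> float:
        # reachability distance = max(k-distance(o), d(p, o)); it damps fluctuation
        # for points sitting inside dense regions
        total = sum(max(self._kdist[j], _dist(p, self.ref[j])) for j in nbrs)
        return len(nbrs) / total if total > 0 else math.inf

    def fit(self, reference: Sequence[Sequence[float]]) -> "LOFDetector":
        self.ref = [tuple(v) for v in reference]
        if len(self.ref) <= self.k:
            raise ValueError("need more than k reference vectors")
        nbr_lists: List[List[int]] = []
        self._kdist = []
        for i, p in enumerate(self.ref):
            kd, nn = self._neighbours(p, exclude=i)
            self._kdist.append(kd)
            nbr_lists.append(nn)
        self._lrd = [self._lrd_of(p, nn) for p, nn in zip(self.ref, nbr_lists)]
        return self

    def score(self, p: Sequence[float]) -> float:
        """LOF of an unseen vector: mean neighbour density over its own density."""
        _, nbrs = self._neighbours(p)
        lrd_p = self._lrd_of(p, nbrs)
        if math.isinf(lrd_p):
            return 0.0  # p coincides with a dense cluster: clearly not an outlier
        return sum(self._lrd[j] for j in nbrs) / len(nbrs) / lrd_p

    def is_outlier(self, p: Sequence[float]) -> bool:
        return self.score(p) > self.threshold


def synth_gradients(rng: random.Random, n: int, dim: int, shift: float, sigma: float = 0.1) -> List[Vec]:
    # constructed stand-in for cut-layer gradients: Gaussian noise around a mean
    return [tuple(shift + rng.gauss(0.0, sigma) for _ in range(dim)) for _ in range(n)]


def run_demo(seed: int = 0, dim: int = 8) -> dict:
    rng = random.Random(seed)
    # gradients the client computed with its own local model: the 'normal' reference set
    reference = synth_gradients(rng, 200, dim, shift=0.0)
    detector = LOFDetector(k=10, threshold=1.5).fit(reference)

    honest = synth_gradients(rng, 20, dim, shift=0.0)    # server optimises the agreed task
    hijacked = synth_gradients(rng, 20, dim, shift=1.0)  # server pushes a different objective
    return {
        "honest_flagged": sum(detector.is_outlier(g) for g in honest),
        "hijacked_flagged": sum(detector.is_outlier(g) for g in hijacked),
        "honest_mean_score": sum(detector.score(g) for g in honest) / len(honest),
        "hijacked_min_score": min(detector.score(g) for g in hijacked),
    }


if __name__ == "__main__":
    print(run_demo())
```

The design point the abstract makes is visible in the numbers `run_demo()` returns: the detector has a single interpretable parameter (`k`) plus a threshold near 1, the honest gradients score close to 1 and are almost never flagged, and gradients driven by a different objective land far from every reference point and score many times higher. Anything more elaborate than this (hand-crafted statistics, per-task tuning) is what the paper argues is unnecessary once the client can afford a small reference model.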