- The paper proposes a prototype consistency framework paired with distribution-free conformal filtering to defend vertical split learning from embedding-space backdoor attacks.
- Experimental results demonstrate significantly lower attack success rates (ASR as low as 0.03 to 0.08) while maintaining high benign main accuracy across diverse datasets and architectures.
- The method is robust, scalable, and deployable in real-world settings, such as multi-institution medical analytics, preserving data privacy and preventing model subversion.
Prototype Consistency-Based Backdoor Defense for Vertical Split Learning: Summary of ProtoGuard-SL
Introduction
Vertical split learning (SL) offers a collaborative paradigm for learning from feature-distributed data without direct sharing of raw features between entities. However, the aggregation of confidential client embeddings on a central server introduces novel vulnerabilities, specifically to embedding-space backdoor attacks. These attacks exploit the split interface, allowing malicious clients to insert triggers via manipulated embeddings; these then subvert prediction for targeted samples without simple geometric separability. ProtoGuard-SL addresses the acute limitations of existing defenses (such as DP, MP, ANP, and VFLIP), which either sacrifice main accuracy (MA) or fail under adaptive attacks, by introducing a class-conditional, prototype-based consistency framework for robust defense.
Methodology
ProtoGuard-SL consists of two principal stages: prototype-based consistency representation and class-conditional, distribution-free conformal filtering.
Initially, the server, leveraging access to ground-truth labels, constructs robust prototypes for each class by taking the coordinate-wise median across received embeddings, ensuring robustness to a moderate contamination rate. Each embedding is then mapped into a prototype-consistency space by computing a vector of cosine similarities to all class prototypes. This relational transformation amplifies the semantic separability between benign and poisoned embeddings—poisoned samples that would overlap with benign samples in the original embedding space are projected into clearly distinct clusters in the new representation.



Figure 1: Visualization of embedding distributions under backdoor attacks before and after prototype-consistency transformation.
Next, to quantify embedding conformity, a class-conditional deviation score is computed: the L2 distance between the sample’s consistency vector and its class’s median relational pattern. An anomaly is flagged if its conformal p-value (based on rank statistics within its class) falls below a threshold α. This non-parametric mechanism sidesteps the need for explicit distributional assumptions and adapts naturally to intra-class variation, class imbalance, and changing participation dynamics.
Experimental Evaluation
ProtoGuard-SL is evaluated on three distinct datasets (CIFAR-10, SVHN, Bank Marketing) and under multiple state-of-the-art backdoor threats including ViLLAIN, BadVFL, and SplitNN attacks. Experimental settings employ realistic poisoning rates with both ResNet-18 and VGG-19 architectures, with rigorous comparative analysis against prominent defense baselines.
Strong empirical claims are substantiated:
Theoretical and Practical Implications
This method reframes embedding verification in vertical SL as an issue of preserving class-conditional semantic consistency, as opposed to naive geometric anomaly detection. This is theoretically appealing: triggers, by construction, disrupt relational structure even when geometric overlap is maintained. Practically, ProtoGuard-SL’s server-side-only protocol is readily deployable for real-world SL deployments (for instance, multi-institution medical analytics), delivering strong empirical robustness guarantees without sharing client-side model or data information. The use of coordinate-wise medians and rank-based conformal scores makes the approach resistant to moderate contamination and client heterogeneity.
Speculation on Future Directions
- Extending Prototype Consistency Frameworks: Future work may generalize prototype-consistency modeling to more complex, non-linear representation spaces or dynamic class ontologies.
- Adversarial Adaptivity: Systematic evaluation against actively adaptive adversaries—in which attackers attempt to mimic benign relational structures—could further probe the limits of conformal consistency filtering.
- Integration with Privacy Mechanisms: Combining ProtoGuard-SL with differential privacy or secure multiparty computation protocols could further enhance provable guarantees regarding information leakage and attack surface minimization.
- Automated Parameter Optimization: Adaptive or data-driven control of filtering threshold α and prototype construction strategies may yield further robustness-utility improvements.
Conclusion
ProtoGuard-SL represents a rigorous, empirically validated advance in the defense of vertical split learning against embedding-space backdoor attacks. By leveraging class-conditional prototype-consistency and distribution-free conformal filtering, it achieves state-of-the-art robustness with negligible compromise to benign utility. The approach is theoretically founded and practically scalable, holding promise for secure, privacy-preserving collaborative model training in institutional settings where feature-wise data remains partitioned.