VFLAIR-LLM: Privacy-Preserving Split LLM
- VFLAIR-LLM is a split learning framework for LLMs that partitions models via Head–Tail and Head–Body–Tail schemes to balance privacy, computation, and communication.
- It benchmarks diverse NLP tasks across 18 datasets, systematically evaluating the trade-offs between task performance and privacy leakage.
- The framework integrates advanced attack and defense modules that mitigate inversion and label inference risks while maintaining strong performance.
VFLAIR-LLM is an extensible and lightweight split learning framework for LLMs that enables privacy-preserving LLM inference and fine-tuning in resource-constrained environments. Developed to address data privacy concerns and the computational demands of private LLM deployments, VFLAIR-LLM provides two core model partition strategies, supports a broad array of benchmarks, and includes comprehensive modules for simulating and countering information leakage attacks. Its codebase and pre-configured benchmarks are available at https://github.com/FLAIR-THU/VFLAIR-LLM, facilitating real-world adoption and reproducible evaluation (Gu et al., 5 Aug 2025).
1. Model Partitioning Schemes in VFLAIR-LLM
VFLAIR-LLM formalizes two principal approaches to partitioning pretrained LLMs with transformer layers for split learning: Head–Tail (HT) and Head–Body–Tail (HBT). These allow flexible trade-offs between privacy, communication, and computational overhead.
Head–Tail (HT) Split
The model is divided into:
- Data Party (Client): (embedding + first layers)
- Model Party (Server): (remaining layers + output head)
Data flow:
- Forward: ,
- Backward: ; used to update via backpropagation
Resource metrics per sample:
- Client compute: 0
- Communication: 1
Head–Body–Tail (HBT) Split
Here, the model is divided into:
- Data Party (Client): 2 (first 3 layers) and 4 (last 5 layers)
- Model Party (Server): 6 (middle 7 layers; 8)
Data flow:
- Forward: 9; 0; 1
- Backward: 2 updates 3 and 4, backward 5 updates 6
Resource metrics:
- Client compute: 7
- Communication: 8 (client→server) and 9 (server→client) per sample
Compute–Communication–Privacy Trade-offs
Client compute 0 increases linearly with added head layers. Communication cost 1. Privacy leakage—measured by attack performance (AP)—decreases empirically as 2 increases, but this incurs higher local compute and communication [(Gu et al., 5 Aug 2025), Figure 1].
2. Task and Dataset Scope
VFLAIR-LLM benchmarks three major NLP task categories across 18 datasets, ensuring coverage of both practical and adversarially-relevant scenarios:
| Task Type | Datasets (examples) | Primary Metrics |
|---|---|---|
| Classification/Regression | SST-2, CoLA, MRPC, MNLI, QNLI, RTE, Yelp, STS-B | Accuracy, Pearson’s 3 |
| Span QA | SQuAD v1.1 | EM, F1 |
| Generation/CausalLM/QA | Lambada, Alpaca, Dolly, CodeAlpaca, MATH, GSM8K, TextVQA | Rouge, CodeBLEU |
These datasets represent a diverse spectrum, including discrete-label and sequence-level outputs, as well as specialty domains (code, math, vision-language) [(Gu et al., 5 Aug 2025), Table 3]. The inclusion facilitates comprehensive assessment of privacy–utility trade-offs in practical and high-risk adaptation settings.
3. Attack and Defense Framework
VFLAIR-LLM implements standard modules for five adversarial attacks and nine defense mechanisms, encompassing both perturbation- and learning-based approaches.
Attack Methods
- Model Inversion Attacks (MIA): Aim to reconstruct 4 from 5.
- VMI (Vanilla Model Inversion): 6
- RMI: continuous relaxation and regularization, 7
- BiSR: two-phase, semi-white-box, achieves highest empirical AP
- Attack Performance (AP): recall/exact match rate of reconstructed tokens
- Label Inference Attacks (LIA): Aim to infer 8 from 9
- BLI (Batch-level Label Inversion): gradient-statistics to label inversion
- NS (Norm Scoring): infer 0 by thresholding 1
Defense Strategies
- Perturbation-Based (6): Differential Privacy (DP), Sparsification (SP), token-level MLDP (SanText, CusText, RanText), Split-N-Denoise (SnD)
- Hyperparameters: 2 for DP/MLDP (3–4); 5 for SP (6–7\%)
- Learning-Based (3):
4. Empirical Benchmarks and Insights
Benchmarking combines main task performance (MP: accuracy, Rouge, CodeBLEU, EM, etc.), inversion/attack performance (AP), and composite defense capability scores (DCS).
Fine-Tuning Regimes
- Full-Vanilla, Full-LoRA, Local-Vanilla, Local-LoRA are evaluated
- Full-LoRA halves training epochs on SST-2 (BERT) for matched accuracy and gives 5 compute reduction on GPT-2/Mistral with only 6\% MP drop
- Local tuning benefits from HBT as it allows more trainable parameters client-side
Defense Efficacy
- Without defense, BiSR AP 7 0.30 (SST-2), 0.15 (Alpaca), 0.12 (GSM8K)
- Perturbation methods reduce both utility (MP) and information leakage (AP) with stronger noise
- Learning-based defenses (MID, AT) consistently achieve best privacy–utility trade-off: MID yields lowest AP for 8; AT is close
- On SQuAD v1.1, MID achieves composite C-DCS 9 (SST-2), 0 (CoLA); AT achieves 1; DP or SP require 2 or 3 to approach, but with 4 MP loss
Partitioning and Privacy
- Increasing 5 (6): reduces AP by 7 at 8 MP loss, but increases local computation proportionally
- Learning-based MID/AT atop LoRA fine-tuning provides optimal privacy–utility; recommended: MID 9, AT 0, 1
5. Best Practices and Deployment Recommendations
- Partitioning: HT is straightforward; HBT preferred if the server must not access ground-truth labels or outputs
- Layer assignment: 2 (about 3 of model) gives a robust privacy–utility compromise
- Defenses: MID or AT on LoRA-finetuned splits optimally balances MP and AP; DP/SP are viable for lightweight protection with careful tuning, but significant MP decrease occurs for strong privacy settings
- Resource management: Reduce 4 or use Local tuning if client GPU memory is critical; batch size 5, LoRA LR 6, early stopping is recommended
- Operational mode: Standalone mode is preferred for research (e.g., Alpaca on Llama3-8B: 7 tokens/s standalone vs. 8 tokens/s distributed)
6. Scope, Limitations, and Reproducibility
VFLAIR-LLM is designed for flexible, privacy-conscious LLM deployment under real-world resource and threat constraints. Benchmarks and code are publicly available, supporting customization for model splits, attacks, defenses, and hyperparameter sweeps. The platform’s task, dataset, and threat coverage enable rigorous experimental comparisons across the privacy–efficiency spectrum (Gu et al., 5 Aug 2025). The framework does not extend to scenarios outside the split learning paradigm, nor to privacy threats not captured by inversion or label inference attacks as modeled in the included modules. A plausible implication is that privacy guarantees are tightly coupled to the implemented attack/defense taxonomy.
For implementation and experiment recipes, practitioners are referred to the open-source codebase.