Papers
Topics
Authors
Recent
Search
2000 character limit reached

VFLAIR-LLM: Privacy-Preserving Split LLM

Updated 3 July 2026
  • VFLAIR-LLM is a split learning framework for LLMs that partitions models via Head–Tail and Head–Body–Tail schemes to balance privacy, computation, and communication.
  • It benchmarks diverse NLP tasks across 18 datasets, systematically evaluating the trade-offs between task performance and privacy leakage.
  • The framework integrates advanced attack and defense modules that mitigate inversion and label inference risks while maintaining strong performance.

VFLAIR-LLM is an extensible and lightweight split learning framework for LLMs that enables privacy-preserving LLM inference and fine-tuning in resource-constrained environments. Developed to address data privacy concerns and the computational demands of private LLM deployments, VFLAIR-LLM provides two core model partition strategies, supports a broad array of benchmarks, and includes comprehensive modules for simulating and countering information leakage attacks. Its codebase and pre-configured benchmarks are available at https://github.com/FLAIR-THU/VFLAIR-LLM, facilitating real-world adoption and reproducible evaluation (Gu et al., 5 Aug 2025).

1. Model Partitioning Schemes in VFLAIR-LLM

VFLAIR-LLM formalizes two principal approaches to partitioning pretrained LLMs with nn transformer layers for split learning: Head–Tail (HT) and Head–Body–Tail (HBT). These allow flexible trade-offs between privacy, communication, and computational overhead.

Head–Tail (HT) Split

The model is divided into:

  • Data Party (Client): MheadM_{\text{head}} (embedding + first nheadn_\text{head} layers)
  • Model Party (Server): MtailM_{\text{tail}} (remaining ntail=nnheadn_\text{tail} = n - n_\text{head} layers + output head)

Data flow:

  • Forward: H1=Mhead(X)H_1 = M_{\text{head}}(X), Y^=Mtail(H1)\hat{Y} = M_{\text{tail}}(H_1)
  • Backward: G1=L/H1G_1 = \partial L/\partial H_1; G1G_1 used to update MheadM_{\text{head}} via backpropagation

Resource metrics per sample:

  • Client compute: MheadM_{\text{head}}0
  • Communication: MheadM_{\text{head}}1

Head–Body–Tail (HBT) Split

Here, the model is divided into:

  • Data Party (Client): MheadM_{\text{head}}2 (first MheadM_{\text{head}}3 layers) and MheadM_{\text{head}}4 (last MheadM_{\text{head}}5 layers)
  • Model Party (Server): MheadM_{\text{head}}6 (middle MheadM_{\text{head}}7 layers; MheadM_{\text{head}}8)

Data flow:

  • Forward: MheadM_{\text{head}}9; nheadn_\text{head}0; nheadn_\text{head}1
  • Backward: nheadn_\text{head}2 updates nheadn_\text{head}3 and nheadn_\text{head}4, backward nheadn_\text{head}5 updates nheadn_\text{head}6

Resource metrics:

  • Client compute: nheadn_\text{head}7
  • Communication: nheadn_\text{head}8 (client→server) and nheadn_\text{head}9 (server→client) per sample

Compute–Communication–Privacy Trade-offs

Client compute MtailM_{\text{tail}}0 increases linearly with added head layers. Communication cost MtailM_{\text{tail}}1. Privacy leakage—measured by attack performance (AP)—decreases empirically as MtailM_{\text{tail}}2 increases, but this incurs higher local compute and communication [(Gu et al., 5 Aug 2025), Figure 1].

2. Task and Dataset Scope

VFLAIR-LLM benchmarks three major NLP task categories across 18 datasets, ensuring coverage of both practical and adversarially-relevant scenarios:

Task Type Datasets (examples) Primary Metrics
Classification/Regression SST-2, CoLA, MRPC, MNLI, QNLI, RTE, Yelp, STS-B Accuracy, Pearson’s MtailM_{\text{tail}}3
Span QA SQuAD v1.1 EM, F1
Generation/CausalLM/QA Lambada, Alpaca, Dolly, CodeAlpaca, MATH, GSM8K, TextVQA Rouge, CodeBLEU

These datasets represent a diverse spectrum, including discrete-label and sequence-level outputs, as well as specialty domains (code, math, vision-language) [(Gu et al., 5 Aug 2025), Table 3]. The inclusion facilitates comprehensive assessment of privacy–utility trade-offs in practical and high-risk adaptation settings.

3. Attack and Defense Framework

VFLAIR-LLM implements standard modules for five adversarial attacks and nine defense mechanisms, encompassing both perturbation- and learning-based approaches.

Attack Methods

  • Model Inversion Attacks (MIA): Aim to reconstruct MtailM_{\text{tail}}4 from MtailM_{\text{tail}}5.
    • VMI (Vanilla Model Inversion): MtailM_{\text{tail}}6
    • RMI: continuous relaxation and regularization, MtailM_{\text{tail}}7
    • BiSR: two-phase, semi-white-box, achieves highest empirical AP
    • Attack Performance (AP): recall/exact match rate of reconstructed tokens
  • Label Inference Attacks (LIA): Aim to infer MtailM_{\text{tail}}8 from MtailM_{\text{tail}}9
    • BLI (Batch-level Label Inversion): gradient-statistics to label inversion
    • NS (Norm Scoring): infer ntail=nnheadn_\text{tail} = n - n_\text{head}0 by thresholding ntail=nnheadn_\text{tail} = n - n_\text{head}1

Defense Strategies

  • Perturbation-Based (6): Differential Privacy (DP), Sparsification (SP), token-level MLDP (SanText, CusText, RanText), Split-N-Denoise (SnD)
    • Hyperparameters: ntail=nnheadn_\text{tail} = n - n_\text{head}2 for DP/MLDP (ntail=nnheadn_\text{tail} = n - n_\text{head}3–ntail=nnheadn_\text{tail} = n - n_\text{head}4); ntail=nnheadn_\text{tail} = n - n_\text{head}5 for SP (ntail=nnheadn_\text{tail} = n - n_\text{head}6–ntail=nnheadn_\text{tail} = n - n_\text{head}7\%)
  • Learning-Based (3):
    • MID (Mutual Information Defense): bottleneck ntail=nnheadn_\text{tail} = n - n_\text{head}8, minimize ntail=nnheadn_\text{tail} = n - n_\text{head}9, H1=Mhead(X)H_1 = M_{\text{head}}(X)0
    • AT (Adversarial Training): privatizer H1=Mhead(X)H_1 = M_{\text{head}}(X)1 adversarial to inverter H1=Mhead(X)H_1 = M_{\text{head}}(X)2, tradeoff parameters H1=Mhead(X)H_1 = M_{\text{head}}(X)3
    • TO (TextObfuscator): embedding perturbations clustered; H1=Mhead(X)H_1 = M_{\text{head}}(X)4

4. Empirical Benchmarks and Insights

Benchmarking combines main task performance (MP: accuracy, Rouge, CodeBLEU, EM, etc.), inversion/attack performance (AP), and composite defense capability scores (DCS).

Fine-Tuning Regimes

  • Full-Vanilla, Full-LoRA, Local-Vanilla, Local-LoRA are evaluated
  • Full-LoRA halves training epochs on SST-2 (BERT) for matched accuracy and gives H1=Mhead(X)H_1 = M_{\text{head}}(X)5 compute reduction on GPT-2/Mistral with only H1=Mhead(X)H_1 = M_{\text{head}}(X)6\% MP drop
  • Local tuning benefits from HBT as it allows more trainable parameters client-side

Defense Efficacy

  • Without defense, BiSR AP H1=Mhead(X)H_1 = M_{\text{head}}(X)7 0.30 (SST-2), 0.15 (Alpaca), 0.12 (GSM8K)
  • Perturbation methods reduce both utility (MP) and information leakage (AP) with stronger noise
  • Learning-based defenses (MID, AT) consistently achieve best privacy–utility trade-off: MID yields lowest AP for H1=Mhead(X)H_1 = M_{\text{head}}(X)8; AT is close
  • On SQuAD v1.1, MID achieves composite C-DCS H1=Mhead(X)H_1 = M_{\text{head}}(X)9 (SST-2), Y^=Mtail(H1)\hat{Y} = M_{\text{tail}}(H_1)0 (CoLA); AT achieves Y^=Mtail(H1)\hat{Y} = M_{\text{tail}}(H_1)1; DP or SP require Y^=Mtail(H1)\hat{Y} = M_{\text{tail}}(H_1)2 or Y^=Mtail(H1)\hat{Y} = M_{\text{tail}}(H_1)3 to approach, but with Y^=Mtail(H1)\hat{Y} = M_{\text{tail}}(H_1)4 MP loss

Partitioning and Privacy

  • Increasing Y^=Mtail(H1)\hat{Y} = M_{\text{tail}}(H_1)5 (Y^=Mtail(H1)\hat{Y} = M_{\text{tail}}(H_1)6): reduces AP by Y^=Mtail(H1)\hat{Y} = M_{\text{tail}}(H_1)7 at Y^=Mtail(H1)\hat{Y} = M_{\text{tail}}(H_1)8 MP loss, but increases local computation proportionally
  • Learning-based MID/AT atop LoRA fine-tuning provides optimal privacy–utility; recommended: MID Y^=Mtail(H1)\hat{Y} = M_{\text{tail}}(H_1)9, AT G1=L/H1G_1 = \partial L/\partial H_10, G1=L/H1G_1 = \partial L/\partial H_11

5. Best Practices and Deployment Recommendations

  • Partitioning: HT is straightforward; HBT preferred if the server must not access ground-truth labels or outputs
  • Layer assignment: G1=L/H1G_1 = \partial L/\partial H_12 (about G1=L/H1G_1 = \partial L/\partial H_13 of model) gives a robust privacy–utility compromise
  • Defenses: MID or AT on LoRA-finetuned splits optimally balances MP and AP; DP/SP are viable for lightweight protection with careful tuning, but significant MP decrease occurs for strong privacy settings
  • Resource management: Reduce G1=L/H1G_1 = \partial L/\partial H_14 or use Local tuning if client GPU memory is critical; batch size G1=L/H1G_1 = \partial L/\partial H_15, LoRA LR G1=L/H1G_1 = \partial L/\partial H_16, early stopping is recommended
  • Operational mode: Standalone mode is preferred for research (e.g., Alpaca on Llama3-8B: G1=L/H1G_1 = \partial L/\partial H_17 tokens/s standalone vs. G1=L/H1G_1 = \partial L/\partial H_18 tokens/s distributed)

6. Scope, Limitations, and Reproducibility

VFLAIR-LLM is designed for flexible, privacy-conscious LLM deployment under real-world resource and threat constraints. Benchmarks and code are publicly available, supporting customization for model splits, attacks, defenses, and hyperparameter sweeps. The platform’s task, dataset, and threat coverage enable rigorous experimental comparisons across the privacy–efficiency spectrum (Gu et al., 5 Aug 2025). The framework does not extend to scenarios outside the split learning paradigm, nor to privacy threats not captured by inversion or label inference attacks as modeled in the included modules. A plausible implication is that privacy guarantees are tightly coupled to the implemented attack/defense taxonomy.

For implementation and experiment recipes, practitioners are referred to the open-source codebase.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (1)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to VFLAIR-LLM.