VTarbel: Targeted Attack in Vertical Federated Learning
- The paper introduces VTarbel, a framework that exploits MMD-guided sample selection and detector-aware PGD to induce targeted misclassification in vertical federated learning.
- It demonstrates robust performance across multiple datasets and architectures, achieving attack success rates upward of 90% under minimal-knowledge constraints.
- Experimental ablations confirm that the combination of pseudo-label collection and constrained adversarial optimization is crucial for evading modern anomaly detectors.
Searching arXiv for the specified paper and closely related VFL attack context. Vertical federated learning (VFL) is a collaborative learning setting in which multiple parties hold disjoint feature subsets for the same sample identities and jointly train or deploy a model without exchanging raw data. VTarbel denotes a targeted label attack framework for detector-enhanced VFL inference under a minimal-knowledge threat model, introduced in “VTarbel: Targeted Label Attack with Minimal Knowledge on Detector-enhanced Vertical Federated Learning” (Tan et al., 19 Jul 2025). Its defining premise is that a passive party, restricted to manipulating only its own inference-time features and observing only final predicted labels or rejection decisions, can still induce adversary-chosen labels while evading anomaly detection through a two-stage pipeline combining maximum mean discrepancy (MMD)-guided sample selection, pseudo-label harvesting, local surrogate training, detector estimation, and projected gradient optimization (Tan et al., 19 Jul 2025).
1. Threat model and attack objective
VTarbel is formulated for a detector-enhanced VFL system in which the attacker is a passive party operating during inference only. The attacker can manipulate its own raw features , knows the VFL task type such as classification and the number of classes , but has no access to other parties’ data, model architectures, parameters, or top-model outputs, including logits and probabilities. The attacker also cannot eavesdrop on embeddings exchanged between other parties. The only information learned from a query is the final predicted label , where denotes detector-triggered rejection (Tan et al., 19 Jul 2025).
Within this model, the attacker chooses a targeted label and seeks perturbed features satisfying a distance constraint . The adversarial instance is sent through the VFL protocol with the aim of causing either a normal prediction or rejection . The optimization target is Attack Success Rate (ASR), defined as the fraction of samples for which the global VFL model predicts exactly the targeted label , subject to the perturbation budget:
0
with 1 (Tan et al., 19 Jul 2025).
This formulation distinguishes VTarbel from attack models that assume richer oracle access. A plausible implication is that the work is intended to approximate a comparatively constrained deployment scenario rather than a white-box or score-based adversary.
2. Two-stage architecture
VTarbel decomposes inference-time attack generation into a preparation stage and an attack stage. The preparation stage gathers pseudo-labels and trains local models; the attack stage generates adversarial examples under detection constraints (Tan et al., 19 Jul 2025).
During preparation, the attacker starts from an unlabeled local test set 2, the global VFL model 3, and the class count 4. The outputs of this stage are a small preparation set 5 of size 6, a pseudo-labeled local dataset 7, a surrogate model 8, and an estimated detector 9 (Tan et al., 19 Jul 2025).
The procedure iterates until MMD converges or a maximum number of rounds is reached. First, semi-supervised clustering using Constrained-seed K-Means partitions 0 into 1 clusters 2, using any labeled pairs already collected in 3 as seeds. Next, for each cluster 4, the attacker computes a sample expressiveness score 5 for each unlabeled candidate 6 as the reduction in squared MMD between the current preparation set and the full local data when the sample is added:
7
where
8
The top 9 samples per cluster are added to 0, queried honestly through the VFL system, and recorded in 1 whenever the returned label is not 2 (Tan et al., 19 Jul 2025).
After query collection, the attacker locally trains a surrogate model and an estimated detector. The surrogate is defined as 3 and is optimized by cross-entropy:
4
The estimated detector 5 is trained on embeddings of 6, either by fitting a KDE density or by training a DeepAE with reconstruction loss
7
This suggests that VTarbel treats both class prediction and anomaly scoring as transferable local approximations built from sparse pseudo-supervision (Tan et al., 19 Jul 2025).
3. Attack-stage optimization
The attack stage operates on the remaining samples 8, using the surrogate 9, the estimated detector 0, the adversarial target 1, and the distance bound 2. For each sample 3, the algorithm initializes 4 and performs Projected Gradient Descent (PGD) on a joint loss:
5
Each PGD iteration updates
6
where 7 clips to the 8-ball of radius 9 around 0 and to valid feature ranges. Optimization stops if 1 or a maximum number of iterations is reached, and the resulting 2 is sent through the VFL system. An attack is successful if the returned label equals 3 (Tan et al., 19 Jul 2025).
The joint loss embodies the central design choice of VTarbel: targeted misclassification pressure is coupled directly with a detector-avoidance penalty. In effect, the attacker does not merely search for transferable adversarial examples; it searches for adversarial examples in a constrained region defined by an estimated anomaly boundary. A plausible implication is that the method depends on the fidelity of 4 less as an exact detector replica than as a regularizer that steers perturbations away from evidently abnormal local embeddings.
4. Experimental scope
The implementation is evaluated against four model architectures, seven multimodal datasets, and two anomaly detectors (Tan et al., 19 Jul 2025). The bottom models are MLP3 for tabular data, VGG13 and ResNet18 for images, and DistilBERT for text; the top model and surrogate head are MLP2. The datasets and reported test-sample sizes and class counts are TabMNIST/TabFMNIST with 10 k samples and 10 classes, CIFAR10 with 10 k and 10 classes, CINIC10 with 90 k and 10 classes, CIFAR100 with 10 k and 100 classes, TREC with 554 and 6 classes, and IMDB with 25 k and 2 classes. The anomaly detectors are Kernel Density Estimation (KDE) and Deep Autoencoder (DeepAE) (Tan et al., 19 Jul 2025).
The experimental baselines comprise honest inference, reported as “Ground-Truth,” and four prior attacks: LR-BA, HijackVFL, ADI, and TIFS’23. The principal metrics are Top-1 ASR, with Top-5 ASR for CIFAR100, and detection evasion measured as the fraction of crafted embeddings not flagged (Tan et al., 19 Jul 2025).
| Category | Elements |
|---|---|
| Bottom models | MLP3, VGG13, ResNet18, DistilBERT |
| Top model / surrogate head | MLP2 |
| Datasets | TabMNIST/TabFMNIST, CIFAR10, CINIC10, CIFAR100, TREC, IMDB |
| Detectors | KDE, DeepAE |
| Baselines | Ground-Truth, LR-BA, HijackVFL, ADI, TIFS’23 |
| Metrics | ASR, detection evasion |
This evaluation design emphasizes multimodality and detector heterogeneity. This suggests that the paper is concerned not only with a single architecture-specific exploit but with a broader inference-phase failure mode in detector-enhanced VFL.
5. Empirical results and ablations
The reported results state that VTarbel outperforms four state-of-the-art baselines, evades detection, and remains effective against three representative privacy-preserving defenses (Tan et al., 19 Jul 2025). Under a DeepAE detector with VGG13 on CIFAR10, the reported ASRs are: Baseline 9.24%, LR-BA 51.74%, Hijack 0%, ADI 74.83%, TIFS’23 84.05%, and VTarbel 89.05%. For ResNet18 on CIFAR10 and CIFAR100, VTarbel achieves 90.28% and 40.77%, respectively, versus at most 80.74% and 29.98% for baselines. For DistilBERT on TREC and IMDB, the reported VTarbel ASRs are 90.97% and 96.05%. Under dual detectors, DeepAE and KDE, VTarbel is reported to achieve approximately 90% ASR with evasion greater than 99% (Tan et al., 19 Jul 2025).
The comparative analysis states that VTarbel outperforms LR-BA, HijackVFL, ADI, and TIFS’23 by 10–40 percentage points in ASR across all settings, and that prior attacks collapse, with ASR approaching 0, once detectors are deployed, whereas VTarbel remains effective (Tan et al., 19 Jul 2025). Within the paper’s framing, this establishes detector awareness rather than mere adversarial transfer as the decisive factor.
The ablation and trade-off studies further characterize the method. Varying the preparation–attack split 5 yields an optimum around 5–10% preparation with the remainder used for attack. “Only-Prep” or “Only-Attack” yields ASR approximately 0–10%, indicating that the combination of pseudo-label collection and constrained optimization is necessary. Replacing MMD-based selection with random selection causes a 5–15% absolute loss, and stopping substantially earlier or later than the optimal 6 degrades ASR by 5–15%. Detector-agnostic attack design, in which the attacker’s 7 differs from the real detector, still yields ASR around 88–90%. Robustness is also reported with respect to feature fraction and number of parties, remaining effective down to 50–60% attacker-owned features. Under class imbalance, varying target labels, and varying distance bound 8, ASR remains stable above 70% (Tan et al., 19 Jul 2025).
These ablations support the paper’s claim that the two-stage design is structurally important. A plausible implication is that MMD-guided representativeness is functioning as a query-efficiency mechanism, while the detector-estimated PGD objective supplies the stealth component that prior attacks lack.
6. Interaction with defenses and broader implications
Three representative privacy-preserving defenses are evaluated: noisy embeddings, quantization by discrete bins, and compressed embeddings that zero out small coefficients. The reported outcome is that noisy embeddings and quantization concurrently degrade VFL accuracy while producing only minor ASR reduction. Compressed embeddings can reduce ASR from 90% to approximately 7–50%, but at the cost of at most a 15% drop in VFL accuracy (Tan et al., 19 Jul 2025).
The paper concludes that existing anomaly detectors such as KDE and DeepAE cannot by themselves block stealthy, inference-phase label attacks under minimal attacker knowledge, and that the two-stage paradigm of minimal sample querying plus adversarial transfer is both practical and effective in real VFL deployments (Tan et al., 19 Jul 2025). It further identifies attack-aware defenses as necessary, explicitly listing adversarially trained detectors, robust aggregation, and randomized embedding transformations that preserve utility while closing the MMD/transferability attack channel. Future directions include theoretical characterization of detection-stealth trade-offs under MMD constraints, robust anomaly detectors that adapt to adversarially optimized embeddings, and certified defenses in VFL such as DP-based or randomized smoothing for embeddings (Tan et al., 19 Jul 2025).
The principal misconception addressed by the reported results is that anomaly detection alone suffices to neutralize inference-time adversarial manipulation in VFL. In the reported experiments, detector deployment causes prior attacks to fail, but not VTarbel. Another likely misconception is that minimal label-only feedback is too weak to support targeted attacks in vertically partitioned systems; the pseudo-labeling and surrogate-construction strategy is presented precisely as a counterexample (Tan et al., 19 Jul 2025).
7. Position within VFL security research
VTarbel is situated in a part of the VFL literature concerned with security threats rather than privacy vulnerabilities. The paper states that privacy vulnerabilities of VFL are extensively studied, whereas targeted label attacks remain underexplored (Tan et al., 19 Jul 2025). Its contribution is therefore not a general account of VFL leakage, but a concrete attack model for detector-enhanced inference in which the adversary lacks access to top-model outputs and intermediate exchanges.
Methodologically, the framework combines four components that the paper treats as integral: minimal-knowledge querying, MMD-guided preparation-set construction, surrogate-model training on pseudo-labels, and detector-aware PGD. By integrating these components, the reported system attains near-ceiling ASR above 90% in several settings (Tan et al., 19 Jul 2025). This suggests a shift in emphasis from attacks that exploit richer interfaces toward attacks that exploit the structural transferability of local-feature perturbations in vertically partitioned models.
In that sense, VTarbel identifies a specific blind spot in detector-enhanced VFL deployment: if a passive party can query a small, carefully chosen subset, infer a local proxy for decision structure and detector behavior, and then optimize perturbations under a constrained anomaly objective, the apparent opacity of the global model does not preclude high-success targeted manipulation. The paper presents this as evidence that robust VFL security requires defenses designed for adaptive adversaries rather than reliance on conventional anomaly detectors alone (Tan et al., 19 Jul 2025).