Stealing Data from Active Party in Vertical Split Learning

Abstract

Vertical Split Learning (VSL) facilitates collaborative learning among users with vertically partitioned data but also introduces risks of private data leakage. Existing reconstruction attacks primarily rely on intermediate feature access, making them ineffective against semi-honest passive adversaries who lack such access. In this paper, we propose PASTA, a novel attack framework that enables the PAssive party to STeal private data from the Active party without direct feature access. Our approach consists of three steps. First, we leverage an autoencoder to establish an initial reconstruction by analyzing correlations between sample features. Second, we construct a shadow VSL model to mimic server-side gradient behaviors. Finally, we refine the reconstruction using a U-Net-based network with gradient-based guidance. Our reconstruction results on CIFAR-10 and CelebA achieved SSIM scores of 0.5132 and 0.5877, and LPIPS scores of 0.3395 and 0.2771, respectively. An ablation study demonstrated that even without access to auxiliary data from the same distribution, the attack could still reveal most of the image details. We further validated the effectiveness of our attack on the real-world datasets Tiny-ImageNet and LFW. We also conducted experiments on ResNet18, VGG16, ViT-B16, and MobileNet to show that our attack is model-agnostic.

Cite

Text

Liu et al. "Stealing Data from Active Party in Vertical Split Learning." European Conference on Machine Learning and Principles and Practice of Knowledge Discovery in Databases, 2025. doi:10.1007/978-3-032-06096-9_18

Markdown

[Liu et al. "Stealing Data from Active Party in Vertical Split Learning." European Conference on Machine Learning and Principles and Practice of Knowledge Discovery in Databases, 2025.](https://mlanthology.org/ecmlpkdd/2025/liu2025ecmlpkdd-stealing/) doi:10.1007/978-3-032-06096-9_18

BibTeX

@inproceedings{liu2025ecmlpkdd-stealing,
  title     = {{Stealing Data from Active Party in Vertical Split Learning}},
  author    = {Liu, Yaxin and Xu, Xiaoyang and Yi, Wenzhe and Zhuang, Yong and Wang, Juan and Yang, Mengda and Li, Ziang},
  booktitle = {European Conference on Machine Learning and Principles and Practice of Knowledge Discovery in Databases},
  year      = {2025},
  pages     = {313-327},
  doi       = {10.1007/978-3-032-06096-9_18},
  url       = {https://mlanthology.org/ecmlpkdd/2025/liu2025ecmlpkdd-stealing/}
}