HFIA: A Parasitic Feature Inference Attack and Gradient-Based Defense Strategy in SplitNN-Based Vertical Federated Learning

Abstract

Vertical Federated Learning (VFL) is widely adopted in industries like healthcare, enabling collaborators to enhance model performance using disparate data sources. Split Neural Networks (SplitNN) are central to two-party VFL setups, providing enhanced data privacy during collaboration. However, an untrustworthy server owner, referred to as the host, may exploit its position to infer sensitive client-side features during training. Our research introduces Hitchhike Feature Inference Attack (HFIA), where the host leverages a minimal auxiliary dataset (less than 1% of total data) to infer sensitive features with high accuracy (up to 99%) before VFL training is completed. To mitigate this privacy risk, we propose a client-side defense strategy. Clients construct shadow models to simulate the attacker’s approach and introduce gradient-based adversarial noise to local embeddings, significantly reducing feature leakage. Experiments demonstrate that HFIA achieves high attack success rates, while defense method can reduce attack macro_auc to approximately 60%, with minimal impact ( $<5\%$ < 5 % decrease) on the normal VFL task. The defense can reduce attack macro_auc by over 20% and does not impose restrictions on VFL model construction. In practical applications, participants can adopt this approach to effectively mitigate training-time privacy leakage and protect sensitive client-side data from malicious inference.