NDSS 2025 – Passive Inference Attacks On Split Learning Via Adversarial Regularization
The researchers propose SDAR, a new passive inference attack framework that targets the honest-but-curious server in Split Learning (SL). Using auxiliary data and adversarial regularization, SDAR effectively infers the client's private features (in both vanilla and U-shaped SL) and labels (in U-shaped SL), reaching high attack accuracy on the CIFAR-10 dataset.
2025-12-10 16:00:00
Author: securityboulevard.com (view original)
Session 5C: Federated Learning 1
Authors, Creators & Presenters: Xiaochen Zhu (National University of Singapore & Massachusetts Institute of Technology), Xinjian Luo (National University of Singapore & Mohamed bin Zayed University of Artificial Intelligence), Yuncheng Wu (Renmin University of China), Yangfan Jiang (National University of Singapore), Xiaokui Xiao (National University of Singapore), Beng Chin Ooi (National University of Singapore)
PAPER
Passive Inference Attacks on Split Learning via Adversarial Regularization
Split Learning (SL) has emerged as a practical and efficient alternative to traditional federated learning. While previous attempts to attack SL have often relied on overly strong assumptions or targeted easily exploitable models, we seek to develop more capable attacks. We introduce SDAR, a novel attack framework against SL with an honest-but-curious server. SDAR leverages auxiliary data and adversarial regularization to learn a decodable simulator of the client’s private model, which can effectively infer the client’s private features under the vanilla SL, and both features and labels under the U-shaped SL. We perform extensive experiments in both configurations to validate the effectiveness of our proposed attacks. Notably, in challenging scenarios where existing passive attacks struggle to reconstruct the client’s private data effectively, SDAR consistently achieves significantly superior attack performance, even comparable to active attacks. On CIFAR-10, at the deep split level of 7, SDAR achieves private feature reconstruction with less than 0.025 mean squared error in both the vanilla and the U-shaped SL, and attains a label inference accuracy of over 98% in the U-shaped setting, while existing attacks fail to produce non-trivial results.
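The abstract assumes familiarity with what a passive server actually receives in the two SL configurations it attacks. The following is an added example written for this page; it is not code from the paper or its authors and does not implement SDAR. It simulates one training round of vanilla and U-shaped split learning with a toy client model (a single tanh layer), a server middle layer, and a sigmoid/BCE head that is owned by the server in vanilla SL and by the client in U-shaped SL, and records everything the honest-but-curious server observes. The dimensions, seeds, single-layer models and the sample input are constructed assumptions; in the U-shaped case the client's top model is reduced to one linear layer plus the loss for compactness.

```python
import math
import random

# Constructed toy sizes (not from the paper): 3 input features, 2-unit cut layer,
# binary label. The models are single linear layers so a full round fits in one file.
IN_DIM, CUT_DIM = 3, 2


def sigmoid(a):
    return 1.0 / (1.0 + math.exp(-a))


def linear(W, b, v):
    """Return W v + b for W given as a list of rows."""
    return [sum(wij * vj for wij, vj in zip(row, v)) + bi for row, bi in zip(W, b)]


def rand_matrix(rows, cols, seed):
    rng = random.Random(seed)  # fixed seeds so both configurations start identically
    return [[rng.uniform(-0.5, 0.5) for _ in range(cols)] for _ in range(rows)]


class Client:
    """Bottom model f: h = tanh(W x + b). W and b never leave the client."""

    def __init__(self):
        self.W, self.b = rand_matrix(CUT_DIM, IN_DIM, seed=0), [0.0] * CUT_DIM

    def forward(self, x):
        self.x = x
        self.h = [math.tanh(a) for a in linear(self.W, self.b, x)]
        return list(self.h)  # the "smashed data" sent across the cut

    def backward(self, grad_h, lr=0.1):
        grad_pre = [g * (1.0 - hh * hh) for g, hh in zip(grad_h, self.h)]  # tanh'
        for i in range(CUT_DIM):
            for j in range(IN_DIM):
                self.W[i][j] -= lr * grad_pre[i] * self.x[j]
            self.b[i] -= lr * grad_pre[i]


class Server:
    """Middle model o = V h + c. Honest-but-curious: follows the protocol, logs everything."""

    def __init__(self):
        self.V, self.c = rand_matrix(CUT_DIM, CUT_DIM, seed=1), [0.0] * CUT_DIM
        self.view = {}  # everything the server gets to see during the round

    def forward(self, h):
        self.h = h
        self.view["smashed"] = list(h)
        return linear(self.V, self.c, h)

    def backward(self, grad_o, lr=0.1):
        self.view["grad_out"] = list(grad_o)
        grad_h = [sum(self.V[i][j] * grad_o[i] for i in range(CUT_DIM)) for j in range(CUT_DIM)]
        for i in range(CUT_DIM):
            for j in range(CUT_DIM):
                self.V[i][j] -= lr * grad_o[i] * self.h[j]
            self.c[i] -= lr * grad_o[i]
        return grad_h  # sent back across the cut


class Head:
    """Top layer logit = u . o + d with sigmoid + binary cross-entropy.
    Owned by the server in vanilla SL and by the client in U-shaped SL."""

    def __init__(self):
        self.u, self.d = rand_matrix(1, CUT_DIM, seed=2)[0], 0.0

    def loss_grad(self, o, y, lr=0.1):
        """Return (logit, dL/do) and apply one SGD step to the head."""
        logit = sum(ui * oi for ui, oi in zip(self.u, o)) + self.d
        g = sigmoid(logit) - y  # dL/dlogit for sigmoid + BCE
        grad_o = [ui * g for ui in self.u]  # uses the pre-update weights
        self.u = [ui - lr * g * oi for ui, oi in zip(self.u, o)]
        self.d -= lr * g
        return logit, grad_o


def train_step(mode, client, server, head, x, y):
    """One SL round on example (x, y); returns what the server observed."""
    h = client.forward(x)  # client -> server: smashed data
    o = server.forward(h)  # server middle layers
    if mode == "vanilla":
        server.view["label"] = y  # client -> server: the label travels with the batch
        logit, grad_o = head.loss_grad(o, y)  # loss computed on the server
        server.view["logit"] = logit
    elif mode == "u_shaped":
        _, grad_o = head.loss_grad(o, y)  # server -> client: o; loss stays on the client
    else:
        raise ValueError(mode)
    grad_h = server.backward(grad_o)  # client -> server: dL/do; server -> client: dL/dh
    client.backward(grad_h)
    return dict(server.view)


def server_views(x, y):
    """Run one round per configuration from identical initial weights."""
    return {m: train_step(m, Client(), Server(), Head(), x, y) for m in ("vanilla", "u_shaped")}
```

Running `server_views([1.0, -2.0, 0.5], 1.0)` shows the difference the abstract relies on: in vanilla SL the server's view contains the smashed data, the label and the logit, while in U-shaped SL it contains only the smashed data and the gradient with respect to the server's own output. The smashed data and that gradient are identical in both runs, which is why a feature-reconstruction attack applies to both configurations, while label inference is only a meaningful attack goal in the U-shaped setting, where the label never leaves the client.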
ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.