Distributed deep learning frameworks enable more efficient and privacy-aware training of deep neural networks across multiple clients. Split learning achieves this by splitting a neural network between a client and a server such that the client computes the initial set of layers and the server computes the rest. However, this method introduces a unique attack vector for a malicious server attempting to recover the client's private inputs: the server can direct the client model towards learning any task of its choice, e.g. towards outputting easily invertible values. With a concrete example already proposed (Pasquini et al., ACM CCS '21), such training-hijacking attacks present a significant risk to the data privacy of split learning clients. We propose two methods for a split learning client to detect whether it is being targeted by a training-hijacking attack. We experimentally evaluate our methods' effectiveness, compare them with other potential solutions, and discuss various points related to their use. Our conclusion is that by using the method that best suits their use case, split learning clients can consistently detect training-hijacking attacks and thus keep the information gained by the attacker to a minimum.
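The split described in the abstract, as an added toy simulation (not the paper's code): the client owns the first layer, the server owns the rest plus the loss, and the only thing that ever crosses the cut back to the client is the gradient at the cut layer. Model sizes, data, and the honest cross-entropy objective are constructed assumptions; a hijacking server would return a gradient of exactly the same shape from a different objective, which is why the client cannot tell the two apart from the interface alone and needs the kind of detection the abstract proposes.

```python
import numpy as np

rng = np.random.default_rng(0)

# Constructed toy dataset: 16 samples, 8 features, 3 classes (labels stay with the server side of the loss).
X = rng.normal(size=(16, 8))
y = rng.integers(0, 3, size=16)


class Client:
    """Client half of the split: input -> cut layer. Sees only dL/dh, never the loss."""

    def __init__(self, d_in=8, d_cut=6):
        self.W = rng.normal(scale=0.3, size=(d_in, d_cut))
        self.x = self.h = None

    def forward(self, x):
        self.x = x
        self.h = np.maximum(0.0, x @ self.W)  # ReLU activations sent across the cut
        return self.h

    def backward(self, grad_h, lr=0.1):
        grad_pre = grad_h * (self.h > 0)  # ReLU derivative
        self.W -= lr * self.x.T @ grad_pre


class HonestServer:
    """Server half: cut layer -> logits -> cross-entropy. Returns dL/dh to the client."""

    def __init__(self, d_cut=6, n_cls=3):
        self.V = rng.normal(scale=0.3, size=(d_cut, n_cls))

    def step(self, h, labels, lr=0.1):
        logits = h @ self.V
        p = np.exp(logits - logits.max(axis=1, keepdims=True))
        p /= p.sum(axis=1, keepdims=True)
        loss = -np.log(p[np.arange(len(labels)), labels]).mean()
        d_logits = p.copy()
        d_logits[np.arange(len(labels)), labels] -= 1.0
        d_logits /= len(labels)
        grad_h = d_logits @ self.V.T  # the client's entire view of the server's objective
        self.V -= lr * h.T @ d_logits
        return loss, grad_h


def train(rounds=200):
    """Run split-learning rounds; returns the per-round loss (known only to the server)."""
    client, server = Client(), HonestServer()
    losses = []
    for _ in range(rounds):
        h = client.forward(X)
        loss, grad_h = server.step(h, y)
        assert grad_h.shape == h.shape  # shape is all the client can verify locally
        client.backward(grad_h)
        losses.append(float(loss))
    return losses
```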