Backdoor
Adversary
Computer science
Exploit
Task (project management)
Computer security
Inference
Model attack
Artificial intelligence
Machine learning
Engineering
Systems engineering
Identifier
DOI:10.1016/j.cose.2023.103193
Abstract
In vertical federated learning (VFL), multiple participants collaborate in training a model over distributed data features, with the labels held by one of them. This cooperation gives a malicious participant the opportunity to conduct a backdoor attack. However, the attack is challenging when the adversary does not own the labels and the other participants apply mitigations. In this paper, we discover that an adversary can exploit the local latent representations output in the inference stage to inject a backdoor into VFL, even without access to labels. With little auxiliary labeled data, the adversary fine-tunes its bottom model so that it outputs a specific latent representation for backdoor input instances, which induces the federated model to predict the attacker-specified label regardless of the benign participants' inputs. Our experiments show that the proposed attack achieves a high attack success rate with little loss of main-task accuracy and outperforms existing backdoor attacks. We also explore possible defenses against the attack. Our research demonstrates the potential security threat to VFL.