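Computer science
Inference
Adversary
Artificial intelligence
Feature (linguistics)
Black box
Model attack
Server
Machine learning
Enhanced Data Rates for GSM Evolution
Data mining
Computer security
Computer network
Philosophy
Linguistics
Authors
Ruikang Yang, Jianfeng Ma, Junying Zhang, Saru Kumari, Sachin Kumar, Joel J. P. C. Rodrigues
Source
Journal: IEEE Internet of Things Journal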
[Institute of Electrical and Electronics Engineers]
Date: 2024-01-01
Volume (Issue): 11 (1): 5-16
Identifier
DOI:10.1109/jiot.2023.3275161
Abstract
The emergence of edge computing guarantees the combination of the Internet of Things (IoT) and artificial intelligence (AI). The vertical federated learning (VFL) framework, usually deployed by split learning, can analyze and integrate information on different features collected by different terminals in the IoT. The complete model is divided into a top model and multiple bottom models in a specific middle layer. Each passive party as a terminal with certain features owns a bottom model, and an active party as an edge server with labels holds the top model. Feature inference attack aims to infer the party’s features from the model predictions during prediction in VFL. Existing attacks considered the adversary an active party under the white-box or black-box model. However, an attacker usually is a passive party in practice because terminals are more vulnerable than edge servers. Therefore, this article discusses a practical feature inference attack in VFL during prediction in IoT under this setting. We design an adversary that builds an inference model to minimize the distance between the predictions from the inferred features and target features. Because the information on the top model and other bottom models is unknown, the adversary cannot directly train the inference model. Therefore, we utilize the zeroth-order gradient estimation method to calculate the parameters’ gradients to train the inference model. Experimental results demonstrate that the performance of our attack is comparable to that of the white-box attacks while retaining apparent advantages over the existing black-box attacks.