纵向联邦学习方法及其隐私和安全综述

doi:10.11959/j.issn.2096-109x.2023017

网络与信息安全学报 ›› 2023, Vol. 9 ›› Issue (2): 1-20.doi: 10.11959/j.issn.2096-109x.2023017

• 综述 • 下一篇

纵向联邦学习方法及其隐私和安全综述

陈晋音¹^,², 李荣昌², 黄国瀚², 刘涛², 郑海斌¹, 程瑶³

¹ 浙江工业大学网络空间安全研究院，浙江杭州 310023
² 浙江工业大学信息工程学院，浙江杭州 310023
³ 南德认证检测亚太有限公司，新加坡 60993

修回日期:2022-08-20 出版日期:2023-04-25 发布日期:2023-04-01
作者简介:陈晋音（1982- ），女，浙江象山人，浙江工业大学教授，主要研究方向为人工智能安全、图数据挖掘和进化计算
李荣昌（1998- ），男，浙江长兴人，浙江工业大学硕士生，主要研究方向为人工智能安全、图数据挖掘和联邦学习
黄国瀚（1997- ），男，浙江台州人，浙江工业大学硕士生，主要研究方向为图神经网络及纵向联邦学习安全
刘涛（1998- ），男，浙江绍兴人，浙江工业大学硕士生，主要研究方向为人工智能安全和联邦学习
郑海斌（1995- ），男，浙江台州人，浙江工业大学讲师，主要研究方向为深度学习、人工智能安全和图像识别
程瑶（1987- ），女，新加坡，博士，南德认证检测亚太有限公司研究员，主要研究方向为深度学习系统安全与隐私、区块链技术应用和安卓框架脆弱性分析
基金资助:
国家自然科学基金(62072406);浙江省自然科学基金(DQ23F020001);信息系统安全技术重点实验室基金(61421110502);国家重点研发计划(2018AAA0100801)

Survey on vertical federated learning: algorithm, privacy and security

Jinyin CHEN¹^,², Rongchang LI², Guohan HUANG², Tao LIU², Haibin ZHENG¹, Yao CHENG³

¹ Institute of Cyberspace Security, Zhejiang University of Technology, Hangzhou 310023, China
² College of Information Engineering, Zhejiang University of Technology, Hangzhou 310023, China
³ TüV SüD Asia Pacific Pte.Ltd., 60993, Singapore

Revised:2022-08-20 Online:2023-04-25 Published:2023-04-01
Supported by:
The National Natural Science Foundation of China(62072406);Zhejiang Provincial Natural Science Foundation(DQ23F020001);The National Key Laboratory of Science and Technology on Information System Security(61421110502);The National Key R＆D Program of China(2018AAA0100801)

摘要/Abstract

摘要：

联邦学习（FL，federated learning）是一种新兴的分布式机器学习技术，利用分散在各个机构的数据，通过传输中间结果（如模型参数、参数梯度、嵌入信息等）实现机器学习模型的联合构建。联邦学习中机构的训练数据不允许离开本地，因此降低了数据泄露的风险。根据机构之间数据分布的差异，FL 通常分为横向联邦学习（HFL，horizontal FL）、纵向联邦学习（VFL，vertical FL），以及联邦迁移学习（TFL， transfer FL）。其中，VFL适用于机构具有相同样本空间但不同特征空间的场景，广泛应用于医疗诊断、金融评估和教育服务等领域。尽管 VFL 在现实应用中有出色的表现，但其本身仍然面临诸多隐私和安全问题，尚缺少对VFL方法与安全性展开全面综述的工作。为了构建高效且安全的VFL系统，从VFL方法及其隐私和安全两个方面展开，首先从边缘模型、通信机制、对齐机制以及标签处理机制4个角度对现有的VFL方法进行详细总结和归纳；其次介绍并分析了 VFL 面临的隐私和安全风险；进一步对其防御方法进行介绍和总结；此外，介绍了适用于VFL的常见数据集及平台框架。结合VFL面临的安全性挑战给出了VFL的未来研究方向，旨在为构建高效、鲁棒和安全的VFL的理论研究提供参考。

关键词: 纵向联邦学习, 安全与隐私, 后门攻击, 推断攻击与防御, 对抗攻击, 安全性评估

Abstract:

Federated learning （FL） is a distributed machine learning technology that enables joint construction of machine learning models by transmitting intermediate results （e.g., model parameters, parameter gradients, embedding representation, etc.） applied to data distributed across various institutions.FL reduces the risk of privacy leakage, since raw data is not allowed to leave the institution.According to the difference in data distribution between institutions, FL is usually divided into horizontal federated learning （HFL）, vertical federated learning （VFL）, and federal transfer learning （TFL）.VFL is suitable for scenarios where institutions have the same sample space but different feature spaces and is widely used in fields such as medical diagnosis, financial and security of VFL.Although VFL performs well in real-world applications, it still faces many privacy and security challenges.To the best of our knowledge, no comprehensive survey has been conducted on privacy and security methods.The existing VFL was analyzed from four perspectives: the basic framework, communication mechanism, alignment mechanism, and label processing mechanism.Then the privacy and security risks faced by VFL and the related defense methods were introduced and analyzed.Additionally, the common data sets and indicators suitable for VFL and platform framework were presented.Considering the existing challenges and problems, the future direction and development trend of VFL were outlined, to provide a reference for the theoretical research of building an efficient, robust and safe VFL.

Key words: vertical federated learning, security and privacy, backdoor attack, inference attack and defense, adversarial attack, security evaluation

中图分类号:

TP18

陈晋音, 李荣昌, 黄国瀚, 刘涛, 郑海斌, 程瑶. 纵向联邦学习方法及其隐私和安全综述[J]. 网络与信息安全学报, 2023, 9(2): 1-20.

Jinyin CHEN, Rongchang LI, Guohan HUANG, Tao LIU, Haibin ZHENG, Yao CHENG. Survey on vertical federated learning: algorithm, privacy and security[J]. Chinese Journal of Network and Information Security, 2023, 9(2): 1-20.

图/表 6

图1

表1

表2

表3

表4

表5

参考文献 106

[1]	焦李成, 杨淑媛, 刘芳 ,等. 神经网络七十年:回顾与展望[J]. 计算机学报, 2016,39(8): 1697-1716.
	JIAO L C , YANG S Y , LIU F ,et al. Seventy years beyond neural networks：retrospect and prospect[J]. Chinese Journal of Computers, 2016,39(8): 1697-1716.
[2]	中华人民共和国数据安全法[N]. 中华人民共和国全国人民代表大会常务委员会公报, 2021(5): 951-956.
	FData Security Law of the People＇s Republic of China[N]. Communiqué of the Standing Committee of the National People＇s Congress of the People＇s Republic of China, 2021(5): 951-956.
[3]	GODDARD M . The EU general data protection regulation （GDPR）:European regulation that has a global impact[J]. International Journal of Market Research, 2017,59(6): 703-705.
[4]	HORD A . Federated learning for mobile keyboard prediction[J]. arXiv preprint arXiv:1811.03604, 2018.
[5]	YANG Q , LIU Y , CHEN T ,et al. Federated machine learning:concept and applications[J]. ACM Transactions on Intelligent Systems and Technology （TIST）, 2019,10(2): 1-19.
[6]	李少波, 杨磊, 李传江 ,等. 联邦学习概述：技术、应用及未来[J]. 计算机集成制造系统, 2021,1(10): 1-29.
	LI S B , YANG L , LI C J ,et al. Overview of federated learning:technology,applications and future[J]. Computer Integrated Manufacturing Systems, 2021,1(10): 1-29.
[7]	周传鑫, 孙奕, 汪德刚 ,等. 联邦学习研究综述[J]. 网络与信息安全学报, 2021,7(5): 1-16.
	ZHOU C X , SUN Y , WANG D ,et al. Survey of federated learning research[J]. Chinese Journal of Network and Information Security, 2021,7(5): 1-16.
[8]	卫新乐, 张志勇, 宋斌 ,等. 基于纵向联邦学习的社交网络跨平台恶意用户检测方法[J]. 小型微型计算机系统, 2021,(10): 1-9.
	WEI X L , ZHANG Z Y , SONG B ,et al. Social networks cross-platform malicious user detection method based on vertical federated learning[J]. Journal of Chinese Mini-Micro Computer Systems, 2021,(10): 1-9.
[9]	李鸣 . 基于纵向联邦学习的推荐系统技术研究[D]. 杭州:浙江大学, 2021.
	LI M . Research on recommendation system technology based on vertical federated learning[D]. Hangzhou:Zhejiang University, 2021.
[10]	KANG Y , LIU Y , CHEN T J . Fedmv:semi-supervised vertical federated learning with multiview training[J]. arXiv preprint arXiv:2008.10838, 2020.
[11]	WU Z , LI Q , HE B . Exploiting record similarity for practical vertical federated learning[J]. arXiv preprint arXiv:2106.06312, 2021.
[12]	LUO X , WU Y , XIAO X ,et al. Feature inference attack on model predictions in vertical federated learning[C]// Proceedings of IEEE 37th International Conference on Data Engineering (ICDE). 2021: 181-192.
[13]	LI O , SUN J , YANG X ,et al. Label leakage and protection in two-party split learning[J]. arXiv preprint arXiv:2102.08504, 2021.
[14]	WENG H , ZHANG J , XUE F ,et al. Privacy leakage of real-world vertical federated learning[J]. arXiv preprint arXiv:2011.09290, 2020.
[15]	LIU Y , YI Z , CHEN T . Backdoor attacks and defenses in feature-partitioned collaborative learning[J]. arXiv preprint arXiv:2007.03608, 2020.
[16]	HARDY S , HENECKA W , IVEY-LAW H , ,et al. Private federated learning on vertically partitioned data via entity resolution and additively homomorphic encryption[J]. arXiv preprint arXiv:1711.10677, 2017.
[17]	YANG K , FAN T , CHEN T ,et al. A quasi-Newton method based vertical federated learning framework for logistic regression[J]. arXiv preprint arXiv:1912.00513, 2019.
[18]	YANG S , REN B , ZHOU X ,et al. Multi-VFL for vertical federated learning without third-party coordinator[J]. arXiv preprint arXiv:1911.09824, 2019.
[19]	CHENG K , FAN T , JIN Y ,et al. SecureBoost:a lossless federated learning framework[J]. IEEE Intelligent Systems, 2021,36(6): 87-98.
[20]	WU Y , CAI S , XIAO X ,et al. Privacy preserving vertical federated learning for tree-based models[C]// Proceedings of the VLDB Endowment, 2020. 2090-2103.
[21]	VEPAKOMMA P , GUPTA O , SWEDISH T ,et al. Split learning for health:distributed deep learning without sharing raw patient data[J]. arXiv preprint arXiv:1812.00564, 2018.
[22]	FU C , ZHANG X , JI S ,et al. Label inference attacks against vertical federated learning[C]// Proceedings of USENIX Security Symposium. 2022: 1397-1414.
[23]	NI X , XU X , LYU L ,et al. A vertical federated learning framework for graph convolutional network[J]. arXiv preprint arXiv:2106.11593, 2021.
[24]	ZHOU J , CHEN C , ZHENG L ,et al. Vertically federated graph neural network for privacy-preserving node classification[J]. arXiv preprint arXiv:2005.11903, 2020.
[25]	GU B , XU A , HUO Z ,et al. Privacy-preserving asynchronous federated learning algorithms for multi-party vertically collaborative learning[J]. arXiv preprint arXiv:2008.06233, 2020.
[26]	MCMAHAN H B , MOORE E , RAMAGE D ,et al. Federated learning of deep networks using model averaging[J]. arXiv preprint arXiv:1602.05629, 2016.
[27]	LIU Y , KANG Y , ZHANG X ,et al. A communication efficient collaborative learning framework for distributed features[J]. arXiv preprint arXiv:1912.11187, 2019.
[28]	CHEN T , JIN X , SUN Y ,et al. VAFL:a method of vertical asynchronous federated learning[J]. arXiv preprint arXiv:2007.06081, 2020.
[29]	DAS A , PATTERSON S . Multi-tier federated learning for vertically partitioned data[C]// Proceedings of IEEE International Conference on Acoustics,Speech and Signal Processing (ICASSP). 2021: 3100-3104.
[30]	WRIGHT S , NOCEDAL J . Numerical optimization[J]. Springer Science, 1999,35(67-68): 7.
[31]	ZHANG Q , GU B , DENG C ,et al. AsySQN:faster vertical federated learning algorithms with better computation resource utilization[C]// Proceedings of the 27th ACM SIGKDD Conference on Knowledge Discovery ＆ Data Mining. 2021: 3917-3927.
[32]	LIN Y J . Deep gradient compression:reducing the communication bandwidth for distributed training[J]. arXiv preprint arXiv:1712.01887, 2017.
[33]	YANG K , SONG Z , ZHANG Y ,et al. Model optimization method based on vertical federated learning[C]// Proceedings of IEEE International Symposium on Circuits and Systems (ISCAS). 2021: 1-5.
[34]	LI M , CHEN Y , WANG Y ,et al. Efficient asynchronous vertical federated learning via gradient prediction and double-end sparse compression[C]// Proceedings of 16th International Conference on Control,Automation,Robotics and Vision (ICARCV). 2020: 291-296.
[35]	LIU D , . Accelerating intra-party communication in vertical federated learning with RDMA[C]// Proceedings of the 1st Workshop on Distributed Machine Learning. 2020: 14-20.
[36]	黄翠婷, 张帆, 孙小超 ,等. 隐私集合求交技术的理论与金融实践综述[J]. 信息通信技术与政策, 2021,47(6): 50.
	HUANG C T , ZHANG F , SUN X C ,et al. A survey of private set intersection technology and finance practice[J]. Information and Communications Technology and Policy, 2021,47(6): 50.
[37]	MEADOWS C , . A more efficient cryptographic matchmaking protocol for use in the absence of a continuously available third party[C]// Proceedings of 1986 IEEE Symposium on Security and Privacy. 1986: 134-134.
[38]	DE CRISTOFARO E , TSUDIK G . Experimenting with fast private set intersection[C]// Proceedings of International Conference on Trust and Trustworthy Computing. 2012: 55-73.
[39]	RABIN M O . How To Exchange Secrets with Oblivious Transfer[J]. IACR Cryptol, 2005,2005(187): 1-26.
[40]	ISHAI Y , KILIAN J , NISSIM K ,et al. Extending oblivious transfers efficiently[C]// Proceedings of Annual International Cryptology Conference. 2003: 145-161.
[41]	KISSNER L , SONG D . Privacy-preserving set operations[C]// Proceedings of Annual International Cryptology Conference. 2005: 241-257.
[42]	CAMENISCH J , ZAVERUCHA G M . Private intersection of certified sets[C]// Proceedings of International Conference on Financial Cryptography and Data Security. 2009: 108-127.
[43]	ZHANG Q , GU B , DENG C ,et al. Secure bilevel asynchronous vertical federated learning with backward updating[J]. arXiv preprint arXiv:2103.00958, 2021.
[44]	XIA W , LI Y , ZHANG L ,et al. A vertical federated learning framework for horizontally partitioned labels[J]. arXiv preprint arXiv:2106.10056, 2021.
[45]	MUGUNTHAN V , GOYAL P , KAGAL L . Multi-VFL:a vertical federated learning system for multiple data and label owners[J]. arXiv preprint arXiv:2106.05468, 2021.
[46]	REDDI S , CHARLES Z , ZAHEER M ,et al. Adaptive federated optimization[J]. arXiv preprint arXiv:2003.00295, 2020.
[47]	FENG S , YU H . Multi-participant multi-class vertical federated learning[J]. arXiv preprint arXiv:2001.11154, 2020.
[48]	HU Y , LIU P , KONG L ,et al. Learning privately over distributed features:An ADMM sharing approach[J]. arXiv preprint arXiv:1907.07735, 2019.
[49]	GU B , DANG Z , LI X ,et al. Federated doubly stochastic kernel learning for vertically partitioned data[C]// Proceedings of the 26th ACM SIGKDD International Conference on Knowledge Discovery＆ Data Mining. 2020: 2483-2493.
[50]	CHEN X , LI J , CHAKRABARTI C . Communication and computation reduction for split learning using asynchronous training[J]. arXiv preprint arXiv:2107.09786, 2021.
[51]	ZHANG S , XIANG L , YU X ,et al. Privacy-preserving federated learning on partitioned attributes[J]. arXiv preprint arXiv:2104.14383, 2021.
[52]	SHOKRI R , STRONATI M , SONG C ,et al. Membership inference attacks against machine learning models[C]// Proceedings of 2017 IEEE Symposium on Security and Privacy (SP). 2017: 3-18.
[53]	LIU Y , ZHANG X , WANg L . Asymmetrical vertical federated learning[J]. arXiv preprint arXiv:2004.07427, 2020.
[54]	ZHU L , LIU Z , HAN S . Deep leakage from gradients[J]. Advances in Neural Information Processing Systems, 2019,32: 14774-14784.
[55]	GEIPING J , BAUERMEISTER H , DR?GE H , ,et al. Inverting gradients--how easy is it to break privacy in federated learning[J]. arXiv preprint arXiv:2003.14053, 2020.
[56]	YIN H , MALLYA A , VAHDAT A ,et al. See through gradients:image batch recovery via grad inversion[C]// Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2021: 16337-16346.
[57]	MAHENDRAN A , VEDALDI A . Understanding deep image representations by inverting them[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. 2015: 5188-5196.
[58]	PASQUINI D , ATENIESE G , BERNASCHI M . Unleashing the tiger:inference attacks on split learning[J]. arXiv preprint arXiv:2012.02670, 2020.
[59]	GU T , LIU K , DOLAN-GAVITT B , ,et al. Badnets:evaluating backdooring attacks on deep neural networks[J]. IEEE Access, 2019,7: 47230-47244.
[60]	LIAO C , ZHONG H , SQUICCIARINI A ,et al. Backdoor embedding in convolutional neural network models via invisible perturbation[J]. arXiv preprint arXiv:1808.10307, 2018.
[61]	XIE C , HUANG K , CHEN P Y ,et al. Dba:distributed backdoor attacks against federated learning[C]// Proceedings of International Conference on Learning Representations. 2019: 1-19.
[62]	SHAFAHI A , HUANG W R , NAJIBI M ,et al. Poison frogs! targeted clean-label poisoning attacks on neural networks[J]. arXiv preprint arXiv:1804.00792, 2018.
[63]	TURNER A , TSIPRAS D , MADRY A . Label-consistent backdoor attacks[J]. arXiv preprint arXiv:1912.02771, 2019.
[64]	WENG C H , LEE Y T , WU S H B . On the trade-off between adversarial and backdoor robustness[J]. Advances in Neural Information Processing Systems, 2020,33.
[65]	GOODFELLOW I J , SHLENS J , SZEGEDY C . Explaining and harnessing adversarial examples[J]. arXiv preprint arXiv:1412.6572, 2014.
[66]	LIU J , XIE C , KENTHAPADI K ,et al. Rvfr:Robust vertical federated learning via feature subspace recovery[C]// Proceedings of NeurIPS Workshop New Frontiers in Federated Learning:Privacy,Fairness,Robustness,Personalization and Data Ownership. 2021: 1-9.
[67]	CHEN J Y . Graph-fraudster:adversarial attacks on graph neural network based vertical federated learning[J]. arXiv preprint arXiv:2110.06468, 2021.
[68]	RONALD L R , ADLEMAN L , DERTOUZOS M L . On data banks and privacy homomorphisms[J]. Foundations of Secure Computation, 1978,4(11): 169-180.
[69]	GENTRY C , . Fully homomorphic encryption using ideal lattices[C]// Proceedings of the forty-first annual ACM symposium on Theory of computing. 2009: 1-10.
[70]	OU W . A homomorphic-encryption-based vertical federated learning scheme for rick management[J]. Computer Science and Information Systems, 2020:22.
[71]	夏家骏, 鲁颖, 张子扬 ,等. 基于秘密共享与同态加密的纵向联邦学习方案研究[J]. 信息通信技术与政策, 2021,47(6): 19-26.
	XIA J J , LU Y , ZHANG Z Y ,et al. Research on vertical federated learning based on secret sharing and homomorphic encryption[J]. Information and Communications Technology and Policy, 2021,47(6): 19-26.
[72]	DWORK C , MCSHERRY F , NISSIM K ,et al. Calibrating noise to sensitivity in private data analysis[C]// Proceedings of Theory of Cryptography Conference. 2006: 265-284.
[73]	ABADI M , CHU A , GOODFELLOW I ,et al. Deep learning with differential privacy[C]// Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. 2016: 308-318.
[74]	WANG C , LIANG J , HUANG M ,et al. Hybrid differentially private federated learning on vertically partitioned data[J]. arXiv preprint arXiv:2009.02763, 2020.
[75]	SZEGEDY C , ZAREMBA W , SUTSKEVER I ,et al. Intriguing properties of neural networks[J]. Computer Science, 2013.
[76]	ELAZAR Y , GOLDBERG Y . Adversarial removal of demographic attributes from text data[J]. arXiv preprint arXiv:1808.06640, 2018.
[77]	LIAO P , ZHAO H , XU K ,et al. Information obfuscation of graph neural networks[C]// Proceedings of International Conference on Machine Learning. 2021: 6600-6610.
[78]	ZHANG S , XIANG L , YU X ,et al. Privacy-preserving federated learning on partitioned attributes[J]. arXiv preprint arXiv:2104.14383, 2021.
[79]	SUN J , YAO Y , GAO W ,et al. Defending against reconstruction attack in vertical federated learning[J]. arXiv preprint arXiv:2107.09898, 2021.
[80]	LIU Y , KANG Y , ZOU T ,et al. Vertical Federated Learning[J]. arXiv preprint arXiv:2211.12814, 2022.
[81]	JOHNSON A E W , POLLARD T J , SHEN L ,et al. MIMIC-III,a freely accessible critical care database[J]. Scientific data, 2016,3(1): 1-9.
[82]	STREET W N , WOLBERG W H , MANGARIAN O L . Nuclear feature extraction for breast tumor diagnosis[J]. In Biomedical image processing and biomedical visualization, 1993,1905: 861-870.
[83]	MORO S , CORTEZ P , RITA P . A data-driven approach to predict the success of bank telemarketing[J]. Decision Support Systems, 2014,62: 22-31.
[84]	YEH I , LIEN C . The comparisons of data mining techniques for the predictive accuracy of probability of default of credit card clients[J]. Expert systems with applications, 2009,36(2): 2473-2480.
[85]	KOHAVI R . Scaling up the accuracy of naive-bayes classifiers:A decision-tree hybrid[J]. Kdd, 1996,96: 202-207.
[86]	ZHAO P , XIAO K , ZHANG Y ,et al. AMEIR:Automatic Behavior Modeling,Interaction Exploration and MLP Investigation in the Recommender System[C]// Proceedings of International Joint Conferences on Artifi-cial Intelligence. 2021: 2104-2110.
[87]	MCCALLUM A K , NIGAM K , RENNIE J ,et al. Automating the construction of internet portals with machine learning[J]. Information Retrieval, 2000,3: 127-163.
[88]	SEN P , NAMATA G , BILGIC M ,et al. Collective classification in network data[J]. AI magazine, 2008,29(3): 93.
[89]	DENG L . The MNIST database of handwritten digit images for machine learning research[J]. IEEE signal processing magazine, 2021,29(6): 141-142.
[90]	XIAO H , RASUL K , VOLLGRAF R . Fashion-MNIST:a novel image dataset for benchmarking machine learning algorithms[J]. arXiv preprint arXiv:1708.07747, 2017.
[91]	KRIZHEVSKY A , HINTON G . Learning multiple layers of features from tiny images[R]. Technical report,Citeseer, 2009.
[92]	REN M , KIROS R , ZEMEL R . Exploring models and data for image question answering[J]. Advances in neural information processing systems, 2015,28: 2953-2961.
[93]	CHUA T S , TANG J , HONG R ,et al. NUS-WIDE:a real-world web image database from national university of Singapore[C]// Proceedings of ACM International Conference on Image and Video Retrieval. 2009: 1-9.
[94]	LIU Z , LUO P , WANG X ,et al. Deep learning face attributes in the wild[C]// Proceedings of IEEE International Conference on Computer Vision. 2015: 3730-3738.
[95]	FERNANDES K , VINAGRE P , CORTEZ P . A proactive intelligent decision support system for predicting the popularity of online news[C]// Proceedings of Portuguese Conference on Artificial Intelligence. 2015: 535-546.
[96]	ZHANG X , ZHAO J , LECUN Y . Character-level convolutional networks for text classification[C]// Proceedings of The Advances in neural information processing systems. 2015: 1-9.
[97]	HAMIDIEH K . A data-driven statistical model for predicting the critical temperature of a superconductor[J]. Computational Materials Science, 2018,154: 346-354.
[98]	CANDANEDO L M , FELDHEIM V , DERAMAIX D . Data driven prediction models of energy use of appliances in a low-energy house[J]. Energy and buildings, 2017,140: 81-97.
[99]	ZHANG C , ZHANG J , CHAI D ,et al. Aegis:A trusted,automatic and accurate verification framework for vertical federated learning[J]. arXiv preprint arXiv:2108.06958, 2021.
[100]	ZHU H , WANG R , JIN Y ,et al. PIVODL:privacy-preserving vertical federated learning over distributed labels[J]. arXiv preprint arXiv:2108.11444, 2021.
[101]	WENJIE S , XUAN S . Vertical federated learning based on DFP and BFGS[J]. arXiv preprint arXiv:2101.09428, 2021.
[102]	SUN J , YANG X , YAO Y ,et al. Vertical federated learning without revealing intersection membership[J]. arXiv preprint arXiv:2106.05508, 2021.
[103]	SHAN C , JIAO H , FU J . Towards representation identical privacy-preserving graph neural network via split learning[J]. arXiv preprint arXiv:2107.05917, 2021.
[104]	XIA W , LI Y , ZHANG L ,et al. A Vertical federated learning framework for horizontally partitioned labels[J]. arXiv preprint arXiv:2106.10056, 2021.
[105]	ROMANINI D , HALL A J , Papadopoulos P ,et al. Pyvertical:a vertical federated learning framework for multi-headed splitnn[J]. arXiv preprint arXiv:2104.00489, 2021.
[106]	GAO Y , DOAN B G , ZHANG Z ,et al. Backdoor attacks and countermeasures on deep learning:a comprehensive review[J]. arXiv preprint arXiv:2007.10760, 2020.

攻击类型	攻击目标	攻击方法	攻击阶段			攻击背景知识		威胁强度	VFL框架	数据模态
攻击类型	攻击目标	攻击方法	训练阶段	推理阶段	协调者模型	嵌入信息	标签信息	威胁强度	VFL框架	数据模态
隐私性	标签	模型补全	√	√	×	×	×	●	神经网络	图像、文本
隐私性	标签	主动攻击	√	×	×	×	×	●	神经网络	图像、文本
隐私性	标签	直接攻击	√	√	×	×	×	○	神经网络	图像、文本
隐私性	标签	范数攻击	√	√	×	√	×	○	神经网络	文本
隐私性	属性	等式求解攻击	√	√	×	×	×	?	逻辑回归	文本
隐私性	属性	路径限制攻击	√	√	×	×	×	?	决策树	文本
隐私性	属性	生成回归网络	×	√	√	√	×	●	神经网络	文本
隐私性	属性	解码器攻击	√	√	×	√	×	●	神经网络	图像、文本
隐私性	成员信息	PSI暴露	√	√	×	×	×	?	神经网络、逻辑回归	图像、文本
隐私性	原始数据	逆向乘法攻击	√	×	×	×	×	?	逻辑回归	文本
隐私性	原始数据	逆向加法攻击^]	√	×	×	×	×	?	XGBoost	文本
隐私性	原始数据	特征空间劫持攻击	√	×	×	×	×	●	神经网络	图像
安全性	VFL模型	梯度替换后门攻击	√	×	×	×	√	●	神经网络	图像、文本
注：√表示满足，×表示不满足。威胁强度（根据攻击所需背景知识和攻击场景评估其具有的威胁性）：○表示低，?表示中，●表示高。

攻击发起者	背景知识					操纵能力
攻击发起者	中间嵌入	更新梯度	标签信息	边缘模型	本地属性	中间嵌入	更新梯度	标签信息	边缘模型	本地属性
主参与者	√	√	√	√	√	√	√	√	√	√
从参与者	√	√	×	√	√	×	×	×	√	√

类型	横向联邦学习	纵向联邦学习	风险独特性
数据提供	每个参与者都有各自的特征和标签	主动方具有标签，被动方具有特征	易遭受标签推断攻击
数据处理	无须对齐操作	需要进行数据对齐	数据成员直接在对齐过程中被泄露
模型结构	参与者模型结构完整	参与者模型结构不完整	攻击者对全局模型的操纵能力相对较弱
传输内容	上传下发模型参数信息或梯度信息	上传嵌入层信息，下发梯度信息	嵌入层成为隐私泄露或者攻击的目标
聚合机制	平均聚合等鲁棒聚合方式	直接拼接或相加	缺少对后门攻击的聚合防御
推理方式	参与者对全局模型单独推理，获得不同推理结果	参与者需要联合进行推理，输出同一个推理结果	易在推理阶段引入对抗攻击

适用场景	数据集	样本数量	特征数量	标签类别	数据模态	任务类型	VFL引用文献
	MIMIC-III^[81]	21 139	714	2	文本	分类任务	[27],[28],[29]
生物医疗	Breast^[82]	569	31	2	文本	分类任务	[16],[21],[75],[100]
	Purchase100^[51]	197 324	600	2	文本	分类任务	[51]
	Insurance Claim^[33]	188 318	116	2	文本	分类任务	[34]
金融交易	Bank Market^[83]	4 521	17	2	文本	分类任务	[20],[101]
	Credit Card Clients^[84]	284 807	28	2	文本	分类任务	[17],[27],[31],[34],[49],[75],[100],[102]
	Adult^[85]	48 842	12	2	文本	分类任务	[51],[75]
	Criteo^[86]	4 500 000	40	2	文本	分类任务	[21],[103]
广告推荐	Avazu	4 000 000	17	2	文本	分类任务	[103]
	Cora^[87]	2 708	1 433	7	网络	分类任务	[22],[23],[104]
文献引用	Citeseer^[87]	3 312	3 703	6	网络	分类任务	[22],[23],[104]
	Pubmed^[88]	19 717	500	3	网络	分类任务	[22],[23],[104]
	MNIST^[89]	70 000	784	10	图像	分类任务	[16],[18],[27],[28],[29][31],[45],[105],[106]
	Fashion-MNIST^[90]	70 000	784	10	图像	分类任务	[105],[45],[28],[58]
	Cifar10^[91]	60 000	3 072	10	图像	分类任务	[21],[27],[28],[105]
物体识别	Cifar100^[91]	60 000	3 072	100	图像	分类任务	[21]
	COCO-QA^[92]	78 736	—	—	图像、文本	分类任务	[51]
	NUS-WIDE^[93]	269 648	5 018	81	图像、文本	分类任务	[10],[27]
	CelebA^[94]	202 599	116 412	2	图像	分类任务	[58]
	News Popularity^[95]	93 239	11	—	时序文本	回归任务	[16],[24],[31],[33]
新闻媒体	Yahoo Answers^[96]	146 000	—	10	文本	分类任务	[21]
	Superconductivity^[97]	20 000	81	—	文本	回归任务	[29]
物理	Drive Diagnosis^[98]	58 509	48	11	文本	分类任务	[101]
家电能源	Appliances Energy^[99]	19 735	29	—	文本	回归任务	[20],[101]

框架或平台	开发者	加密手段	是否开源	使用类型	框架	特点	应用场景
FATE	微众银行	同态加密	是	研究、商用	Tensorflow、PyTorch	支持联邦迁移学习技术	车险定价、信贷风控等
PaddleFL	百度	安全多方计算	是	研究、商用	PaddlePaddle	基于全栈开源软件部署	计算机视觉、推荐算法等
Pysyft	OpenMined	同态加密、秘密共享	是	研究	TensorFlow、PyTorch	多种隐私控制策略	金融风控、广告推荐等
iBond	同盾科技	同态加密、秘密分享	否	商用	（未知）	引入知识联邦概念	自然语言处理、金融风控
PowerFL	腾讯	多方安全计算	否	商用	Angel	考虑数据异质性	金融风控、广告推荐

纵向联邦学习方法及其隐私和安全综述

Survey on vertical federated learning: algorithm, privacy and security

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 6

参考文献 106

相关文章 4

Metrics

推荐阅读 0

[1]	陈先意, 顾军, 颜凯, 江栋, 许林峰, 付章杰. 针对车牌识别系统的双重对抗攻击[J]. 网络与信息安全学报, 2023, 9(3): 16-27.
[2]	张宇, 李海良. 基于RSA的图像可识别对抗攻击方法[J]. 网络与信息安全学报, 2021, 7(5): 40-48.
[3]	陈晋音, 张敦杰, 黄国瀚, 林翔, 鲍亮. 面向图神经网络的对抗攻击与防御综述[J]. 网络与信息安全学报, 2021, 7(3): 1-28.
[4]	刘西蒙,谢乐辉,王耀鹏,李旭如. 深度学习中的对抗攻击与防御[J]. 网络与信息安全学报, 2020, 6(5): 36-53.