Passive Inference Attacks on Split Learning via Adversarial Regularization

Xiaochen Zhu

Network and Distributed System Security (NDSS) Symposium 2025 · Day 2 · Federated Learning 1

Split Learning (SL) has emerged as a promising paradigm for collaborative machine learning, designed to address the challenges of distributed data, limited computational resources on client devices, and the paramount need for data privacy. By partitioning a neural network into client-side and server-side components, SL aims to allow multiple data owners to collaboratively train a model without directly sharing their raw data. Clients send only intermediate representations of their data to a powerful central server, which then handles the bulk of the computation and sends gradients back for client-side updates. This architectural choice is intended to safeguard sensitive client information while enabling the benefits of large-scale model training.

AI review

Solid, technically grounded ML privacy research that delivers a genuine contribution: a passive inference attack on Split Learning that closes the gap with active attacks while remaining undetectable, with the GAN-style adversarial regularization being the key novel mechanism. The work is honest about what doesn't work against it, which is rarer than it should be, and the U-shaped SL label inference result is the kind of finding that should make anyone building on SL's privacy assumptions reconsider their threat model.