VILLAIN: Backdoor Attacks Against Vertical Split Learning Presented at USENIX Security 2023
The paper "VILLAIN: Backdoor Attacks Against Vertical Split Learning", presented at USENIX Security 2023, proposes a framework that lets a participant who holds no labels infer the training labels and inject a backdoor into a vertically partitioned federated learning model, highlighting new security challenges and defense considerations for collaborative AI systems.
On August 9, 2023, the top‑tier computer security conference USENIX Security 2023 opened, featuring a joint paper by Ant Group and Zhejiang University titled "VILLAIN: Backdoor Attacks Against Vertical Split Learning".
The work focuses on the backdoor‑attack problem in vertical split learning, a federated learning scenario in which different parties hold disjoint feature sets of the same samples. VILLAIN introduces a new attack framework that can efficiently plant backdoors without any auxiliary information, overcoming the obstacle that the attacking party holds no labels.
In addition to the attack method, the authors systematically analyze how plaintext representations such as split‑learning feature vectors and model weights can be used to infer original training data, providing insights for designing stronger data‑protection strategies in finance, e‑commerce, and other domains that rely on joint modeling.
Specifically, VILLAIN consists of two modules: a label‑inference module that predicts missing labels, and a data‑poisoning module that injects malicious perturbations into the shared representations. These modules allow an attacker to embed a predefined backdoor into the server‑side model even without access to the top‑level model or true labels.
The framework was evaluated across diverse datasets and demonstrated successful backdoor implantation while evading five existing backdoor‑detection or removal defenses, confirming its effectiveness both against undefended systems and against systems that deploy these defenses.
The paper also emphasizes the broader security implications of vertical split learning, urging the community to consider both model integrity and data privacy when designing collaborative AI systems.
USENIX Security, one of the four flagship conferences in computer security alongside IEEE S&P, ACM CCS, and NDSS, continues to shape the field by showcasing cutting‑edge research such as VILLAIN.
AntTech