When Usability Becomes a Weakness: How VENOM Breaks Vertical Federated Learning
The paper reveals that intermediate representations in vertical federated learning retain exploitable geometric structure, and introduces VENOM—a geometry‑aware model‑stealing framework that succeeds against existing defenses across multiple datasets, even under distribution shift.
Vertical federated learning (VFL) enables multiple institutions to jointly train models without sharing raw data, and is widely adopted in finance, healthcare, IoT, and recommendation systems.
In the common split‑learning setup, each client sends locally generated intermediate representations to a central server; although raw features are hidden, these representations can still serve as a gateway for model theft.
Prior defenses add noise, projection, pruning, or multi‑branch decoupling to perturb the representations, but they cannot fully erase the local geometric structure because the server must preserve semantic relationships to maintain prediction performance.
This creates a dilemma: preserving too much structure enables attacks, while destroying it harms utility.
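The dilemma can be measured rather than argued about. As an added, defender‑side check (not code from the paper or its authors), the snippet below computes how much of each sample's k‑nearest‑neighbour structure survives a noise‑addition defense, using constructed Gaussian clusters as a stand‑in for bottom‑model outputs; the 4‑unit class spacing, 0.5 cluster spread, dimension 8 and k=5 are assumptions.

```python
import math
import random

def knn_sets(points, k):
    """For each point, the set of indices of its k nearest neighbours (Euclidean, self excluded)."""
    sets = []
    for i, p in enumerate(points):
        ranked = sorted((math.dist(p, q), j) for j, q in enumerate(points) if j != i)
        sets.append({j for _, j in ranked[:k]})
    return sets

def neighborhood_overlap(clean, defended, k):
    """Mean Jaccard overlap of each sample's k-NN set before and after the defense
    (1.0 means the local geometry is fully retained, 0.0 means fully scrambled)."""
    before, after = knn_sets(clean, k), knn_sets(defended, k)
    return sum(len(a & b) / len(a | b) for a, b in zip(before, after)) / len(before)

def gaussian_defense(points, sigma, rng):
    """Noise-addition defense: perturb every coordinate of every embedding with N(0, sigma^2)."""
    return [[v + rng.gauss(0.0, sigma) for v in p] for p in points]

def make_embeddings(n_classes, per_class, dim, rng):
    """Constructed stand-in for bottom-model outputs: one Gaussian cluster per class,
    cluster centres 4 units apart along the first axis (assumed values)."""
    points = []
    for c in range(n_classes):
        centre = [4.0 * c] + [0.0] * (dim - 1)
        for _ in range(per_class):
            points.append([m + rng.gauss(0.0, 0.5) for m in centre])
    return points

def audit_defense(sigmas, k=5, seed=0):
    """Map each noise scale to the fraction of k-NN structure that survives it."""
    rng = random.Random(seed)
    clean = make_embeddings(n_classes=3, per_class=20, dim=8, rng=rng)
    return {s: neighborhood_overlap(clean, gaussian_defense(clean, s, rng), k) for s in sigmas}

if __name__ == "__main__":
    for sigma, overlap in audit_defense([0.0, 0.1, 0.5, 2.0]).items():
        print(f"sigma={sigma:<4} k-NN overlap retained={overlap:.2f}")
```

Noise scales small enough to keep the server's predictions useful leave most neighbourhoods intact, which is exactly the structure a geometry‑aware attacker can rebuild from.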
A joint research team from SUNY Stony Brook, Stevens Institute of Technology, and NYU proposes VENOM (Geometry‑Aware Vertical Federated Learning Model‑Stealing Framework), accepted as a full paper at CVPR 2026.
VENOM first learns a stable contrastive representation space from the observable intermediate embeddings, mitigating coordinate perturbations introduced by defenses. It then constructs a local‑geometry scaffold by extracting each sample’s K‑nearest and K‑farthest neighbors, and trains a proxy model that not only minimizes point‑wise deviation from target embeddings but also applies neighbor‑attraction and far‑neighbor‑repulsion forces to recover the manifold’s local structure.
Experiments on six datasets—Bank, SUSY, Diabetes, MNIST, CIFAR‑10, and NUS‑WIDE—using various bottom models show that VENOM achieves higher stealing accuracy (S‑ACC) and agreement rate (AGR) than distance‑alignment baselines across multiple defense scenarios.
Ablation studies confirm the necessity of each VENOM component.
Further tests with out‑of‑distribution auxiliary data (CIFAR‑100, Tiny‑ImageNet) demonstrate that VENOM still maintains strong stealing performance, indicating that it exploits general geometric features of the target model’s representation space rather than accidental sample matches.
In summary, the very usability of a model—its need to retain semantic geometry—also makes it vulnerable to attacks like VENOM.